As soon as any server is set up on the net, it will immediately see attempts at loading the /wp-login.php page. If you actually have a WordPress site set up, you’ll quickly start receiving lots and lots of login attempts. You can stop this completely by limiting access to /wp-login.php and /wp-admin by IP address in Nginx (on Debian/Ubuntu). It’s pretty simple. Here’s how:

In your site’s Nginx server block, add an include for the WordPress IP address configuration (keeping it in a separate config file is handy if you have more than one WordPress site on your server).

nano /etc/nginx/sites-available/wordpress

server {
        …
        include /etc/nginx/snippets/wordpress.conf;
        …
}

Create a file at /etc/nginx/snippets/wordpress.conf

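# "=" is an exact match: this block handles the URI /wp-login.php only
location = /wp-login.php {
         # allow/deny rules shared by every restricted location
         include snippets/blockips.conf;
         include snippets/fastcgi-php.conf;
         # adjust the socket path to the PHP-FPM version installed on your server
         fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}

# "=" is an exact match: this covers the URI /wp-admin/ itself, not other paths below it
location = /wp-admin/ {
         include snippets/blockips.conf;
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}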

Then create a file that will list the IP addresses that will be permitted to access your WordPress admin at /etc/nginx/snippets/blockips.conf

allow 192.168.100.8; #description
allow 181.199.71.209; #description
deny all;

This will allow the three IP addresses listed above (of course, replace with the IPs you’d like to allow) to access your WordPress admin page. Everything else will be denied. Add a little description to the end of each line in order to keep track of which IP addresses you’re adding. 

Then reload Nginx:

systemctl reload nginx.service
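
The following Python script is an added example, not part of the original post. It models how Nginx evaluates the allow/deny lines in blockips.conf (rules are checked in order and the first match wins), so you can confirm which client addresses get through and catch a missing or misplaced `deny all;` before reloading. It goes slightly beyond the post by also accepting CIDR ranges; the function names, the 10.20.0.0/16 line and the 203.0.113.50 client are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of /etc/nginx/snippets/blockips.conf.
# The first two lines are the post's; the CIDR line is made up for this example.
SAMPLE = """\
allow 192.168.100.8; #description
allow 181.199.71.209; #description
allow 10.20.0.0/16; #constructed VPN range
deny all;
"""

RULE = re.compile(r"^\s*(allow|deny)\s+([^;\s]+)\s*;")

def parse_rules(text):
    """Return [(action, network)] in file order; network None means 'all'.
    Handles IPv4/IPv6 addresses and CIDR ranges only (no 'unix:' targets)."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0])  # drop the trailing description
        if m:
            action, target = m.groups()
            net = None if target == "all" else ipaddress.ip_network(target, strict=False)
            rules.append((action, net))
    return rules

def is_allowed(rules, client_ip):
    """Nginx checks the rules in sequence and stops at the first match."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action == "allow"
    return True  # nothing matched: the access module lets the request through

def lint(rules):
    """Flag the mistakes that silently open the allowlist or lock everyone out."""
    problems = []
    if not rules or rules[-1] != ("deny", None):
        problems.append("file does not end with 'deny all;'")
    for i, (_, net) in enumerate(rules[:-1]):
        if net is None:
            problems.append(f"rule {i + 1} matches everything; later rules never run")
    return problems

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for ip in ("192.168.100.8", "10.20.3.4", "203.0.113.50"):
        print(ip, "allowed" if is_allowed(rules, ip) else "denied (403)")
    print(lint(rules) or "no problems found")
```

Run it against the real file by replacing SAMPLE with the contents of /etc/nginx/snippets/blockips.conf.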