Following my last post about how to ensure a bit more our wordpress instance, today I implemented some basic rules for nginx that can be useful to block some automate brute force attacks to our wordpress administration panel generated by bots or vulnerability software scanners and save more cpu time in our server. Obviously the best method is limiting the access to admin url for some IP’s, but not always is possible.

Basically the idea is block requests like that:

xx.xx.xx.xx - - [01/Apr/2014:17:04:42 +0100] "POST /wp-login.php HTTP/1.0" 200 3974 "-" "-"

Basically a variable called $bot is defined inside the server clause initialized to 1. Some patterns of the http request are checked, if this pattern is matched, nginx will append one 0 to this variable. This patterns consists in:

1.- Check if is a HTTP/1.0 request.
2.- Check if the request method is POST.
3.- Check if the uri requested is /wp-admin or /wp-login.php
4.- Check if the host http header requested doesn’t match with our domain.
5.- Check if the referrer server_name http header doesn’t match with our domain.

Combining this patterns we can block some bots avoiding false positives using old browsers that uses HTTP/1.0. At the end of the checks, if it matches with at least 4 conditions, the request will be blocked returning a 444 response code.

set $bot 1;
valid_referers server_names ~(;
if ($server_protocol ~* "HTTP/1.0") {
set $bot  "${bot}0";
if ($request_method = POST) {
set $bot  "${bot}0";
if ($request_uri ~* ^/(wp-admin|wp-login\.php)){
set $bot  "${bot}0";
if ($http_host !~* ([a-z0-9]+\.)*yourdomain\.com ){
set $bot  "${bot}0";
if ($invalid_referer) {
set $bot  "${bot}0";

if ($bot ~* ^10000){
return 444;

There are more sophisticated methods to bock brute force requests like using a WAF (web application firewall) using mod_security for apache or naxsi for nginx, or even using fail2ban. But from an easy and fast way you can implement this rules. You can take a look with more detail on the different methods on this url:

Source documentation:

nginx rules to protect wordpress admin
Tagged on:     

2 thoughts on “nginx rules to protect wordpress admin

  • May 29, 2014 at 20:38

    Great tips!
    You might also want to put this rule inside nginx.conf file:

    limit_req_zone $binary_remote_addr zone=app:10m rate=2r/s;

    This way you can also block the well-known flood attacks that could overload and reach the limit inside fastcgi processes.

    • June 15, 2014 at 17:05

      Nice! Good way to limit the number of requests. Thanks for share it Lucian! 😀


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Get every new post delivered to your Inbox

Join other followers: