4 thoughts on “Protecting the WordPress login in nginx”

  1. Thanks so much for this, the configuration worked like a charm. Successfully stopped a massive brute force attack on a site I manage.

    1. I strongly recommend against doing so, and intentionally didn’t note how to accomplish this in my post. Protecting wp-login.php and xmlrpc.php is sufficient. Since the WordPress Ajax endpoints live in wp-admin, placing basic authentication protection on the entire directory will break many themes and plugins, in ways that will be quite apparent to your end users. Since WordPress redirects any unauthenticated wp-admin requests to wp-login.php, protecting the latter inherently benefits the former.
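
The scoping described in the reply above, as an added nginx sketch that is not part of the original post or of either comment. It assumes WordPress is installed at the site root; the htpasswd path, the realm string and the PHP-FPM socket are placeholder assumptions to adapt to your server.

```nginx
# Added example. Assumed values: /etc/nginx/.htpasswd, the realm text,
# and the PHP-FPM socket path. Goes inside the site's server { } block.

# Basic authentication on the two endpoints only. nginx tests regex
# locations in the order they appear, so this block must come BEFORE
# the generic "location ~ \.php$" block or it will never match.
location ~ ^/(wp-login|xmlrpc)\.php$ {
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;       # assumed path

    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass  unix:/run/php/php-fpm.sock;        # assumed socket
}

# Generic PHP handler with no auth_basic. /wp-admin/admin-ajax.php is
# served from here, so front-end Ajax calls from themes and plugins keep
# working, while unauthenticated /wp-admin/ page requests are redirected
# by WordPress to wp-login.php and meet the prompt above.
location ~ \.php$ {
    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass  unix:/run/php/php-fpm.sock;        # assumed socket
}
```

After a reload, an unauthenticated request to `/wp-login.php` should return 401, and a request to `/wp-admin/admin-ajax.php` should not.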
