4 thoughts on “Protecting the WordPress login in nginx”

  1. Thanks so much for this, the configuration worked like a charm. Successfully stopped a massive brute force attack on a site I manage.

    1. I strongly recommend against doing so, and intentionally didn’t note how to accomplish this in my post. Protecting wp-login.php and xmlrpc.php is sufficient. Since the WordPress Ajax endpoints live in wp-admin, placing basic authentication protection on the entire directory will break many themes and plugins, in ways that will be quite apparent to your end users. Since WordPress redirects any unauthenticated wp-admin requests to wp-login.php, protecting the latter inherently benefits the former.
