How To Protect WordPress Admin Page In Nginx?

There are numerous ways to protect the admin page for your WordPress site. Whether you are using Nginx as a reverse proxy or as a standalone webserver, you can easily protect the admin page with just a few lines of code. In this basic tutorial, we will first put an IP restriction to WordPress admin page, which is behind a Nginx reverse proxy setup. If your Nginx is not working as reverse proxy, then you can skip to second step.

How To Put IP Restriction In Nginx Reverse Proxy ?

When Nginx is used as a reverse proxy for a WordPress installation, which runs on Apache, we should bypass Nginx’s caching mechanism and proxy_pass requests to Apache. In the following code snippet for virtual.conf, we are limiting admin page to a single IP:

How To Password Protect WordPress Admin Directory In Nginx ?

Another way to protect WordPress admin page is to employ authentication directives in Nginx. We can password protect the wp-admin directory easily. By using Apache’s htpasswd command we can create a password file for a user as follows:

The .htpasswd file should be placed somewhere outside of your site’s root directory. Now we reference this file in Nginx’s virtual.conf file as follows:

To make things even more secure, you can add allow/deny directive to restrict IP. Don’t forget to replace # PHP Handler with the directives needed by your configuration to process PHP requests.