So the site was hacked.!

I fixed it up and have some security installed now but I've got to be in a list of vulnerable sites as the server is getting hammered daily.

In an attempt to lessen the load I decided to protect the WP-ADMIN folder with a location directive allowing me in (by IP) and denying everyone else. I decided to redirect the denied back to the home page.

It worked but then I decided to expand the allowed IP address to cover a subnet using CIDR. The second I did that, the location block doesn't let me access wp-admin and instead, triggers a download of the wp-admin index file in raw unprocessed PHP.

I then took out the CIDR and put the single IP back in and it still did the same thing. I've cleared the server cache and browser cache. I tried loading the page in incognito. I took out the redirect part and still, it will not let me in wp-admin and instead triggers the download.

At a loss as to why it's started doing this. Any ideas.



# Protect WPAdmin Directory
location ^~ /wp-admin/ {
error_page 403 =301 https:/mywebsiteurl.com/;
allow 111.111.111.111; #my external IP address
deny all;
}

I found a site that posted a blog about this exact scenario and it also protects wp-login.php too so I copied their code,

location ~ ^/blog/(wp-admin|wp-login\.php) {
allow 111.111.111.111;
deny all;
}

This code ALSO triggers a download when the authorized IP connects to wp-admin. Seriously confused why it's doing this.