Welcome! Log In Create A New Profile


Protecting wp-admin

Posted by aglyons 
Protecting wp-admin
February 24, 2020 09:23PM
So the site was hacked.!

I fixed it up and have some security installed now but I've got to be in a list of vulnerable sites as the server is getting hammered daily.

In an attempt to lessen the load I decided to protect the WP-ADMIN folder with a location directive allowing me in (by IP) and denying everyone else. I decided to redirect the denied back to the home page.

It worked but then I decided to expand the allowed IP address to cover a subnet using CIDR. The second I did that, the location block doesn't let me access wp-admin and instead, triggers a download of the wp-admin index file in raw unprocessed PHP.

I then took out the CIDR and put the single IP back in and it still did the same thing. I've cleared the server cache and browser cache. I tried loading the page in incognito. I took out the redirect part and still, it will not let me in wp-admin and instead triggers the download.

At a loss as to why it's started doing this. Any ideas.

# Protect WPAdmin Directory
location ^~ /wp-admin/ {
error_page 403 =301 https:/mywebsiteurl.com/;
allow; #my external IP address
deny all;
Re: Protecting wp-admin
February 24, 2020 11:31PM
I found a site that posted a blog about this exact scenario and it also protects wp-login.php too so I copied their code,

location ~ ^/blog/(wp-admin|wp-login\.php) {
deny all;

This code ALSO triggers a download when the authorized IP connects to wp-admin. Seriously confused why it's doing this.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 89
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready