I found a site that posted a blog about this exact scenario and it also protects wp-login.php too so I copied their code, location ~ ^/blog/(wp-admin|wp-login\.php) { allow 111.111.111.111; deny all; } This code ALSO triggers a download when the authorized IP connects to wp-admin. Seriously confused why it's doing this.by aglyons - How to...
So the site was hacked.! I fixed it up and have some security installed now but I've got to be in a list of vulnerable sites as the server is getting hammered daily. In an attempt to lessen the load I decided to protect the WP-ADMIN folder with a location directive allowing me in (by IP) and denying everyone else. I decided to redirect the denied back to the home page. It worked but thenby aglyons - How to...