How to block wp-login flooding requests with Nginx

Recently after I moved my blog to Ghost, I saw in the logs this:

WTF

The server was constantly receiving a lot of bot requests hitting /wp-admin, /wp-login and more...
The screen full of wp-login flooding requests

How to fix it

Please note this solution is only recommended for non-WordPress websites.

Open your Nginx config file, usually on /etc/nginx/nginx.conf.

In your domain's server block, add this:

location ~* /(wp-admin|wp-login|wp-content|xmlrpc) {
    deny all;
    return 403;
}

Note:

  • Matching is case insensitive, so both wp-admin and WP-ADMIN will be denied.
  • It is a regular expression, so /wp-admin, /wp-admin.php and /wp-admin/whatever will be denied too.
  • It only denies when the keyword is preceded by a /, not whenever the keyword appears anywhere in the URL; since you won't put /{{keyword}} in a URL of your own, this is safe.
  • If you want to add more keywords, for example whatever, just change:
location ~* /(wp-admin|wp-login|wp-content|upload|xmlrpc) {

to:

location ~* /(wp-admin|wp-login|wp-content|upload|xmlrpc|whatever) {

Yes, just add |whatever inside the ().
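To see what the location block above actually catches, here is an added example (not from the original post) that replays the same pattern over a few constructed access-log lines: nginx "location ~*" is an unanchored, case-insensitive PCRE search against the URI without its query string, which is what re.search and the split on "?" reproduce here. The log format and sample IPs are constructed for illustration.

```python
import re

# Same pattern as the page's "location ~*" block. nginx regex locations are
# unanchored PCRE searches, so re.search (not re.match) mirrors that behaviour.
BLOCK_RE = re.compile(r"/(wp-admin|wp-login|wp-content|xmlrpc)", re.IGNORECASE)

# nginx "combined" log format: client, time, "METHOD path HTTP/x", status, size, referer, UA
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

def would_block(path: str) -> bool:
    """True if the location block on the page would deny this request path."""
    return BLOCK_RE.search(path) is not None

def classify(log_lines):
    """Split access-log lines into (blocked_paths, allowed_paths) under that rule."""
    blocked, allowed = [], []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        # location matching uses $uri, which never includes the query string
        path = m.group("path").split("?", 1)[0]
        (blocked if would_block(path) else allowed).append(path)
    return blocked, allowed

# Constructed sample lines mimicking the flood the post describes (IPs are documentation ranges)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Oct/2023:13:55:38 +0000] "GET /WP-ADMIN/ HTTP/1.1" 404 153 "-" "curl/7.88"
198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /blog/wp-content/uploads/x.jpg HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about-wp-login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /search/?q=/wp-admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    blocked, allowed = classify(SAMPLE_LOG)
    print("blocked:", blocked)  # the four probe paths, including the upper-case one
    print("allowed:", allowed)  # /about-wp-login (no leading /) and /search/ (keyword only in query)
```

The last two sample lines are the edge cases from the notes: a keyword not preceded by a slash, and a keyword that appears only in the query string, both of which pass through untouched.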

Don't forget

Finally, restart Nginx for the changes to take effect:

sudo service nginx restart

Now your server will be under less load and will probably serve requests faster.

Share if this helped you or you liked it :)

David Burgos
