{"id":48049,"date":"2025-01-30T16:15:07","date_gmt":"2025-01-30T16:15:07","guid":{"rendered":"https:\/\/ubuntuhandbook.org\/?p=48049"},"modified":"2025-01-30T16:15:07","modified_gmt":"2025-01-30T16:15:07","slug":"block-ips-nginx-wordpress-login","status":"publish","type":"post","link":"https:\/\/ubuntuhandbook.org\/index.php\/2025\/01\/block-ips-nginx-wordpress-login\/","title":{"rendered":"How to Block IPs in Nginx \/ WordPress Login Page"},"content":{"rendered":"

\"\"<\/a><\/p>\n

This is a step by step beginner’s guide shows how to configure Nginx to block certain IPs or IP range from accessing your website, and block all others while only you (and specified IPs) can access the wordpress login pages.<\/p>\n

This site was under attack a few days ago. Someone made tens of thousands of constant requests that slowed down the server response. And, here’s what I did to manually block attacker’s IPs and restrict access to the login page.
\n<\/p>\n

NOTE: For large amount of DDoS attack, it’s recommended to use 3rd party tools\/services, e.g., fail2ban<\/a> or CloudFlare<\/a>, to mitigate by automatically banning the IPs.<\/b><\/p>\n

Step 1: Find out Attacker’s IPs<\/h3>\n

1. First, connect to your Linux server and run command to edit Nginx configuration file:<\/p>\n

sudo nano \/etc\/nginx\/nginx.conf<\/pre>\n
Then, make sure it includes the access_log \/var\/log\/nginx\/access.log;<\/code> line for the access log.<\/p>\n
2. If access log was not enabled, then you need to manually add that line and save file (press Ctrl+S then Ctrl+X).<\/p>\n
And, apply change by doing configuration check and restarting the service:<\/p>\n
sudo nginx -t<\/pre>\n
sudo systemctl restart nginx.service<\/pre>\n
3. Without browsing the log file and counting the IP accesses manually, you may run the single command below in server:<\/p>\n
sudo awk '{print $1}' \/var\/log\/nginx\/access.log | sort | uniq -c | sort -nr |more<\/pre>\n
This command will look for the log file (\/var\/log\/nginx\/access.log<\/code>) and print the top IPs and count how many requests they sent.<\/p>\n
\"\"<\/a><\/p>\n
NOTE: If you use CloudFlare CDN for your website, then Nginx by default does NOT show the real IPs from visitors.<\/b><\/p>\n
In the case, you need to create a configuration file for Nginx by running the command below in server:<\/p>\n
sudo nano \/etc\/nginx\/conf.d\/nginx-cloudflare-realip.conf<\/pre>\n
Then, add following lines to tell to show the real IPs for visits from CloudFlare:<\/p>\n
set_real_ip_from 173.245.48.0\/20;\r\nset_real_ip_from 103.21.244.0\/22;\r\nset_real_ip_from 103.22.200.0\/22;\r\nset_real_ip_from 103.31.4.0\/22;\r\nset_real_ip_from 141.101.64.0\/18;\r\nset_real_ip_from 108.162.192.0\/18;\r\nset_real_ip_from 190.93.240.0\/20;\r\nset_real_ip_from 188.114.96.0\/20;\r\nset_real_ip_from 197.234.240.0\/22;\r\nset_real_ip_from 198.41.128.0\/17;\r\nset_real_ip_from 162.158.0.0\/15;\r\nset_real_ip_from 104.16.0.0\/13;\r\nset_real_ip_from 104.24.0.0\/14;\r\nset_real_ip_from 172.64.0.0\/13;\r\nset_real_ip_from 172.70.0.0\/16;\r\nset_real_ip_from 131.0.72.0\/22;\r\nset_real_ip_from 2400:cb00::\/32;\r\nset_real_ip_from 2606:4700::\/32;\r\nset_real_ip_from 2803:f800::\/32;\r\nset_real_ip_from 2405:b500::\/32;\r\nset_real_ip_from 2405:8100::\/32;\r\nset_real_ip_from 2a06:98c0::\/29;\r\nset_real_ip_from 2c0f:f248::\/32;\r\n#real_ip_header CF-Connecting-IP;\r\nreal_ip_header X-Forwarded-For;<\/pre>\n
Then, press Ctrl+S<\/code> to save file and Ctrl+X<\/code> to exit. Finally, run the 2 commands mentioned above to check configuration and restart service.<\/p>\n
NOTE 1: Cloudflare may add\/remove IPs in future! See this page<\/a> for the latest.
\nNOTE 2: This configuration needs ngx_http_realip_module<\/a> model, which is enabled by default in Ubuntu & Debian.<\/p>\n
\"\"<\/a><\/p>\n
Step 2: Block IPs or IP range in Nginx<\/h3>\n
Once you found out the attacker’s IP addresses, run command below to create a configuration file:<\/p>\n
sudo nano \/etc\/nginx\/conf.d\/block.conf<\/pre>\n
Then, add similar lines below to tell to block certain IPs and IP range (replace IP addresses below with the ones you got in last step<\/i><\/b>) for all the NGINX web servers in this host:<\/p>\n
deny 206.189.129.37;\r\ndeny 143.110.180.216;\r\ndeny 167.172.87.180;\r\ndeny 167.99.77.92;\r\ndeny 152.42.178.38;\r\ndeny 2600:3c03::f03c:91ff:fe69:a353;\r\ndeny 139.59.108.0\/24;\r\ndeny 128.199.0.0\/16;<\/pre>\n
Here deny 139.59.108.0\/24;<\/code> means to block IP range from ‘139.59.108.0’ to ‘139.59.108.255’. And, 128.199.0.0\/16;<\/code> means IP range from ‘128.199.0.0’ to ‘128.199.255.255’. You may replace them accordingly for your desired IP range.<\/p>\n
\"\"<\/a><\/p>\n
For choice, you may use the rules below instead to allow only IP 1.2.3.4<\/code> and 2.3.4.5<\/code> (replace accordingly) but block all others.<\/p>\n
allow 1.2.3.4;\r\nallow 2.3.4.5;\r\ndeny all;<\/pre>\n
When done editing the file, press Ctrl+S to save and Ctrl+X to exit. Finally, check configuration and restart service to apply changes:<\/p>\n
sudo nginx -t<\/pre>\n
sudo systemctl restart nginx.service<\/pre>\n
Step 3: Restrict Access to WordPress Login Page (wp-admin, wp-login.php)<\/h3>\n
For wordpress website, it’s a good choice to block all others from visiting the wp-admin\/wp-login.php page, leaving only you and users from specified IP addresses being able to access.<\/p>\n
1. First, connect to the Linux server and run command to edit the Nginx configuration file for your website:<\/p>\n
sudo nano \/etc\/nginx\/sites-available\/wordpress<\/pre>\n
In command you need to replace file-name wordpress<\/code> with yours. Use ls \/etc\/nginx\/sites-available<\/code> to list all files in that directory.<\/p>\n
2. When files opens, scroll down and add “location = \/wp-login.php{}<\/b>” block with similar rules below:<\/p>\n
location = \/wp-login.php {\r\n    allow 1.2.3.4;\r\n    allow 2.3.4.5;\r\n    deny all;\r\n}<\/pre>\n
Here replace 1.2.3.4<\/code> and 2.3.4.5<\/code> with the IPs you want to allow them to access the login page. And, you may add more or remove allow<\/code> lines to add\/remove IPs.<\/p>\n
NOTE: Both\u00a0“location = \/wp-login.php {}” and “location ~ \/.php$ {}” (meaning any end with ‘.php’<\/i>) blocks match the wordpress login page URL (wp-login.php), but the former one has higher priority.<\/b><\/p>\n
Meaning when visiting wp-login.php<\/code> page, rules under location ~ \/.php$<\/code> will be ignored! In the case, it may try downloading file instead of rendering the web page.<\/p>\n
To workaround it, you also need to add the rules under “location ~ \/.php$ {}<\/code>” , so it will look like:<\/p>\n
location = \/wp-login.php {\r\n    include snippets\/fastcgi-php.conf;<\/b>\r\n    fastcgi_pass unix:\/run\/php\/php8.4-fpm.sock;<\/b>\r\n    allow 1.2.3.4;\r\n    allow 2.3.4.5;\r\n    deny all;\r\n}<\/pre>\n
NOTE: you need to replace include snippets\/fastcgi-php.conf;<\/code> and fastcgi_pass unix:\/run\/php\/php8.4-fpm.sock;<\/code> according to the rules under “location ~\\.php$ {}” block.<\/p>\n
\"\"<\/a><\/p>\n
When done. Save file (press Ctrl+S, then Ctrl+X), check configuration and restart service to apply changes.<\/p>\n
sudo nginx -t<\/pre>\n
sudo systemctl restart nginx.service<\/pre>\n
Tips:<\/b> After made changes to location<\/code> blocks, you may need to clear browser cache then verify if it works.<\/p>\n
More about Nginx location blocks<\/h3>\n
Nginx configuration has different types of location blocks. They include:<\/p>\n
    \n
  • location \/abc<\/code> – prefix match, example.com\/abc<\/em>, example.com\/abcde<\/em>, example.com\/abc\/123<\/em>, example.com\/abc?123<\/em>.<\/li>\n
  • location = \/abc<\/code>, exact match, example.com\/abc<\/em>, example.com\/abc?123<\/em>, but NOT for example.com\/abcde<\/em>, example.com\/abc\/<\/em>.<\/li>\n
  • location ~ ^\/abc$<\/code>, regex matches example.com\/abc<\/em>, example.com\/abc?123<\/em>, but NOT for example.com\/abcde<\/em>, example.com\/abc\/<\/em>.<\/li>\n
  • location ~* ^\/abc$<\/code>, similar to location ~ ^\/abc$<\/code> but case-insensitive. It also matches example.com\/ABC<\/em>.<\/li>\n
  • location ^~ \/abc<\/code>, similar to location \/abc<\/code>, but higher priority and no regex.<\/li>\n<\/ul>\n
    The priority from high to low: location =<\/code> ><\/b> location ^~<\/code> ><\/b> location ~<\/code> = location ~*<\/code> ><\/b> location \/<\/code>.<\/p>","protected":false},"excerpt":{"rendered":"
    This is a step by step beginner’s guide shows how to configure Nginx to block certain IPs or IP range from accessing your website, and block all others while only you (and specified IPs) can access the wordpress login pages. This site was under attack a few days ago. Someone made tens of thousands of […]<\/p>\n","protected":false},"author":1,"featured_media":45344,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[2057],"class_list":["post-48049","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","tag-web"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/48049","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/comments?post=48049"}],"version-history":[{"count":0,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/48049\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/media\/45344"}],"wp:attachment":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/media?parent=48049"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/categories?post=48049"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/tags?post=48049"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}