# Nginx Wordpress Security?

## drillsar

I am trying to lock down WordPress, and the following configuration is not working; it blocks the whole admin.

Is there any other security I should use for WordPress?

How do you deny access to wp-admin but allow admin-ajax.php?

```nginx
location ~ ^/(wp-admin|wp-login\.php) { allow 111.111.111.111; deny all; }

location ~ ^/wp-admin/admin-ajax.php$ { allow all; }
```

----------

## drillsar

I got it somewhat working, but only if I add 192.168.1.1, so obviously something is wrong with /etc/hosts or something else.

```nginx
# Always allow plugins, etc, access to 'admin-ajax.php'
location ~ /wp-admin/admin-ajax\.php$ {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_read_timeout 300;
    fastcgi_index index.php;
    fastcgi_param  SCRIPT_FILENAME /srv/giftboundgifts.com/html$fastcgi_script_name;
    allow all;
}

# Deny access to php files under the 'wp-admin' dir, and 'wp-login.php'
location ~ (/wp-admin/.*\.php|wp-login\.php$) {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_read_timeout 300;
    fastcgi_index index.php;
    fastcgi_param  SCRIPT_FILENAME /srv/giftboundgifts.com/html$fastcgi_script_name;
    allow 192.168.1.1;
    allow 192.168.1.242;
    deny all;
}
```

My /etc/hosts file (my hostname is otto; my website is giftboundgifts.com):

```
127.0.0.1       otto localhost
::1             localhost
192.168.1.242   otto.giftboundgifts.com otto
```

----------

## Hu

*drillsar wrote:*

> I am trying to lock down WordPress, and the following configuration is not working; it blocks the whole admin.

What do the server logs say when this happens?

*drillsar wrote:*

> Is there any other security I should use for WordPress?

I'd start by changing the permissions for the WordPress root directory to 0 (no access), then remounting the filesystem read-only for good measure. That should prevent malicious access, assuming your webserver respects filesystem permissions. It will have some negative effects on usability, but given the security history of WordPress, I think it's a reasonable trade-off.

*drillsar wrote:*

> I got it somewhat working, but only if I add 192.168.1.1, so obviously something is wrong with /etc/hosts or something else.

Please explain the connection here. The server should not be inspecting /etc/hosts when implementing its access control. However, it seems plausible that if you access the server on a private IP, it will see a private client IP and base its decision on that. The server access logs would confirm this.

[Edit: fixed the ordering of suggestions.  The directory permissions cannot be changed if the filesystem is made read-only first.]

----------

## spica

 *drillsar wrote:*   

> I am trying to lockdown wordpress and the following configuration not working it blocks the whole admin..
> 
> Any other security I should use for Wordpress?
> 
> How do you deny access to wp-admin but allow admin-ajax,php?
> ...

1. `~ ^/(wp-admin|wp-login\.php)` will match anything starting with /wp-admin. This is where admin is blocked.

2. `~ ^/wp-admin/admin-ajax.php$` will not be matched, because it looks like location 1 takes precedence.

If you know the full path to the file, try using the exact match `=`; it has the highest priority.

----------
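Spica's point, carried through to a complete server block. This is an added example, not drillsar's configuration or anything posted in the thread. It assumes PHP-FPM listening on 127.0.0.1:9000 (as in drillsar's config), a placeholder document root of /var/www/html and server_name of example.com, and 111.111.111.111 (the address from the question) as the trusted admin client; all of those are placeholders to adjust. The exact-match location is evaluated before any regex location, so admin-ajax.php is always handed to PHP, while regex locations are tried in the order they are written, so the restricted block has to come before the generic PHP handler or the generic one will win.

```nginx
# Added example, not the original poster's config.
# Assumptions: PHP-FPM on 127.0.0.1:9000, document root /var/www/html,
# server_name example.com, admin client 111.111.111.111 (all placeholders).
server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    index index.php index.html;

    # 1. Exact match: checked before every regex location, so plugins and
    #    front-end JavaScript can always reach admin-ajax.php.
    location = /wp-admin/admin-ajax.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }

    # 2. Other PHP under /wp-admin/ plus wp-login.php: gate on client address,
    #    then hand to PHP-FPM. allow/deny test $remote_addr, the TCP peer
    #    address nginx sees; /etc/hosts plays no part. This block must sit
    #    above the generic \.php$ location, since the first matching regex wins.
    location ~ ^/(wp-admin/.*\.php|wp-login\.php)$ {
        allow 111.111.111.111;      # trusted admin address (placeholder)
        allow 192.168.1.0/24;       # LAN clients show up with their private address
        deny all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }

    # 3. Generic PHP handler for the rest of the site. try_files stops nginx
    #    passing non-existent script names to PHP-FPM.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }

    # 4. Pretty permalinks. A request for /wp-admin/ resolves via $uri/ to
    #    /wp-admin/index.php, which is re-matched and lands in block 2.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Run `nginx -t` before reloading. Because `allow` and `deny` compare the address nginx actually sees, a LAN client is matched as 192.168.x.x whatever /etc/hosts says; the first field of the access log shows exactly which address was tested, which is the check Hu asks for. If a reverse proxy sits in front of nginx that address will be the proxy's, and the realip module (`set_real_ip_from` / `real_ip_header`) would be needed before these rules mean anything. Note also that only PHP under /wp-admin/ is gated; the static CSS and JS in that directory stay public, so the control is on script execution, not on the directory.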

