Limit WordPress admin access by IP address in nginx

As soon as any server is set up on the net, it will immediately see attempts at loading the /wp-login.php page. If you actually have a WordPress site set up, you'll quickly start receiving lots and lots of login attempts. You can stop this completely by limiting access to /wp-login.php and /wp-admin by IP address in nginx (the paths below are for Debian/Ubuntu). It's pretty simple. Here's how:

In your site's nginx server block, add an include for the WordPress IP address configuration. Keeping it in a separate file is handy if you have more than one WordPress site on your server, since each site can include the same file.

server {
    ...
    include /etc/nginx/snippets/wordpress.conf;
    ...
}

Create a file at /etc/nginx/snippets/wordpress.conf:

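# "=" is an exact match: each block applies only to the one URI it names,
# so other files under /wp-admin/ do not match the second block.
# Adjust the socket path to the PHP-FPM version installed on your server.
location = /wp-login.php {
    include snippets/blockips.conf;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
}
location = /wp-admin/ {
    include snippets/blockips.conf;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
}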

Then create a file that will list the IP addresses that will be permitted to access your WordPress admin at /etc/nginx/snippets/blockips.conf:

allow 0.0.0.0; #description
allow 0.0.0.0; #description2
allow 2001:db8::1; #description3 (IPv6 placeholder; must be a complete, valid address)
deny all;

This will allow the three IP addresses listed above (of course, replace with the IPs you'd like to allow) to access your WordPress admin page. Everything else will be denied. nginx checks the rules in order and stops at the first match, so keep deny all; as the last line. Add a little description to the end of each line in order to keep track of which IP addresses you're adding.
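A small checker for the allowlist file described above, as an added example that is not part of the original post. It parses allow/deny lines, flags entries that are not valid addresses or networks, warns when the file does not end in deny all;, and reports whether a given client address would be let through under nginx's first-match rule. The sample contents and the function names parse_rules and is_allowed are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample in the format of snippets/blockips.conf (addresses are
# documentation-range placeholders; the third entry is deliberately malformed).
SAMPLE = """\
allow 192.0.2.10; #office
allow 198.51.100.0/24; #vpn
allow ffff:ffff:ffff; #bad ipv6
deny all;
"""

def parse_rules(text):
    """Return (rules, errors); rules are (action, network-or-None) in file order."""
    rules, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        stmt = line.split("#", 1)[0].strip()
        if not stmt:
            continue
        parts = stmt.rstrip(";").split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny") or not stmt.endswith(";"):
            errors.append(f"line {n}: not an allow/deny directive: {stmt!r}")
            continue
        action, value = parts
        if value == "all":
            rules.append((action, None))
            continue
        try:
            rules.append((action, ipaddress.ip_network(value, strict=False)))
        except ValueError:
            errors.append(f"line {n}: invalid address {value!r}")
    if not rules or rules[-1] != ("deny", None):
        errors.append("no final 'deny all;': unlisted clients would be allowed")
    return rules, errors

def is_allowed(rules, client):
    """First matching rule wins, as in nginx's access module; no match means allow."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action == "allow"
    return True

if __name__ == "__main__":
    rules, errors = parse_rules(SAMPLE)
    print("\n".join(errors) or "no problems found")
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5", "2001:db8::1"):
        print(ip, "allowed" if is_allowed(rules, ip) else "denied")
```

Run it against your own file contents before restarting nginx; an entry it reports as invalid would also make nginx refuse the configuration.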

Then restart nginx:

service nginx restart

And you’re good to go.

The first time you log in, WP might complain about cookies. Just try to log in again.