Protecting wp-admin from bots
The most common attack on a WordPress site targets the login page: automated bots hit thousands of sites a day, trying many username/password combinations in the hope of finding weak or compromised passwords.
In this article I will show you how to use HTTP basic authentication (an .htpasswd file) with nginx on Ubuntu (or any Debian-based system) to stop bots from reaching your WordPress login URL.
First of all, install apache2-utils (it provides the htpasswd tool):
sudo apt-get update -y;
sudo apt-get install -y apache2-utils;
Create a .htpasswd file (the -c flag creates the file; omit it when adding further users to an existing file):
sudo htpasswd -c /var/www/.htpasswd mysiteadminusernameamajigger
Edit your /etc/nginx/sites-available/vhost file to add:
# Exact match (=) is selected before regex locations such as "location ~ \.php$"; a plain prefix here would be shadowed by that regex and served without a password.
location = /wp-login.php {
    auth_basic "Administrators Area";
    auth_basic_user_file /var/www/.htpasswd;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
# ^~ stops the regex search, so PHP under /wp-admin stays inside this protected block; the nested location inherits auth_basic (use the same fastcgi_pass as your PHP location).
location ^~ /wp-admin {
    auth_basic "Administrators Area";
    auth_basic_user_file /var/www/.htpasswd;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}
Full example of my own file:
server {
    root /var/www/impressto.net;
    index index.php index.html index.nginx-debian.html;
    server_name impressto.net www.impressto.net;

    location / {
        root /var/www/impressto.net;
        # Send pretty-permalink URLs that do not exist on disk to WordPress.
        if (!-e $request_filename) {
            rewrite ^/(.*)$ /index.php?q=$1 last;
        }
    }

    # Regex locations beat plain prefix locations, so this block would also catch
    # /wp-login.php and /wp-admin/*.php unless those are declared with = or ^~ below.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

    # Exact match: selected before any regex location.
    location = /wp-login.php {
        auth_basic "Administrators Area";
        auth_basic_user_file /var/www/.htpasswd;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

    # ^~ stops the regex search; the nested PHP handler inherits auth_basic.
    # Note: plugins or themes that call /wp-admin/admin-ajax.php from the public site
    # will also get the password prompt; if you need that, add an exact
    # "location = /wp-admin/admin-ajax.php" block with the same fastcgi directives
    # but without auth_basic.
    location ^~ /wp-admin {
        auth_basic "Administrators Area";
        auth_basic_user_file /var/www/.htpasswd;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
    }
}
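The "=" and "^~" modifiers are not decoration: nginx does not pick a location by file order. An exact "=" match wins outright; otherwise the longest matching prefix is remembered and, unless it carries "^~", the first matching regex location (such as the "~ \.php$" block that hands requests to php-fpm) takes over, with the prefix used only when no regex matches. A plain "location /wp-login.php" is therefore overridden by the PHP regex and the login page is served with no password at all. The following Python model is an added example written for this post, not nginx's own code; it implements that documented selection rule (simplified, with nested locations and auth_basic inheritance) and compares the plain-prefix layout with the "="/"^~" layout for a few request URIs.

```python
import re

# Minimal model of nginx location selection (added example, not nginx code):
# exact "=" wins outright; else the longest matching prefix is remembered and,
# unless it is marked "^~", the first matching regex ("~" / "~*") in file order
# takes over; the prefix is used only when no regex matches. Nested locations
# are searched the same way inside the chosen block, which hands auth_basic down.

def loc(mod, pat, auth=False, php=False, nested=()):
    """One location entry; `auth` marks auth_basic, `php` marks a fastcgi_pass."""
    return {"mod": mod, "pat": pat, "auth": auth, "php": php, "nested": list(nested)}


def select(uri, locations):
    """Return the location nginx would choose among `locations`, or None."""
    best = None
    for entry in locations:
        mod, pat = entry["mod"], entry["pat"]
        if mod == "=" and uri == pat:
            return entry
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best["pat"]):
                best = entry
    if best is not None and best["mod"] == "^~":
        return best
    for entry in locations:
        if entry["mod"] in ("~", "~*"):
            flags = re.IGNORECASE if entry["mod"] == "~*" else 0
            if re.search(entry["pat"], uri, flags):
                return entry
    return best


def dispatch(uri, locations, auth=False):
    """Return (auth_required, passed_to_php, location_label) for a request URI."""
    chosen = select(uri, locations)
    if chosen is None:
        return (auth, False, None)
    auth = auth or chosen["auth"]          # auth_basic is inherited by nested blocks
    if chosen["nested"] and select(uri, chosen["nested"]) is not None:
        return dispatch(uri, chosen["nested"], auth)
    return (auth, chosen["php"], f'{chosen["mod"]} {chosen["pat"]}'.strip())


# Plain prefix locations for the login paths (the layout that looks right but is not).
NAIVE = [
    loc("", "/"),
    loc("~", r"\.php$", php=True),
    loc("", "/wp-login.php", auth=True),
    loc("", "/wp-admin", auth=True),
]

# Same server using "=" and "^~" with a nested PHP handler.
FIXED = [
    loc("", "/"),
    loc("~", r"\.php$", php=True),
    loc("=", "/wp-login.php", auth=True, php=True),
    loc("^~", "/wp-admin", auth=True, nested=[loc("~", r"\.php$", php=True)]),
]

URIS = ["/wp-login.php", "/wp-admin/", "/wp-admin/index.php",
        "/wp-admin/css/login.css", "/index.php"]


def report(locations):
    """Map each sample URI to (auth_required, passed_to_php)."""
    return {u: dispatch(u, locations)[:2] for u in URIS}


if __name__ == "__main__":
    for name, cfg in (("naive", NAIVE), ("fixed", FIXED)):
        print(name)
        for uri, (auth, php) in report(cfg).items():
            print(f"  {uri:26} auth={str(auth):5} php={php}")
```

Running it shows /wp-login.php and /wp-admin/index.php reaching php-fpm with auth=False under the plain-prefix layout (only the bare /wp-admin/ directory URL is prompted), while every path under /wp-admin and the login script itself require the password in the second layout. The model does not reproduce the internal redirect that "index index.php" performs for /wp-admin/, which is exactly why the directory URL alone appearing protected is misleading.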
Now test your config:
sudo nginx -t;
If no errors are shown, restart nginx:
sudo systemctl restart nginx;
Now if you go to your wp-admin URL you will get a blocking password prompt. This will block most automated bots.
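To confirm the challenge is doing its job, and to see which clients keep hammering the login, count the 401 responses nginx returns on the protected paths per client IP. The script below is an added example, not part of the original post: it parses nginx's default "combined" access log format, and the log lines embedded in it are constructed samples (not real traffic); the default path /var/log/nginx/access.log is the Debian/Ubuntu one.

```python
import re
import sys
from collections import Counter

# nginx "combined" log format, the default access_log format on Debian/Ubuntu.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths placed behind auth_basic in the vhost.
PROTECTED = ("/wp-login.php", "/wp-admin")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def is_protected(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


def summarize(lines, threshold=5):
    """Count 401 (basic-auth refused) responses on protected paths per client IP and
    return the IPs at or above `threshold`. A legitimate admin also produces one 401
    on the first visit before the browser sends credentials, so keep threshold > 1."""
    refused = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and is_protected(rec["path"]):
            refused[rec["ip"]] += 1
    return {ip: n for ip, n in refused.items() if n >= threshold}


# Constructed sample lines (not real traffic): a bot retrying the login form,
# an administrator whose browser answers the challenge on the second request,
# and an unprotected page view that must be ignored.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:03:14:08 +0000] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:03:14:10 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:03:14:11 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 401 188 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:03:14:12 +0000] "POST /wp-login.php HTTP/1.1" 401 188 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:03:14:13 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Mar/2024:08:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 401 188 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.2 - admin [12/Mar/2024:08:02:14 +0000] "GET /wp-admin/ HTTP/1.1" 200 3142 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def main(argv):
    """Read a log file given on the command line, or fall back to the embedded samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = list(fh)
    else:
        lines = SAMPLE_LOG
    for ip, n in sorted(summarize(lines).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} refused attempts on the login paths")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as "python3 wp_auth_refused.py /var/log/nginx/access.log" (filename assumed) to see which addresses are being turned away; the lines that clear the threshold are the ones worth feeding into fail2ban or a firewall rule.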