Protecting wp-admin from bots

The most common attack on a WordPress site targets the login page. Automated bots hit thousands of sites a day, trying multiple username/password combinations in the hope of finding weak or compromised passwords.

In this article I will show you how to put nginx HTTP basic authentication (using an htpasswd file) in front of your WordPress login URL on Ubuntu (or any Debian system) to stop bots from ever reaching it.

First of all install apache2-utils, which provides the htpasswd tool:

    sudo apt-get update -y
    sudo apt-get install -y apache2-utils

Create a .htpasswd file (the -c flag creates a new file and overwrites an existing one, so leave it out when adding further users later):

    sudo htpasswd -c /var/www/.htpasswd mysiteadminusernameamajigger

Edit your /etc/nginx/sites-available/vhost file to add the following. The = and ^~ modifiers matter: nginx checks regex locations before a plain prefix location, so a bare "location /wp-login.php" would lose to the usual "location ~ \.php$" block and the password prompt would never be applied to the login page.

    location = /wp-login.php {
        auth_basic "Administrators Area";
        auth_basic_user_file /var/www/.htpasswd;
        # an exact (=) match is never handed to the generic "\.php$" block,
        # so it needs its own PHP handler (copy the one from that block)
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

    location ^~ /wp-admin {
        auth_basic "Administrators Area";
        auth_basic_user_file /var/www/.htpasswd;
        # ^~ stops nginx from consulting regex locations, so PHP files under
        # /wp-admin are handled here and inherit the auth_basic above
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
    }

Full example of my own file:

    server {
        root /var/www/impressto.net;
        index index.php index.html index.nginx-debian.html;
        server_name impressto.net www.impressto.net;

        location / {
            root /var/www/impressto.net;
            if (!-e $request_filename) {
                rewrite ^/(.*)$ /index.php?q=$1 last;
            }
        }

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }

        # exact match: wins over the "\.php$" regex above, so PHP must be handled here too
        location = /wp-login.php {
            auth_basic "Administrators Area";
            auth_basic_user_file /var/www/.htpasswd;
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }

        # ^~ skips the regex locations; the nested block serves PHP under /wp-admin
        # and inherits auth_basic. Note this also covers /wp-admin/admin-ajax.php,
        # which some themes and plugins call for visitors who are not logged in.
        location ^~ /wp-admin {
            auth_basic "Administrators Area";
            auth_basic_user_file /var/www/.htpasswd;
            location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.4-fpm.sock;
            }
        }
    }
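To see why the modifiers on the two admin locations matter, here is an added Python model of nginx's location-selection order. It is example code written for this article, not part of the original post or of nginx itself; resolve, is_protected, ORIGINAL and HARDENED are names I made up, and the two lists are constructed models of a vhost with plain prefix locations versus one using = and ^~.

```python
import re

# (modifier, pattern, block carries auth_basic). Constructed models of the two
# vhost variants: ORIGINAL uses plain prefix locations for the admin paths,
# HARDENED uses "=" for the login page and "^~" for the admin directory.
ORIGINAL = [
    ("", "/", False),
    ("~", r"\.php$", False),
    ("", "/wp-login.php", True),
    ("", "/wp-admin", True),
]
HARDENED = [
    ("", "/", False),
    ("~", r"\.php$", False),
    ("=", "/wp-login.php", True),
    ("^~", "/wp-admin", True),
]


def resolve(uri, locations):
    """Pick the location nginx would use for uri (simplified selection order):
    1. an exact "=" match wins outright;
    2. the longest matching prefix is remembered; if it is marked "^~", it wins;
    3. otherwise the first matching "~" regex wins;
    4. otherwise the remembered prefix location is used."""
    for loc in locations:
        if loc[0] == "=" and uri == loc[1]:
            return loc
    best = None
    for loc in locations:
        if loc[0] in ("", "^~") and uri.startswith(loc[1]):
            if best is None or len(loc[1]) > len(best[1]):
                best = loc
    if best is not None and best[0] == "^~":
        return best
    for loc in locations:
        if loc[0] == "~" and re.search(loc[1], uri):
            return loc
    return best


def is_protected(uri, locations):
    """True if the chosen block (or, for ^~, its nested PHP block) has auth_basic."""
    loc = resolve(uri, locations)
    return loc is not None and loc[2]


if __name__ == "__main__":
    for uri in ("/wp-login.php", "/wp-admin/", "/wp-admin/index.php", "/index.php"):
        print(uri, "original:", is_protected(uri, ORIGINAL),
              "hardened:", is_protected(uri, HARDENED))
```

With the plain prefix locations, /wp-login.php and /wp-admin/index.php are claimed by the generic .php block and get no password prompt; with = and ^~ all admin paths are protected while /index.php stays public.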

Now test your config:

    sudo nginx -t

If no errors are shown, restart nginx:

    sudo systemctl restart nginx

Now if you go to your wp-admin URL you will get a blocking password prompt. This will block most automated bots.