I am trying shut the access the wp-admin with the following codes.
Yes, it works if I go to example.com/wp-admin, I will get blocked. However, if I am signed in as admin and I type example.com/wp-admin/index.php, I still can get in and play around with the dashboard.
Or, I can just simply type example.com/wp-admin/index.php and can still log in from there.
How do I correct this so that there is no access at all on */wp-admin/(whatever)? Except ajax.
Or, is there any method to shut admin dashboard (e.g. from wp setting, etc.)?
Thanks a lot for your time
# Deny brute force access to wp-login.php
location = /wp-login\.php {
limit_req zone=one burst=1 nodelay;
fastcgi_pass unix:/var/run/php7.3-fpm.sock;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
# Don't cache uris containing the following segments
if ($request_uri ~* "/wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
set $skip_cache 1;
}
# Block wp-admin by IP
location ~* ^/wp-(admin\.php|login\.php|admin/*$|admin/.*\.php) {
deny all;
error_page 403 = @wp_admin_ban;
}
location @wp_admin_ban {
rewrite ^(.*) https://example.com permanent;
}
location /wp-admin/admin-ajax.php {
allow all;
}
It doesn't seem to work. I can still go to example.com/wp-admin/index.php and log in from there
There's probably another, more specific rule, in your nginx config that's overriding the regex.
This is the only related code for wp-admin ### Add trailing slash to */wp-admin requests### rewrite /wp-admin$ $scheme://$host$uri/ permanent;