I am trying to shut off access to wp-admin with the following code.
Yes, it works if I go to example.com/wp-admin: I get blocked. However, if I am signed in as admin and I type example.com/wp-admin/index.php, I can still get in and play around with the dashboard.
Or I can simply type example.com/wp-admin/index.php and still log in from there.
How do I correct this so that there is no access at all to */wp-admin/(whatever), except ajax?
Or, is there any method to shut the admin dashboard (e.g. from a wp setting, etc.)?
Thanks a lot for your time.
# Deny brute force access to wp-login.php
# (requires a matching "limit_req_zone ... zone=one:..." in the http context)
# Note: "location =" is an exact, literal match, so the dot must not be escaped.
location = /wp-login.php {
    limit_req zone=one burst=1 nodelay;
    include fastcgi_params;                                            # if not already set at server level
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;  # if not already set at server level
    fastcgi_pass unix:/var/run/php7.3-fpm.sock;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
# Don't cache URIs containing the following segments
if ($request_uri ~* "/wp-admin/|/wp-json/|/xmlrpc\.php|wp-.*\.php|/feed/|index\.php|sitemap(_index)?\.xml") {
    set $skip_cache 1;
}
# Block wp-admin by IP
location ~* ^/wp-(admin\.php|login\.php|admin/*$|admin/.*\.php) {
    deny all;
    error_page 403 = @wp_admin_ban;
}
location @wp_admin_ban {
    rewrite ^(.*) https://example.com permanent;
}
location /wp-admin/admin-ajax.php {
    allow all;
}
You should be able to adjust your regex:
# Block wp-admin by IP
location ~* ^\/wp-(admin\.php|login\.php|admin\/.*|includes\/.*) {
    allow 127.0.0.1; # and other IPs...
    include common/acl.conf; # a method to share code between locations for blocking by IP.
    deny all;
    error_page 403 = @wp_admin_ban;
}
Fixed the leading slash, along with wildcarding under admin/* and includes/*.
It doesn't seem to work. I can still go to example.com/wp-admin/index.php and log in from there.
There's probably another, more specific rule in your nginx config that's overriding the regex.
This is the only related code for wp-admin:
# Add trailing slash to */wp-admin requests
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
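A self-contained location layout that produces the behaviour the question asks for (everything under /wp-admin/ and wp-login.php restricted by IP, admin-ajax.php left open), and that does not depend on where the site's generic PHP handler sits in the file. This is an added example, not code from the thread; the allowed address 203.0.113.10, the PHP-FPM socket path and the assumption that the generic handler is a "location ~ \.php$" block are assumptions.

```nginx
# Added example (not from the thread). Assumptions: PHP-FPM listens on
# /var/run/php7.3-fpm.sock, 203.0.113.10 is the only address allowed into the
# dashboard, and the site's generic PHP handler is a "location ~ \.php$" block.

# 1. admin-ajax.php stays public. "^~" means: if this is the longest matching
#    prefix, regex locations are not consulted at all, so the deny block below
#    can never capture this URI regardless of ordering.
location ^~ /wp-admin/admin-ajax.php {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/var/run/php7.3-fpm.sock;
}

# 2. Everything else under /wp-admin/ plus wp-login.php. nginx picks the FIRST
#    matching regex location in file order, so this block must appear before
#    "location ~ \.php$"; otherwise /wp-admin/index.php is handed to the generic
#    PHP handler and the deny never runs (the symptom described in the question).
#    The trailing-slash rewrite turns /wp-admin into /wp-admin/, which also matches.
location ~* ^/wp-(login\.php|admin/) {
    allow 203.0.113.10;
    deny  all;
    error_page 403 = @wp_admin_ban;

    # allow/deny are inherited by the nested location, so allowed addresses
    # still get PHP executed here instead of index.php being served as a file.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php7.3-fpm.sock;
    }
}

# 3. Denied visitors are sent to the front page instead of a bare 403.
location @wp_admin_ban {
    return 301 https://example.com/;
}
```

After reloading, check from a non-allowed address that /wp-admin/, /wp-admin/index.php and /wp-login.php all answer with the 301, while /wp-admin/admin-ajax.php still reaches PHP.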