Rate limit access to wp-login.php to block against brute force attacks

Keywords: WordPress + NGINX + SSL - AWS - How to - Application configuration

Description:
Greetings everyone.

I am interested in tightening up security a bit as I have noticed lots of activity in the access/error logs.

I would like to use this code within the nginx-app.conf file:

# Deny access to wp-login.php
location = /wp-login.php {
    limit_req zone=one burst=1 nodelay;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    #fastcgi_pass 127.0.0.1:9000;
}

Yet I am unsure how to write it correctly. I tried it as is and encountered an error. I deleted it and removed the error but would like to go back and enable this option.

Can someone offer some insight?

Hi @avanzate1,

What’s the error you got?

Can you share the entire content of the file so we can review it?

Thanks

This is the current content of the file after I removed the above code:

index index.php index.html index.htm;

if ($request_uri !~ "^/phpmyadmin.*$") {
    set $test A;
}
if ($request_uri !~ "^/bitnami.*$") {
    set $test "${test}B";
}
if (!-e $request_filename) {
    set $test "${test}C";
}
if ($test = ABC) {
    rewrite ^/(.+)$ /index.php?q=$1 last;
}

# Deny access to any files with a .php extension in the uploads directory
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}

# Disable logging for not found files and access log for the favicon and robots
location = /favicon.ico {
    log_not_found off;
    access_log off;
}
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# Deny access to xml-rpc
location ~* ^/xmlrpc.php$ {
    deny all;
}

# Deny public access to wp-config.php
location ~* wp-config.php {
    deny all;
}

# Deny access to uploads that aren't images, videos, music, etc.
location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
    deny all;
}

include "/home/bitnami/wordpresspro/apps/bitnami/banner/conf/banner-substitutions.conf";
include "/home/bitnami/wordpresspro/apps/bitnami/banner/conf/banner.conf";

# Deny all attempts to access hidden files such as .htaccess or .htpasswd.
location ~ /\. {
    deny all;
}

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_read_timeout 300;
    fastcgi_pass unix:/home/bitnami/wordpresspro/php/var/run/www.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    include fastcgi_params;
}

I decided to modify the initial code to use the /php/var/run socket path that already appears toward the end of the file above.
Here is what I just tried:

# Deny access to wp-login.php
location = /wp-login.php {
    limit_req zone=one burst=1 nodelay;
    fastcgi_pass unix:/home/bitnami/wordpresspro/php/var/run/www.sock;
    #fastcgi_pass 127.0.0.1:9000;
}

Same error:

  nginx: [emerg] zero size shared memory zone "one"
 /home/bitnami/wordpresspro/nginx/scripts/ctl.sh: 77: [: Illegal number: 
 /home/bitnami/wordpresspro/nginx/scripts/ctl.sh : Nginx could not be started

I also tried another method, which did not produce any errors. I added this to nginx.conf:

http {
    limit_req_zone $binary_remote_addr zone=wordpresslogin:10m rate=15r/m;
    limit_req_status 429;
}

And I added this to nginx-app.conf:

location = /wp-login.php {
    # The zone name has to match the one declared with limit_req_zone in nginx.conf
    limit_req zone=wordpresslogin;
    # No fastcgi_pass in this location, so nginx has no PHP handler for the request
}

In this case, no errors but when I refreshed my login page, the wp-login.php file would download to my computer. I assume something is wrong so I set everything back as it was. Any input?

Hi @avanzate1,

This should work:

  • Edit the nginx-app.conf file to look like this
...
# Deny access to wp-login.php
location = /wp-login.php {
    # "one" must be declared with limit_req_zone in the http {} context of
    # nginx.conf; otherwise nginx fails with "zero size shared memory zone"
    limit_req zone=one burst=1 nodelay;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_read_timeout 300;
    fastcgi_pass unix:/home/bitnami/wordpresspro/php/var/run/www.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    include fastcgi_params;
}

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_read_timeout 300;
    fastcgi_pass unix:/home/bitnami/wordpresspro/php/var/run/www.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    include fastcgi_params;
}
...
  • Restart nginx and access the wp-login.php webpage.

Does it work?

Happy to help!


Awesome!!! I tried other code all afternoon. This is great. I appreciate it so much.
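For reference, the two halves that the thread arrives at have to be configured together, and both of the errors above map to one half being missing. The following is an added example, not code from the thread or from Bitnami: the shared-memory zone can only be declared in the http {} context (a limit_req that names an undeclared zone is what triggers "zero size shared memory zone" at startup), and an exact-match location for wp-login.php must carry its own fastcgi_* directives, because without fastcgi_pass nginx has no PHP handler there and serves the script as a static download. The zone name wplogin, the 10m size, the 5r/m rate and burst=3 are assumed values; the socket path is the one from the thread.

```nginx
# --- nginx.conf, inside the http {} block ---------------------------------
http {
    # Key the limit on the client address. Values are assumptions: nginx
    # documents roughly 16 thousand 64-byte states per megabyte, so 10m
    # tracks on the order of 160 thousand addresses; 5r/m (one request every
    # 12 seconds) still allows a normal login while starving a guesser.
    limit_req_zone $binary_remote_addr zone=wplogin:10m rate=5r/m;

    # Answer 429 instead of the default 503 so rejected login attempts can
    # be told apart from backend failures when reading the access log.
    limit_req_status 429;
    limit_req_log_level warn;

    # ... the rest of the http block stays as it is
}

# --- nginx-app.conf, inside the server {} block ---------------------------
# "location =" wins over "location ~ \.php$", so this block needs the same
# fastcgi_* directives as the generic PHP location or nginx will serve
# wp-login.php as a plain file.
location = /wp-login.php {
    # burst=3 with nodelay serves up to three excess requests immediately
    # (a mistyped password or two); further excess requests get a 429 until
    # the bucket drains at the configured rate.
    limit_req zone=wplogin burst=3 nodelay;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_read_timeout 300;
    fastcgi_pass unix:/home/bitnami/wordpresspro/php/var/run/www.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    include fastcgi_params;
}
```

Run nginx -t before restarting so a missing zone or a typo in the zone name is reported as a configuration error rather than a failed start. Two caveats for this setup: the limit is per client address, so users behind a shared NAT share one bucket, and on AWS behind a load balancer every client arrives with the balancer's address unless set_real_ip_from and real_ip_header (ngx_http_realip_module) are configured first, in which case the limit would throttle everyone at once. Once it is in place, the 429 entries in the access log give a direct count of how many login attempts the limit is absorbing.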
