With the recent news of a big botnet that attacks WordPress websites via wp-login.php was it time to prepare myself for the attack. wp.login.php is an uncached page that uses PHP resources which can slow down your website or cause errors.
My resolution: restrict access to wp-login.php with nginx. I’m only allowing the IP addresses that I can trust and anyone else will receive a 403 Forbidden error!
location ~* /wp-login.php$ {
allow INSERTYOURIPADDRESSHERE;
deny all;
# These lines are here to make sure that the page is loaded correctly after your IP has been verified. Change them to your own settings.
fastcgi_keep_conn on;
include fastcgi_params;
try_files $uri =404;
fastcgi_split_path_info ^(.+.php)(/.+)$;
fastcgi_intercept_errors on;
# By all means use a different server for the fcgi processes if you need to
proxy_set_header Proxy-Connection "";
fastcgi_pass php5-fpm;
}