Protect wp-login.php and wp-comments-post.php on nginx

This is the post in series of making your server 50-90% faster just with few tips, saving your server load, improving page load speed and seo, and also saving lots of $ on upgrading the hosting server.

Why to protect wp-login.php and wp-comments-post.php on WordPress?

WordPress is an amazing and widely used platform for blogging and websites. However, this wide use means more criminals (so called hackers, script kiddies) trying to mess with your WordPress blog or site.

For this purpose, they simply use brute force to attempt logging into your blog. The easiest way is to set brute force on wp-login.php

Similarly, the spammers use wp-comments-post.php to spam on your blog via bots.

This first of all means you’re vulnerable to hack attempt, secondly, it means you will be having constant load on your server.

No matter what you think or assume, your blog is under constant attack of these bots and script kiddies. So by blocking access to wp-login.php and wp-comments-post.php you can not only secure your WordPress site, but also prevent useless load on your server.

Before proceeding: Install Theme My login plugin

This step is crucial. Install theme my login plugin (or any other if you want, but I have checked this one only) otherwise you’ll be locked out of the WordPress admin panel forever, and will need to remove the code added below to access login again.

How to protect WordPress wp-login.php and wp-comments-post.php on nginx

To protect these files on nginx, you need to simply give instructions to nginx via nginx.conf file.

In my setup, I have typical nginx installation with customized default settings on ubuntu. Then each site has its own configuration files in /etc/nginx/sites-available/ with file names.

Backup your nginx configuration file

Copy and backup your current configuration file. Keep the copied file on your local computer along with server by renaming it with date like:

We’ll be making changes to the nginx settings specific to the sites, you might need to do the same for all the WordPress based sites on your server.

Add settings to site specific nginx file

Open the site specific configuration file on nginx and paste this code in it (inside  “server” block):

server {

// all other nginx conf remains same, simply add this block inside server one

        location ~* (wp-comments-posts|wp-login)\.php$ {
                if ($http_referer !~ ^( ) {
                  return 405;

Don’t forget to change the “” to your website name for which you want wp-login.php and wp-comments-posts.php blocked.

Save and close the configuration file.

Restart the server.

If you have any difficulty or any sort of query, feel free to ask me!

Let me know if you want me to do this on your server too!

5 comments on “Protect wp-login.php and wp-comments-post.php on nginx

  1. Hi,
    I have had problems with unauthorized access to my iPhone 6 +. I have the phone password protected and fingerprint access turned on.
    However, one of my “friends” can force themselves past these access protectors.
    Please share your knowledge of a way that I can lock down my phone more securely. Thank you.

Leave a Reply

Your email address will not be published.