RT Cunningham


WordPress Login Security with Nginx and the Jetpack Plugin

There are dozens of plugins that are supposed to offer WordPress login security. Most of them are obsolete. The “Protect” module in the Jetpack plugin is the best of the bunch, because it was specifically designed to stop brute force login attempts.

Nginx can augment the login security the Jetpack plugin offers, but only for people who have access to the configuration files. The instructions I’m offering only pertain to you if you’re one of those people.

WordPress Login Security and the Jetpack Protect Module

The Protect module started as an independent service. It blocked more than a hundred million attacks across more than 100,000 websites before it was acquired by Automattic in August of 2014. It works like this: once a single IP address has too many failed login attempts in a short period, it is blocked from logging in to every website that has the module activated.

Since it’s possible to accidentally block yourself, especially when you have Internet connection issues, you have to whitelist your IP address (or addresses) in the module. You probably don’t have a static IP address, so entering the subnet that covers your IP address is a good idea.

While this module will protect you from brute force login attempts, it won’t stop someone from trying once an hour for days at a time, because attempts that slow never trip the threshold. Some hackers have nothing but time on their hands.

WordPress Login Security and Nginx

With Nginx, you can restrict the login page and the admin area itself to the same subnet. You can do it with the Nginx geo module and a few lines of code in the main configuration file (nginx.conf) and then a few lines in your virtual host (“server”) configuration file. See my article on an application firewall to see the code.

That code won’t stop someone from trying once an hour for days at a time either. What it will do is narrow the places the attacks can come from to your own subnet.

You can’t use that Nginx code if your website allows registrations and logins from anywhere in the world, but there’s other code you can use with the Nginx limit request module (limit_req). Use this in your main configuration file, inside the http block:

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

Use this corresponding code in your virtual host configuration file, inside the server block (the block must also contain the same PHP handoff directives as your general PHP location, because an exact-match location replaces it for this file):

location = /wp-login.php {
    limit_req zone=one burst=1 nodelay;
    # ... the same include/fastcgi_pass lines as your general PHP location go here
}

What this does is keep any single IP address from requesting the login page more than about once per second (burst=1 lets one extra request through immediately; anything beyond that gets an error response, 503 unless you set limit_req_status). Some bots will do that and so will stuck keys. Keep in mind that the limit is keyed by client address, so it does nothing against an attack spread across many addresses, and if a proxy or CDN sits in front of Nginx, the address it sees is the proxy’s unless you configure the real IP module.
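Here is a complete version of both techniques from this article, the geo subnet restriction and the limit_req throttle, put together in one place. This is an added example, not the code from my application firewall article or from Jetpack; the subnet 203.0.113.0/24 is a documentation range standing in for your own ISP’s subnet, and the PHP-FPM socket path is an assumption you will need to match to your server.

```nginx
# --- nginx.conf, inside the http {} block ---

# geo maps the client address to a variable: everything defaults to 0,
# the listed subnet gets 1. 203.0.113.0/24 is a placeholder for the
# subnet your ISP assigns you (an assumption for this example).
geo $admin_allowed {
    default         0;
    203.0.113.0/24  1;
}

# Per-address request bucket. 10 MB holds roughly 160,000 addresses;
# the sustained rate is one request per second per address.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/s;

# Answer 429 instead of the default 503 so throttled hits are not
# mistaken for backend outages in the access log (nginx 1.3.15 or later).
limit_req_status 429;

# --- virtual host file, inside the server {} block ---

# An exact-match location wins over the general "\.php$" regex location,
# so the PHP handoff must be repeated here or nginx serves the file raw.
location = /wp-login.php {
    if ($admin_allowed = 0) {
        return 403;
    }
    # burst=1 nodelay: one extra request is forwarded immediately, the
    # next one within the same second gets the limit_req_status code.
    limit_req zone=wplogin burst=1 nodelay;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket path
}

# Front-end plugins call admin-ajax.php on behalf of anonymous visitors,
# so it is carved out before the rest of /wp-admin/ is locked to the subnet.
location = /wp-admin/admin-ajax.php {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket path
}

location ^~ /wp-admin/ {
    if ($admin_allowed = 0) {
        return 403;
    }
    # Repeated in the nested location: nginx runs the if/return of the
    # location it finally selects, and a nested match selects this inner one.
    location ~ \.php$ {
        if ($admin_allowed = 0) {
            return 403;
        }
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket path
    }
}
```

Run nginx -t after editing and then fetch /wp-login.php from an address outside the subnet: you should get a 403, and a second quick request from inside the subnet should get a 429 before the limiter lets the next one through. If your site must accept logins from anywhere, drop the geo block and the if checks and keep only the limit_req lines. Note that wp-login.php is not the only place WordPress accepts credentials: xmlrpc.php takes authenticated calls too, and nothing above throttles it, so apply the same limit_req there or block it if you do not use it.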

WordPress Login Security and non-WordPress Websites

The Jetpack Protect module is WordPress-specific and may or may not be ported to other platforms. The Nginx modules work with all of them. Only the admin area directory and login page names differ.


By RT Cunningham
August 15, 2016
Web Development