
Restricting access to wp-login by IP in nginx



Recently, fail2ban has stopped protecting WordPress effectively against brute-force attacks, because the IP address is unique in every request and blocking each address is pointless.

Because of this, I decided to restrict access to the wp-login.php file by IP. There is one nuance here: when using php-fpm, the location you add to the nginx configuration file for this needs its own script handler.



The resulting configuration looks like this:

    server {
        ...
        # Case-insensitive regex match on wp-login.php
        location ~* wp-login\.php$ {
            # Only the listed address may reach the login page; everyone else gets 403
            allow 127.0.0.1;
            deny all;
            # This location needs its own php-fpm handler
            try_files $uri =404;
            fastcgi_pass unix:/run/php-www.sock;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_ignore_client_abort off;
            fastcgi_param PHP_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -fmail@example.com";
            fastcgi_param PHP_ADMIN_VALUE "open_basedir = /var/www/example.com/:/var/save_path/:/var/tmp_dir/";
        }
        ...
    }

Now bots get a 403 error instead of the login page. However, this method is not very universal: if the site has user registration, it will not work.

But if you are the only user, you can get creative and, instead of restricting access by IP, restrict it by user agent, by password ...
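One way to check that the rule is doing its job, as an added example that is not part of the original post: the script reads nginx access-log lines (assumed to be in the default combined format), counts wp-login.php requests per client address, and reports any request from outside the allow list that did not receive 403. The function name, the sample log lines and the addresses are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# nginx "combined" log format: client IP, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def audit_wp_login(lines, allowed=("127.0.0.1/32",)):
    """Summarise wp-login.php traffic and flag requests that bypassed the allow list."""
    nets = [ip_network(n) for n in allowed]
    per_ip = Counter()
    leaks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Same case-insensitive match as the nginx location; the query string is ignored.
        if not re.search(r"wp-login\.php$", m["path"].split("?", 1)[0], re.I):
            continue
        ip = ip_address(m["ip"])
        per_ip[str(ip)] += 1
        # Anything outside the allow list must have been answered with 403.
        if not any(ip in n for n in nets) and m["status"] != "403":
            leaks.append((str(ip), m["method"], m["path"], int(m["status"])))
    return {
        "requests": sum(per_ip.values()),
        "unique_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),  # what a per-IP ban threshold sees
        "leaks": leaks,
    }

# Constructed sample lines (documentation address ranges), not real traffic.
# The last line is a deliberately constructed leak to show what a finding looks like.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '203.0.113.25 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jan/2024:10:00:03 +0000] "POST /WP-LOGIN.PHP HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Jan/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.99 - - [10/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.80 - - [10/Jan/2024:10:00:06 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(audit_wp_login(SAMPLE_LOG))
```

A `max_per_ip` of 1 alongside many `unique_ips` is the pattern described at the top of the post, where a per-address ban never triggers; a non-empty `leaks` list means some request reached wp-login.php without passing through the restricted location, for example via another server block.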



