WordPress is gaining in popularity and therefore the number of attacks specific to WordPress keep increasing. I manage servers for some political websites which get attacked relentlessly so that means I get to create new firewall rules and rate limiting directives to help keep the site running – very fun!
Recently this site was being attacked by a bot that was trying different wp-admin requests as a DoS attack (Denial of Service) that were nonsense like wp-admin/1 wp-admin/?herp which of course, all bypass any server-side caching I had configured and were being executed to quickly that it was sucking up tons of resources on the dedicated server. In this post you will learn how to protect the wp-admin of any WordPress or WooCommerce site using nginx rate-limiting. I recommend coupling this with fail2ban as well as outlined here.
Throttle wp-admin Attacks with nginx Rate Limiting
In the http { block you add this directive so nginx has a zone for your rate limiting throttle to protect the WordPress admin area in wp-admin with this directive. I add this in /etc/nginx/nginx.conf on Ubuntu and Debian systems.
Now we add the protection to the virtual host file typically located in the/etc/nginx/sites-available folder In the server { we need to add this block to handle the wp-admin requests with PHP and also make sure the throttle zone is active there too. If you have a large amount of legitimate wp-admin requests you may have to increase the burst value higher than 3 (in burst=3 below).
If this part is not done correctly for the wp-admin protection you may get a 502 bad gateway error or a File not found error from nginx, the block below should fix this for you. Make sure to use the correct fastcgi_pass parameter which you can find in your location ~ \.php$ { block.
You will need to reload nginx after applying these changes
Now make sure to browse around your wp-admin area to make sure it works 🙂