This is a really simple fix which will block the user enumeration on a wordpress site (like the method by wpscan).
Before I get into this, I am very well aware of the IfIsEvil page on nginx wiki. But it also says on this page, “The only 100% safe things which may be done inside if in location context are: return and rewrite as the last statement in a location block” With that in mind, we are going to use ONLY rewrite as the last statement in our location block.
Some of the posts I am seeing on the internet regarding the wordpress password crack via botnet is pretty funny as various people offer suggestions to fix the problem. The quickest fix is simple and although it protects the wp-admin page, it wont protect you from the inbound traffic or sql injection.
This is just a quick note on how to password protect wp-admin using nginx.
You may have to fiddle with the location of the lines in the site.conf file.
Where I thought the config variables needed to go, gave me a “download file” of type bin in nginx after authentication.
So, here is how I did it:
server {
listen 80;
server_name domain.com www.domain.com;
access_log /logs/domain.com-access.log;
error_log /logs/domain.com-error.log;
root /var/www/sites/domain.com/htdocs;
location / {
try_files $uri $uri/ /index.php?q=$request_uri;
}
include /usr/nginx/conf/staticfiles.conf;
include /usr/nginx/conf/php.conf;
include /usr/nginx/conf/drop.conf;
# password protect wp-admin
location ~ ^/wp-admin {
auth_basic “Restricted”;
auth_basic_user_file /path/to/htpasswd/file;
try_files $uri $uri/ /index.php?q=$request_uri;
}
}