How to restrict WAN access for Wordpress /wp-admin ?

[BHuck74]

Dear all,

I've a wordpress instance running on Docker, behind a Nginx proxy manager also hosted on Docker.
I would like to prevent WAN users to connect to the workdpress wp-admin page, thus only allowing this access from the LAN.
I've added the following section in the Advanced section of the proxy host configuration :

location ~ ^/(wp-admin|wp-login.php) {   allow 192.168.1.254;   deny all; }

Unfortunately this leads to a 404 - Not Found page... I've just no idea how I could do that...

Any help would be much appreciated!

[Flothoger]

You are getting a 404 because you do not specify where the proxy traffic should go.
Try:

location ~ /(wp-admin|wp-login.php) {
   proxy_pass http://<WP-SERVER-IP>;
   allow 192.168.1.254;
   deny all;
}

If you want to grant access not only to 192.168.1.254 but to your whole local network, you can add: allow 192.168.1.0/24;

^ Is also not needed because it just causes regular expressions not being checked.
For more information: Nginx documentation for location

If you are blocking by local IP's: be sure to forward your FQDN inside your local DNS to Nginx Proxy Manager. If that is not possible, you need to allow your public IP instead (only makes sense if you have a static public IP).

[nickelswitte]

Hello,
would it be possible to evoke a basic HTTP auth request with user and password?
Some other tools like plesk offer such password protection on directories.

[Flothoger]

I guess you can do that. Also use of authentication services like Authentik would be possible. Just take a look at the docs basic auth should be pretty well documented. Use of a custom location for basic auth would look something like this:

location /protected {
    auth_basic "Restricted Access";
    auth_basic_user_file /config/nginx/.htpasswd;

    proxy_pass $forward_scheme://$server:$port;
}

[HanSyt]

@Flothoger
Jan 12 14:49:44 smtp nginx[15060]: 2025/01/12 14:49:44 [emerg] 15060#15060: "proxy_pass" cannot have URI part in location given by regular expressio>
Jan 12 14:49:44 smtp nginx[15060]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan 12 14:49:44 smtp systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE

It seems that proxy_pass cannot be used twice

In the image I tried to have to set the uplink first, no no success

However, this seems to be working, you can use the login form but coming in wp-admin sends you to not found

And finally

wp-login also only accessible from local subnet

[Flothoger]

"proxy_pass" cannot have URI part in location given by regular expressio>

Yeah, thats correct. The location: location ~ /(wp-admin|wp-login.php) includes regex so you cannot have URI in the proxy_pass. This happens because you have specified proxy_pass https://192.168.1.5/; when you should have specified proxy_pass https://192.168.1.5; . In your picture you just rewrote the regex to two different locations.

In my prod environment I also changed my rgex to also include wp-cron, just as a precaution:
~ /(wp-admin|wp-login|wp-cron\.php)

Limiting the methods to GET HEAD and POST is also a good idea.

Anyways, great to hear that you have your nginx with advanced config working now.