How to hide and protect the WordPress admin URL on an NGINX server

If you’re running WordPress behind NGINX, you’ve probably considered how to protect admin url wordpress in nginx server. The default admin paths (/wp-admin/, /wp-login.php) are well-known, frequently targeted by bots, brute-force attacks, or automated scans. Leaving them exposed is like leaving the front door to your house wide open. In this post we’ll explain why hiding / protecting the admin URL matters, review common techniques, show concrete NGINX configs, cover trade-offs, gaps many guides miss, and finish with FAQs and a recommendation for plugin-assisted protection.

• The safest and most complete solution is using a security plugin like AIOS (All-In-One Security), which hides the login URL, adds brute force protection, two-factor authentication, CAPTCHA, and firewall rules, all in one package.
• If you only need a lightweight option, WPS Hide Login lets you change the login path easily.
• NGINX-level methods like IP whitelisting and HTTP Basic Auth provide strong server-side control and are excellent extra layers alongside plugins.
• Some WordPress functionality (AJAX, REST API, mobile apps) may break if not configured carefully. Always test after applying restrictions.
• Security is about layering protections: strong passwords, regular updates, plugin-based defenses, and server-level hardening together make the login page far harder to attack.

WordPress websites are under constant attack. Attackers know the standard admin paths, try login credentials, exploit login endpoints, or launch brute force attacks until something gets in. Beyond brute force, if the login page is public, it leaks information and invites automated scanning. As a website owner or developer, your aims are:

• Reduce the surface area exposed to unauthorised access
• Prevent or slow down brute force or automated attacks
• Add extra layers (IP restrictions, authentication) so even if someone discovers the admin URL, they can’t get in easily

In this article you’ll learn multiple ways to protect admin url wordpress in nginx server, including: rewrite techniques, IP-whitelisting, basic auth, cookie-or token-based gating, and using plugins. I’ll include examples, pitfalls, and things many how-tos miss (like securing all access paths, preserving AJAX endpoints, handling mobile/dev access, etc.).

Below are several techniques. You can combine some of them. Choose what fits your risk profile, team size, infrastructure.

Below are code examples you can adapt to protect the admin url in nginx server.

AIOS includes a built-in option to rename and hide your login URL. You can enable this under:

WP Admin → AIOS→ Brute Force → Rename Login Page → Enable Rename Login Page Feature

Once enabled, AIOS will replace /wp-login.php with a custom path you choose (e.g. /my-secure-login).

WPS Hide Login also has two simple inputs in Settings → WPS Hide Login where you can choose a custom login URL and a redirection URL.

Restrict access so only trusted IPs can reach /wp-login.php and /wp-admin/:

# Protect wp-login.php
location = /wp-login.php {
    allow 203.0.113.45;      # your static IP
    allow 198.51.100.0/24;   # optional IP range
    deny all;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}

# Protect wp-admin (but allow AJAX if needed)
location ^~ /wp-admin/ {
    allow 203.0.113.45;
    allow 198.51.100.0/24;
    deny all;
    try_files $uri $uri/ /index.php?$args;
}

# Allow admin-ajax.php (required by front-end features)
location = /wp-admin/admin-ajax.php {
    allow all;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}

Adds a password gate before WordPress even loads.

Create the password file:

• sudo apt install apache2-utils
• htpasswd -c /etc/nginx/.htpasswd adminuser

Then configure NGINX:

# Protect wp-admin with basic auth
location ^~ /wp-admin/ {
    auth_basic "Restricted Admin";
    auth_basic_user_file /etc/nginx/.htpasswd;
    try_files $uri $uri/ /index.php?$args;
}

# Protect wp-login.php with basic auth
location = /wp-login.php {
    auth_basic "Restricted Login";
    auth_basic_user_file /etc/nginx/.htpasswd;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}

After implementing one or more methods, verify:

1. You can still login from all expected access points (home IP, remote, mobile)
2. AJAX calls that your theme/plugins use aren’t broken. Test common features (comments, forms, etc.)
3. REST API endpoints you need work (if you rely on f.e. mobile apps)
4. WordPress cron, XMLRPC etc if needed are configured correctly or blocked if not used
5. Check error logs for 403, 404, or other access errors to identify unintended blocks
6. Use tools to scan for exposed login paths

Here are recommendations depending on your situation:

Hiding known login paths buys time against automated attacks, but the real defense comes from layering protections at the server level

Protecting your WordPress login with NGINX rules is powerful, but it can be complex to maintain, especially if you have multiple admins or changing IPs.

That’s why the AIOS (All-In-One Security) plugin is the smarter choice. AIOS makes it simple to:

• Hide or rename your login URL in a few clicks
• Block brute force attacks automatically
• Enable two-factor authentication and CAPTCHA for stronger logins
• Manage IP restrictions and firewall rules without touching server configs
• Monitor and log suspicious activity from a single dashboard

Use AIOS for complete, user-friendly protection, and optionally layer NGINX hardening on top for maximum security.

Protecting and hiding the WordPress admin URL in an NGINX server is not just about obscurity. It’s about reducing risk, adding friction for attackers, and moving protection as close to the server boundary as possible. Whether you use IP whitelisting, basic auth, token gating, or plugins (or all of them), each layer makes your site harder to attack.