How to hide and protect the WordPress admin URL on an NGINX server
If you’re running WordPress behind NGINX, you’ve probably considered how to protect the WordPress admin URL. The default admin paths (/wp-admin/, /wp-login.php) are well known and frequently targeted by bots, brute-force attacks, and automated scans. Leaving them exposed is like leaving the front door to your house wide open. In this post we’ll explain why hiding and protecting the admin URL matters, review common techniques, show concrete NGINX configs, cover the trade-offs and the gaps many guides miss, and finish with FAQs and a recommendation for plugin-assisted protection.
Key Takeaways
- The safest and most complete solution is using a security plugin like AIOS (All-In-One Security), which hides the login URL, adds brute force protection, two-factor authentication, CAPTCHA, and firewall rules, all in one package.
- If you only need a lightweight option, WPS Hide Login lets you change the login path easily.
- NGINX-level methods like IP whitelisting and HTTP Basic Auth provide strong server-side control and are excellent extra layers alongside plugins.
- Some WordPress functionality (AJAX, REST API, mobile apps) may break if not configured carefully. Always test after applying restrictions.
- Security is about layering protections: strong passwords, regular updates, plugin-based defenses, and server-level hardening together make the login page far harder to attack.
Why Should You Hide The Admin URL
WordPress websites are under constant attack. Attackers know the standard admin paths, so they try login credentials, exploit login endpoints, or launch brute force attacks until something works. Beyond brute force, a public login page leaks information and invites automated scanning. As a website owner or developer, your aims are:
- Reduce the surface area exposed to unauthorised access
- Prevent or slow down brute force or automated attacks
- Add extra layers (IP restrictions, authentication) so even if someone discovers the admin URL, they can’t get in easily
In this article you’ll learn multiple ways to protect the WordPress admin URL on an NGINX server, including rewrite techniques, IP whitelisting, basic auth, cookie- or token-based gating, and plugins. I’ll include examples, pitfalls, and things many how-tos miss (like securing all access paths, preserving AJAX endpoints, and handling mobile/dev access).
Keep bots out of your WordPress login
Exposed admin pages are the easiest way in for brute force attacks. AIOS hides your login, adds two-factor authentication, and blocks repeated login attempts automatically.
Methods to protect admin url in WordPress with NGINX
Below are several techniques. You can combine some of them. Choose what fits your risk profile, team size, and infrastructure.
Example NGINX configurations
Below are code examples you can adapt to protect the admin URL on an NGINX server.
1. AIOS (All-In-One Security Plugin)
AIOS includes a built-in option to rename and hide your login URL. You can enable this under:
WP Admin → AIOS → Brute Force → Rename Login Page → Enable Rename Login Page Feature
Once enabled, AIOS will replace /wp-login.php with a custom path you choose (e.g. /my-secure-login).
2. WPS Hide Login Plugin
WPS Hide Login also has two simple inputs in Settings → WPS Hide Login where you can choose a custom login URL and a redirection URL.
3. IP Whitelisting (NGINX)
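Restrict access so only trusted IPs can reach /wp-login.php and /wp-admin/:
# Protect wp-login.php
location = /wp-login.php {
    allow 203.0.113.45;      # your static IP
    allow 198.51.100.0/24;   # optional IP range
    deny all;
    include fastcgi_params;
    # Set SCRIPT_FILENAME explicitly; PHP-FPM needs it and fastcgi_params may not define it
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
# Protect wp-admin (but allow AJAX if needed)
location ^~ /wp-admin/ {
    allow 203.0.113.45;
    allow 198.51.100.0/24;
    deny all;
    try_files $uri $uri/ /index.php?$args;
    # ^~ stops server-level regex locations (such as the usual \.php$ handler)
    # from matching, so PHP under /wp-admin/ is passed to PHP-FPM here instead
    # of being served as a static file. The allow/deny rules above are inherited.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}
# Allow admin-ajax.php (required by front-end features)
# An exact-match (=) location takes priority over the /wp-admin/ prefix block
location = /wp-admin/admin-ajax.php {
    allow all;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}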
4. HTTP Basic Authentication (NGINX)
Adds a password gate before WordPress even loads.
Create the password file:
- sudo apt install apache2-utils
- htpasswd -c /etc/nginx/.htpasswd adminuser
Then configure NGINX:
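# Protect wp-admin with basic auth
location ^~ /wp-admin/ {
    auth_basic "Restricted Admin";
    auth_basic_user_file /etc/nginx/.htpasswd;
    try_files $uri $uri/ /index.php?$args;
    # ^~ skips server-level regex locations, so the PHP handler is nested here;
    # it inherits the auth_basic settings above
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}
# Protect wp-login.php with basic auth
location = /wp-login.php {
    auth_basic "Restricted Login";
    auth_basic_user_file /etc/nginx/.htpasswd;
    include fastcgi_params;
    # Set SCRIPT_FILENAME explicitly; PHP-FPM needs it and fastcgi_params may not define it
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}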
Post-change checklist & troubleshooting
After implementing one or more methods, verify:
- You can still log in from all expected access points (home IP, remote, mobile)
- AJAX calls that your theme/plugins use aren’t broken. Test common features (comments, forms, etc.)
- REST API endpoints you need still work (for example, if you rely on mobile apps)
- WordPress cron, XML-RPC, etc. are configured correctly if needed, or blocked if not used
- Check error logs for 403, 404, or other access errors to identify unintended blocks
- Use tools to scan for exposed login paths
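One way to run the log check from the list above, as an added example that is not part of the original post: it counts 401/403/404 responses on endpoints that should stay reachable after the restrictions are applied. It assumes NGINX's default "combined" access log format; the function names, the list of public endpoints, and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot unintended blocks after restricting /wp-admin/.
# Assumes the default NGINX "combined" log format (path = field 7, status = field 9).

# Constructed sample log lines (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.45 - - [10/Oct/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403 153 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 401 179 "https://example.com/contact/" "Mozilla/5.0"
192.0.2.78 - - [10/Oct/2025:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 401 179 "-" "Mozilla/5.0"
192.0.2.80 - - [10/Oct/2025:10:00:05 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 403 153 "-" "MobileApp/1.0"
192.0.2.81 - - [10/Oct/2025:10:00:06 +0000] "GET /wp-admin/options.php HTTP/1.1" 403 153 "-" "curl/8.5.0"
192.0.2.77 - - [10/Oct/2025:10:00:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"
EOF
}

# Print "<count> <status> <path>" for denied requests to endpoints that
# visitors, plugins or apps still need. Reads log files given as arguments,
# or stdin when none are given. Blocks on /wp-login.php and the rest of
# /wp-admin/ are expected and therefore not reported.
unintended_blocks() {
    awk '
        { path = $7; sub(/\?.*/, "", path); status = $9 }
        status !~ /^(401|403|404)$/ { next }
        # Assumed list of endpoints that must stay public; adjust to your site.
        path == "/wp-admin/admin-ajax.php" ||
        path ~ /^\/wp-json\// ||
        path == "/wp-cron.php" { hits[status " " path]++ }
        END { for (k in hits) print hits[k], k }
    ' "$@" | sort -k1,1nr -k2,3
}

# Demo on the constructed sample; on a server, pass the real access log path.
sample_log | unintended_blocks
```

Any line this prints points at a rule that is catching traffic it should not, such as basic auth on /wp-admin/ also gating admin-ajax.php.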
Which method to choose
Here are recommendations depending on your situation:
Hiding known login paths buys time against automated attacks, but the real defense comes from layering protections at the server level.
Secure Your WordPress Admin with Ease
Protecting your WordPress login with NGINX rules is powerful, but it can be complex to maintain, especially if you have multiple admins or changing IPs.
That’s why the AIOS (All-In-One Security) plugin is the smarter choice. AIOS makes it simple to:
- Hide or rename your login URL in a few clicks
- Block brute force attacks automatically
- Enable two-factor authentication and CAPTCHA for stronger logins
- Manage IP restrictions and firewall rules without touching server configs
- Monitor and log suspicious activity from a single dashboard
Use AIOS for complete, user-friendly protection, and optionally layer NGINX hardening on top for maximum security.
Don’t just hide your login – secure it
Changing the login path is only the first step. AIOS combines URL hiding with complete WordPress security to keep attackers out for good.
Conclusion
Protecting and hiding the WordPress admin URL in an NGINX server is not just about obscurity. It’s about reducing risk, adding friction for attackers, and moving protection as close to the server boundary as possible. Whether you use IP whitelisting, basic auth, token gating, or plugins (or all of them), each layer makes your site harder to attack.
FAQs
Will hiding or changing the admin URL stop all attacks?
No. It reduces exposure but should be combined with strong passwords, up-to-date plugins/themes, limiting login attempts, WAF, SSL, etc.
What about REST API or AJAX endpoints – will restricting wp-admin break them?
Yes, potentially. Many themes/plugins use admin-ajax.php and REST API endpoints. You’ll need to allow those paths explicitly or test after config changes.
What happens if my IP changes when using IP whitelisting?
You might get locked out. Use a dynamic DNS, VPN, or fallback plan (e.g. basic auth, alternate secret path) to regain access.
Can I rely solely on a plugin to protect my login page?
Yes, especially if you use a robust plugin like AIOS (All-In-One Security). AIOS doesn’t just hide or rename the login URL; it also adds brute force protection, two-factor authentication, CAPTCHA, and firewall rules, giving you a strong all-in-one defense.
That said, server-level protections with NGINX (like IP whitelisting or HTTP Basic Auth) operate earlier in the request chain and can block bad actors before WordPress even loads. For the best security, many site owners use AIOS as the foundation and layer NGINX hardening on top.
About the author

Jelena Janić
Jelena is the Product Manager for UpdraftPlus and WP-Optimize. With seven years of experience, she’s taken on many roles – from tester to developer and now product manager. Along the way, she noticed a disconnect between how products are built and what customers need, sparking a passion for steering products toward solutions that truly serve the people who use them. Today, she ensures every WP-Optimize development decision is geared toward boosting WordPress website performance, enhancing usability, and increasing customer satisfaction.