How to hide and protect the WordPress admin URL on an NGINX server

By Jelena Janić. Category: Guides and resources. Topics: Security, WordPress.

If you’re running WordPress behind NGINX, you’ve probably considered how to protect the WordPress admin URL on your NGINX server. The default admin paths (/wp-admin/ and /wp-login.php) are well known and are constantly targeted by bots, brute-force attacks and automated scans. Leaving them exposed is like leaving the front door to your house wide open. In this post we’ll explain why hiding and protecting the admin URL matters, review common techniques, show concrete NGINX configs, cover trade-offs and the gaps many guides miss, and finish with FAQs and a recommendation for plugin-assisted protection.

  • The safest and most complete solution is using a security plugin like AIOS (All-In-One Security), which hides the login URL, adds brute force protection, two-factor authentication, CAPTCHA, and firewall rules, all in one package.
  • If you only need a lightweight option, WPS Hide Login lets you change the login path easily.
  • NGINX-level methods like IP whitelisting and HTTP Basic Auth provide strong server-side control and are excellent extra layers alongside plugins.
  • Some WordPress functionality (AJAX, REST API, mobile apps) may break if not configured carefully. Always test after applying restrictions.
  • Security is about layering protections: strong passwords, regular updates, plugin-based defenses, and server-level hardening together make the login page far harder to attack.

WordPress websites are under constant attack. Attackers know the standard admin paths, try login credentials, exploit login endpoints, or launch brute force attacks until something gets in. Beyond brute force, if the login page is public, it leaks information and invites automated scanning. As a website owner or developer, your aims are:

In this article you’ll learn multiple ways to protect the WordPress admin URL on an NGINX server, including rewrite techniques, IP whitelisting, basic auth, cookie- or token-based gating, and plugins. I’ll include examples, pitfalls, and things many how-tos miss (such as securing all access paths, preserving AJAX endpoints, and handling mobile/dev access).

Keep bots out of your WordPress login

Exposed admin pages are the easiest way in for brute force attacks. AIOS hides your login, adds two-factor authentication, and blocks repeated login attempts automatically.

Methods to protect the admin URL in WordPress with NGINX


Below are several techniques. You can combine some of them. Choose what fits your risk profile, team size, infrastructure.

Method: AIOS (All-In-One Security Plugin)
  • What it does: Comprehensive security plugin that hides the login URL, limits login attempts, adds 2FA, CAPTCHA, IP blocking, and firewall rules
  • Pros: All-in-one solution, easy setup, actively maintained, covers multiple attack vectors beyond the login URL
  • Cons / things to watch: Adds a plugin dependency; advanced features may require configuration

Method: WPS Hide Login Plugin
  • What it does: Changes /wp-login.php and /wp-admin/ to a custom path, blocking access to the default URLs
  • Pros: Lightweight, easy to configure, reduces brute force noise
  • Cons / things to watch: Only hides the login URL (no brute force protection or firewall); should be combined with other measures

Method: IP Whitelisting (NGINX)
  • What it does: Only allows specific IPs to access /wp-login.php and /wp-admin/
  • Pros: Extremely strong when IPs are static; minimal server load
  • Cons / things to watch: Risk of lockout if your IP changes (e.g. remote work, travel); requires care with AJAX/REST API

Method: HTTP Basic Authentication (NGINX)
  • What it does: Adds a server-level username/password prompt before reaching the WordPress login
  • Pros: Simple to set up; strong additional layer even if the login URL is known
  • Cons / things to watch: Adds friction for teams; extra credentials to manage; not ideal for large multi-user environments

Below are code examples you can adapt to protect the admin URL on an NGINX server.

1. AIOS (All-In-One Security Plugin)


AIOS includes a built-in option to rename and hide your login URL. You can enable this under:

WP Admin → AIOS → Brute Force → Rename Login Page → Enable Rename Login Page Feature

Once enabled, AIOS will replace /wp-login.php with a custom path you choose (e.g. /my-secure-login).

2. WPS Hide Login Plugin

WPS Hide Login has two simple inputs under Settings → WPS Hide Login, where you choose a custom login URL and a redirection URL (where requests to the default login paths are sent instead).

3. IP Whitelisting (NGINX)

Restrict access so only trusted IPs can reach /wp-login.php and /wp-admin/ (NGINX evaluates allow/deny rules in order, and the first match wins):

# Protect wp-login.php
location = /wp-login.php {
    allow 203.0.113.45;      # your static IP
    allow 198.51.100.0/24;   # optional IP range
    deny all;                # everyone else gets a 403
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;   # adjust to your PHP-FPM socket
}

# Protect wp-admin (but allow AJAX if needed).
# "^~" stops NGINX from checking regex locations (such as a global "\.php$" block),
# so PHP files under /wp-admin/ must be passed to PHP-FPM here, or NGINX would
# serve their source as static files.
location ^~ /wp-admin/ {
    allow 203.0.113.45;
    allow 198.51.100.0/24;
    deny all;
    try_files $uri $uri/ /index.php?$args;

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}

# Allow admin-ajax.php (required by front-end features); an exact match ("=")
# takes precedence over the "^~" block above
location = /wp-admin/admin-ajax.php {
    allow all;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}

4. HTTP Basic Authentication (NGINX)


Adds a password gate before WordPress even loads.

Create the password file (the -c flag creates the file and overwrites an existing one; omit it when adding further users):

  • sudo apt install apache2-utils
  • sudo htpasswd -c /etc/nginx/.htpasswd adminuser

Then configure NGINX:

# Protect wp-admin with basic auth
location ^~ /wp-admin/ {
    auth_basic "Restricted Admin";
    auth_basic_user_file /etc/nginx/.htpasswd;
    try_files $uri $uri/ /index.php?$args;
    # "^~" skips regex locations, so PHP under /wp-admin/ must be handled here
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}

location = /wp-admin/admin-ajax.php {
    auth_basic off;   # front-end features call this, so no password prompt here
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}

# Protect wp-login.php with basic auth
location = /wp-login.php {
    auth_basic "Restricted Login";
    auth_basic_user_file /etc/nginx/.htpasswd;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}

Post-change checklist & troubleshooting


After implementing one or more methods, verify:

  1. You can still log in from all expected access points (home IP, remote, mobile)
  2. AJAX calls that your theme/plugins use aren’t broken. Test common features (comments, forms, etc.)
  3. REST API endpoints you need still work (e.g. if you rely on mobile apps)
  4. WordPress cron, XML-RPC, etc. are configured correctly if needed, or blocked if not used
  5. Check the error logs for 403, 404, or other access errors to identify unintended blocks
  6. Use tools to scan for exposed login paths
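As an added example (not code from the original post), the following Python script applies checklist items 1 and 5 to an NGINX access log: it reads combined-format lines, treats the allow list from the IP whitelisting snippet above as trusted, and separates the expected denials of untrusted IPs from two problems worth acting on, a trusted IP being denied (a config error) and admin-ajax.php being blocked (broken front-end features). The log lines, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re
import ipaddress
from collections import Counter

# Trusted networks, mirroring the allow directives in the IP whitelisting snippet.
TRUSTED = [ipaddress.ip_network("203.0.113.45/32"), ipaddress.ip_network("198.51.100.0/24")]
GATED_PATHS = ("/wp-login.php", "/wp-admin/")
AJAX_PATH = "/wp-admin/admin-ajax.php"

# NGINX "combined" log format: ip - user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)

def analyse(lines):
    """Classify 401/403 responses on the gated paths. Returns (unexpected, denied,
    ajax_blocked): trusted IPs that were denied (check the allow list and location
    order), untrusted IP -> denied count (expected bot noise), admin-ajax.php denials."""
    unexpected, denied, ajax_blocked = [], Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, path, status = m["ip"], m["path"].split("?")[0], int(m["status"])
        if status not in (401, 403):
            continue
        if path == AJAX_PATH:
            ajax_blocked.append((ip, status))
        elif path.startswith(GATED_PATHS):
            if is_trusted(ip):
                unexpected.append((ip, path, status))
            else:
                denied[ip] += 1
    return unexpected, denied, ajax_blocked

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
203.0.113.45 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 403 153 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 403 153 "-" "python-requests/2.31"
192.0.2.10 - - [01/Jan/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 403 153 "-" "python-requests/2.31"
192.0.2.22 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 403 153 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    unexpected, denied, ajax_blocked = analyse(SAMPLE_LOG)
    print("check config:", unexpected, "\nexpected blocks:", dict(denied), "\nAJAX blocked:", ajax_blocked)
```

Run it against your real access log with `analyse(open("/var/log/nginx/access.log"))` after adjusting TRUSTED to your own allow list.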

Here are recommendations depending on your situation:

Scenario: Single-admin / stable IPs
  • Use this approach: Use AIOS to hide the login URL and add brute force protection. Complement with NGINX IP whitelisting or basic auth for maximum security.

Scenario: Team of admins from multiple locations
  • Use this approach: Use AIOS with features like 2FA and CAPTCHA. Avoid strict IP whitelisting (since IPs vary). Optionally add HTTP basic auth at the NGINX level.

Scenario: Clients who want minimal friction
  • Use this approach: Use WPS Hide Login (lightweight login URL change) or AIOS with just the login rename feature enabled. Combine with rate limiting if possible.

Scenario: High security needed / public facing sites
  • Use this approach: Use AIOS as the foundation (hidden login, brute force protection, 2FA, firewall). Add NGINX hardening (IP restrictions, basic auth) and consider a WAF (Web Application Firewall) for enterprise-grade protection.

Hiding known login paths buys time against automated attacks, but the real defense comes from layering protections at the server level.

Jelena Janić – Product Manager

Secure Your WordPress Admin with Ease


Protecting your WordPress login with NGINX rules is powerful, but it can be complex to maintain, especially if you have multiple admins or changing IPs.

That’s why the AIOS (All-In-One Security) plugin is the smarter choice. AIOS makes it simple to:

  • Hide or rename your login URL in a few clicks
  • Block brute force attacks automatically
  • Enable two-factor authentication and CAPTCHA for stronger logins
  • Manage IP restrictions and firewall rules without touching server configs
  • Monitor and log suspicious activity from a single dashboard

Use AIOS for complete, user-friendly protection, and optionally layer NGINX hardening on top for maximum security.

Don’t just hide your login – secure it

Changing the login path is only the first step. AIOS combines URL hiding with complete WordPress security to keep attackers out for good.

Protecting and hiding the WordPress admin URL in an NGINX server is not just about obscurity. It’s about reducing risk, adding friction for attackers, and moving protection as close to the server boundary as possible. Whether you use IP whitelisting, basic auth, token gating, or plugins (or all of them), each layer makes your site harder to attack.

Will hiding or changing the admin URL stop all attacks?

No. It reduces exposure but should be combined with strong passwords, up-to-date plugins/themes, limiting login attempts, WAF, SSL, etc.

What about REST API or AJAX endpoints – will restricting wp-admin break them?

Yes, potentially. Many themes/plugins use admin-ajax.php and REST API endpoints. You’ll need to allow those paths explicitly or test after config changes.

What happens if my IP changes when using IP whitelisting?

You might get locked out. Use a dynamic DNS, VPN, or fallback plan (e.g. basic auth, alternate secret path) to regain access.

Can I rely solely on a plugin to protect my login page?

Yes, especially if you use a robust plugin like AIOS (All-In-One Security). AIOS doesn’t just hide or rename the login URL; it also adds brute force protection, two-factor authentication, CAPTCHA, and firewall rules, giving you a strong all-in-one defense.

That said, server-level protections with NGINX (like IP whitelisting or HTTP Basic Auth) operate earlier in the request chain and can block bad actors before WordPress even loads. For the best security, many site owners use AIOS as the foundation and layer NGINX hardening on top.

About the author


Jelena Janić

Jelena is the Product Manager for UpdraftPlus and WP-Optimize. With seven years of experience, she’s taken on many roles – from tester to developer and now product manager. Along the way, she noticed a disconnect between how products are built and what customers need, sparking a passion for steering products toward solutions that truly serve the people who use them. Today, she ensures every WP-Optimize development decision is geared toward boosting WordPress website performance, enhancing usability, and increasing customer satisfaction.
