How to Secure Website Admin Page by Nginx Setting Using VPN

I have a VPS hosting this WordPress blog and recently launched a Django application on another server. When I check the nginx logs I find a lot of malicious requests from a vast variety of sources all over the globe, and they all go to the /wp-login.php page, which is where the admin panel resides. There are a number of WordPress plugins out there to prevent unauthorized people from logging into the admin panel. They are great but just don’t provide the level of security I want, so I turned to looking for ways of setting up nginx to block undesired traffic. My idea is to set up a VPN server on a VPS and tell nginx to only allow requests to the admin page from that VPN server.

The VPN solution I’m using is Shadowsocks, which is an open-source lightweight SOCKS5 proxy. It is easy to set up and use, and it runs fast. Unfortunately the original repo has been emptied by the author clowwindy, but there are some backup repos.

Then add a block like the one below to the nginx virtual host config file, usually under /etc/nginx/sites-available/:
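
An added example of such a block (not the author's original config), covering both the WordPress login page and the Django /admin case mentioned later. The address 203.0.113.10 is a placeholder for the VPN server's public IP, and the PHP-FPM socket path and Django upstream address are assumptions to adapt to your setup:

```nginx
# --- Inside the WordPress site's server { } block ---
# 203.0.113.10 is a placeholder for the VPN server's public IP.
# allow/deny match the source address of the connection, so that IP
# must be static for the rule to keep working.

# Exact-match location: it takes precedence over a generic
# "location ~ \.php$" block, so it has to hand the request to PHP itself.
# Without the fastcgi lines, an allowed client would receive the file's
# source instead of the login page.
location = /wp-login.php {
    allow 203.0.113.10;   # requests leaving the VPN server
    deny  all;            # everyone else gets 403 Forbidden

    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass  unix:/run/php/php-fpm.sock;   # assumed socket path
}

# --- Inside the Django site's server { } block ---
location /admin/ {
    allow 203.0.113.10;
    deny  all;

    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:8000;   # assumed app server address
}
```

Check the syntax with `nginx -t` before reloading nginx, then confirm that a request to the login page from a non-VPN address returns 403.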

 

Then every time I want to post a new blog entry, I can connect to that VPN server using a Shadowsocks client and log in from there; otherwise I will get a 403 Forbidden error. There are different Shadowsocks clients for different platforms like iOS, macOS, Android and Linux. I think this same idea applies to a Django application at /admin, too.
