PHP downloads instead of being served

Discussion in 'ISPConfig 3 Priority Support' started by molahs, Apr 26, 2021.

  1. molahs

    molahs Member HowtoForge Supporter

    I made some changes in Options tab, nginx Directives, to restrict access to wordpress wp-login.php as follows
    location / {
    try_files $uri $uri/ /index.php?$args;
    location ~ ^/wp-login.php {
    allow 1.2.4.5;
    allow 11.22.33.44;
    deny all;
    access_log off;
    log_not_found off;
    }
    }​
    When i visit the ..../wp-admin/ page, the wp-login.php file downloads instead of being executed.

    I also tried using this in ths nginx Directives
    location ~ ^/(wp-admin|wp-login.php) {​
    try_files $uri $uri/ /index.php?$args;
    index index.php;
    allow 1.2.4.5;
    allow 11.22.33.44;
    deny all;
    }
    which works for blocking access to /wp-admin/, but if someone enters ..../wp-login.php they still see the login screen.

    The reason for the IP lock is that some of the sites I host are constantly being attacked and I want to reduce the attack surface. I have other protection like wordfence etc.

    But would love to be able to block certain sections of the site using ip addresses
    Thanks in advance
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You should allow access to wp-ajax.php, most plugins and themes will break with that blocked.
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I don't use NGINX, but I think you would have to add some fastcgi variables for this block.
    I think it would be better to use a WordPress plugin to restrict access to certain IP's, I think WordFence has such a option: https://www.wordfence.com/help/firewall/options/
    (and if not, there will be plenty plugins that do)
     
  4. molahs

    molahs Member HowtoForge Supporter

    I am just restricting access to the login page, not the whole site, so this should work exactly like I plan to, as soon as I can figure out why the php downloads and not execute
     
  5. molahs

    molahs Member HowtoForge Supporter

    Problem is that I have many websites and wordfence is cost prohibitive. I can block access to /wp-admin/ without a problem, but these automated systems access wp-login.php directly.
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    https://wordpress.org/plugins/secure-admin-ip/
     
  7. molahs

    molahs Member HowtoForge Supporter

Share This Page