Block xmlrpc.php and wp-login.php via NGINX
You can block xmlrpc.php and wp-login.php via NGINX with the configurations below. What's good about this approach is that it stops brute-force attempts at the NGINX level, before any PHP or MySQL resources are used.
xmlrpc.php for NGINX
location = /xmlrpc.php {
    deny all;
}
To let Jetpack's IP addresses through, adjust the block so those ranges are allowed before the final deny:
location = /xmlrpc.php {
    allow 192.0.64.0/18;
    allow 64.34.206.0/24;
    allow 198.181.116.0/22;
    allow 66.155.105.128/26;
    allow 69.90.253.0/24;
    allow 76.74.248.128/25;
    allow 76.74.255.0/25;
    allow 2001:1978:1e00:3::/64;
    allow 2620:115:c000::/40;
    deny all;
}
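NGINX's access module checks allow/deny rules in the order written and stops at the first match, so a "deny all" placed above the allow lines would silently shadow every one of them. The following added example (not part of the original post, and not NGINX's own code) reproduces that first-match evaluation in Python over the Jetpack ranges listed above, so you can confirm which client addresses the block will admit before deploying it; the sample client addresses are constructed test values.

```python
import ipaddress

# The xmlrpc.php rules exactly as ordered in the NGINX block above:
# Jetpack's allow ranges first, then the closing "deny all".
XMLRPC_RULES = [
    ("allow", "192.0.64.0/18"),
    ("allow", "64.34.206.0/24"),
    ("allow", "198.181.116.0/22"),
    ("allow", "66.155.105.128/26"),
    ("allow", "69.90.253.0/24"),
    ("allow", "76.74.248.128/25"),
    ("allow", "76.74.255.0/25"),
    ("allow", "2001:1978:1e00:3::/64"),
    ("allow", "2620:115:c000::/40"),
    ("deny", "all"),
]


def evaluate(rules, client_ip):
    """Return 'allow' or 'deny' for client_ip using first-match semantics,
    mirroring how ngx_http_access_module walks allow/deny directives."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action
        net = ipaddress.ip_network(target, strict=False)
        # A v4 address never matches a v6 range and vice versa.
        if ip.version == net.version and ip in net:
            return action
    # NGINX allows the request when no rule matches at all.
    return "allow"


def shadowed_rules(rules):
    """Return the rules that can never fire because an unconditional
    'allow all' or 'deny all' appears before them (a common ordering mistake)."""
    for i, (_, target) in enumerate(rules):
        if target == "all":
            return rules[i + 1:]
    return []


if __name__ == "__main__":
    # Constructed sample clients: one inside a Jetpack range, one outside.
    for client in ("192.0.100.7", "203.0.113.9", "2620:115:c000::1"):
        print(client, "->", evaluate(XMLRPC_RULES, client))
    misordered = [("deny", "all")] + XMLRPC_RULES[:-1]
    print("shadowed allow lines:", len(shadowed_rules(misordered)))
```

Run it against your own list whenever you add or reorder allow lines; an allow range that shows up in shadowed_rules() is dead configuration.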
wp-login.php for NGINX
You will want to allow at least one IP address (such as your own) for backend access; otherwise nobody can reach the login page.
location ~ \.php$ {
    # Nested location: only wp-login.php gets the allow/deny list.
    # The regex escapes the dot so it matches a literal ".php".
    location ~ /wp-login\.php$ {
        allow 1.2.3.4;
        deny all;
        include fastcgi.conf;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/var/run/appname.sock;
    }
    # Every other PHP request is passed to PHP-FPM unrestricted.
    include fastcgi.conf;
    fastcgi_intercept_errors on;
    fastcgi_pass unix:/var/run/appname.sock;
}
The wp-login.php rule above is working on a RunCloud instance. RunCloud names the PHP-FPM socket after the app (unix:/var/run/appname.sock); on another web host, change fastcgi_pass to whatever socket or address your PHP-FPM listens on.
If you want to allow more IP addresses, just add additional allow lines above the deny.
After checking the syntax with nginx -t and reloading NGINX, test the new config by tailing the error log…
tail -f /home/<user>/logs/nginx/webapp_error.log
Visit xmlrpc.php and wp-login.php from an IP address that is not allowed; you should get a 403 error, and a matching "access forbidden by rule" line should appear in the error log.
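Once the rules are live, the error log is where you verify they keep firing. The following added example (my own code, not from the original post) parses the "access forbidden by rule" lines that NGINX's access module writes when a deny matches, and counts hits per client and path while ignoring unrelated errors. The log lines embedded here are constructed samples in that format, not real traffic.

```python
import re
from collections import Counter

# Constructed sample of NGINX error-log lines: three deny-rule hits and one
# unrelated upstream error that the parser must skip.
SAMPLE_ERROR_LOG = """\
2024/05/01 10:00:01 [error] 1234#1234: *11 access forbidden by rule, client: 203.0.113.5, server: example.com, request: "POST /xmlrpc.php HTTP/1.1", host: "example.com"
2024/05/01 10:00:02 [error] 1234#1234: *12 access forbidden by rule, client: 203.0.113.5, server: example.com, request: "POST /wp-login.php HTTP/1.1", host: "example.com"
2024/05/01 10:00:03 [error] 1234#1234: *13 access forbidden by rule, client: 198.51.100.77, server: example.com, request: "GET /wp-login.php HTTP/1.1", host: "example.com"
2024/05/01 10:00:04 [crit] 1234#1234: *14 connect() to unix:/var/run/appname.sock failed (2: No such file or directory) while connecting to upstream, client: 192.0.2.10, server: example.com, request: "GET /index.php HTTP/1.1"
"""

# Matches the message ngx_http_access_module logs when a deny rule fires,
# capturing the client address (v4 or v6) and the requested method and path.
FORBIDDEN_RE = re.compile(
    r'access forbidden by rule, client: (?P<client>[0-9a-fA-F.:]+), '
    r'.*?request: "(?P<method>[A-Z]+) (?P<path>\S+)'
)


def summarize_blocked(log_text):
    """Count deny-rule hits keyed by (client, path); other error lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.search(line)
        if m:
            counts[(m.group("client"), m.group("path"))] += 1
    return counts


def top_clients(log_text, limit=5):
    """Clients with the most blocked requests, regardless of path."""
    per_client = Counter()
    for (client, _path), n in summarize_blocked(log_text).items():
        per_client[client] += n
    return per_client.most_common(limit)


if __name__ == "__main__":
    for (client, path), n in sorted(summarize_blocked(SAMPLE_ERROR_LOG).items()):
        print(f"{client:16} {path:16} {n}")
    print("top clients:", top_clients(SAMPLE_ERROR_LOG))
```

To run it on a live server, replace SAMPLE_ERROR_LOG with the contents of the log path shown above; a client that appears for both xmlrpc.php and wp-login.php in quick succession is the pattern the rules were written to absorb.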