How to enable IP access restrictions on wp-admin for the WordPress on App Service offering

The below guide walks through configuring IP access restrictions on wp-admin for the WordPress on App Service offering.

1. Using the SSH console, copy /etc/nginx/conf.d/default.conf to /home/dev/default.conf

The SSH console can be accessed from here: WEBAPP-NAME.scm.azurewebsites.net/webssh/host

cp /etc/nginx/conf.d/default.conf /home/dev/default.conf

2. Edit /home/dev/default.conf to use the X-Forwarder-For header and add a location block for wp-login.php

You can edit the file using the Kudu newui file manager which can be accessed from here: WEBAPP-NAME.scm.azurewebsites.net/newui/fileManager#

set_real_ip_from 0.0.0.0/0;
real_ip_header X-Forwarded-For;

location ~* wp-login\.php {
            allow <YOUR-IP>;
            deny all;
            
            #Copied from the existing PHP location block
            include fastcgi.conf;
            include fastcgi_params;
            fastcgi_intercept_errors on;
            fastcgi_pass php;

            fastcgi_read_timeout 300;
            fastcgi_cache_bypass $skip_cache;
            fastcgi_no_cache $skip_cache;
            fastcgi_cache off;
            fastcgi_cache_valid 60m;     
}

3. Update /home/dev/startup.sh with the below snippet

#!/bin/sh
	
cp /home/dev/default.conf /etc/nginx/conf.d/default.conf 
	
/usr/sbin/nginx -s reload

4. Point to /home/dev/startup.sh in the App Service portal under configuration –> general settings. Saving the changes will restart the App Service.

5. Test the access using different devices to ensure the IP access restrictions are applied.

Articles of Note:

• Create a WordPress site
• WordPress Best Practices for Security
• WordPress Best Practices for Performance