Testing my security WP nginx config - please feedback

I would like to know if anyone sees a problem with my setup.

I host the sites on a VPS with the latest version of nginx and PHP7-FPM. I have iptables blocking all incoming TCP ports except for 80 and 443. The nginx virtualhosts I have configured so that only index.php can be accessed over the web; all other PHP files return a 444 error. I have an open_basedir restriction with file upload disabled.

The sites listen on ports 80, 443 and a hidden port that is firewalled and only open to me. In wp-config I have enabled Force administration over SSL. wp-admin and all other PHP files can only be accessed over this hidden port. I'm using a rewrite like this:

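server {
    listen 443 ssl http2 .....
    location ~ /wp-admin {
        # anyone but my IP: close the connection without a response
        if ($remote_addr != my.ip.xxx.xx) { return 444; }
        # my IP: send the request on to the hidden-port vhost
        rewrite ^ https://www.my.site:4xxxx$request_uri;
    }
    ....
server {
    listen 4xxxx ssl http2 ...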

I just started testing this and it seems to work fine. The only problem encountered with the setup is that I can't log in via wp-login.php; I have to use my own login form. My error logs are clean, no more scanners since 444 closes the connection without returning an error.

Is this good security practice?

Well, looks like an excessive security practice even in my book.
Do you really need to block even the native wp-login.php?
Or is it just an experiment?
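
The setup described in the first post, written out as a complete pair of server blocks. This is an added example, not the poster's configuration; the hostname, admin IP (203.0.113.10), port 8443, document root, PHP-FPM socket path and TLS certificates set at http level are all assumptions.

```nginx
# Added example, not the poster's config. Assumed placeholders: example.com,
# admin IP 203.0.113.10, admin port 8443, docroot, PHP-FPM socket path;
# ssl_certificate/ssl_certificate_key are assumed to be set in http{}.

# Public vhost: PHP-FPM only ever sees /index.php.
server {
    listen 443 ssl http2;
    server_name example.com;
    root /var/www/example.com;

    location / { try_files $uri $uri/ /index.php?$args; }

    # Exact match is chosen before any regex location is tried.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # "^~" prefix instead of the regex "~ /wp-admin", which would also match
    # e.g. /blog/about-wp-admin. Caveat: this also hides admin-ajax.php, which
    # some themes and plugins call from the public front end.
    location ^~ /wp-admin {
        if ($remote_addr != 203.0.113.10) { return 444; }
        return 301 https://example.com:8443$request_uri;
    }

    # All other PHP, wp-login.php and xmlrpc.php included: close silently.
    location ~ \.php$ { return 444; }
}

# Admin vhost on the firewalled port. allow/deny repeats the IP check in
# nginx so a flushed iptables rule does not expose wp-admin.
server {
    listen 8443 ssl http2;
    server_name example.com;
    root /var/www/example.com;
    index index.php;
    allow 203.0.113.10;
    deny all;

    location / { try_files $uri $uri/ /index.php?$args; }

    location ~ \.php$ {
        try_files $uri =404;   # never pass a non-existent script to PHP-FPM
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Running `nginx -t` after editing catches syntax errors before a reload.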
