I’m pretty sure every WordPress user out there has read much about different ways to limit access to the WordPress administration back-end (WP-Admin), and many of them are certainly good. My way is quite simple, although it most likely has a couple of penalties and some pitfalls I’m not yet aware of, but I can live with it.
My procedure for locking down the WP-Admin area consists of running Nginx on a dedicated port (whichever port you prefer) bound to an internal/private/local IP address (e.g. 127.0.0.1, 192.168.0.1, et cetera), configured with PHP-FPM, coupled with Apache2 as the front-end (with mod_proxy enabled) to serve and process all requests to the WordPress administrative back-end. The requests are proxied to the Nginx instance via Apache. This configuration effectively translates to the following: I only keep Nginx running whenever I access the administration back-end of WordPress (WP-Admin), and when I’m done, I simply shut down Nginx. Simple. The end result is that nobody will be able to access the WP-Admin area if Nginx isn’t running.
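The setup depends on Nginx listening only on an internal address, and on nothing listening on that port once Nginx is stopped. The following check is an added example, not part of the original post: it classifies the backend port from `ss -ltn` output. Port 8081 and the function names are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# ADMIN_PORT is an assumed value; use the port your Nginx instance listens on.
ADMIN_PORT="${ADMIN_PORT:-8081}"

# Return 0 if the address is loopback or RFC 1918 private, 1 otherwise.
is_internal_addr() {
    case "$1" in
        127.*|10.*|192.168.*|'[::1]') return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ss -ltn` output on stdin and print one of:
#   closed    no listener on the port (Apache answers WP-Admin with 503)
#   internal  listener bound only to loopback/private addresses
#   exposed   listener bound to a wildcard or public address
admin_listener_state() {
    port="$1"
    state=closed
    # Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
    while read -r _st _rq _sq laddr _rest; do
        # The header line and other ports fail this comparison and are skipped.
        [ "${laddr##*:}" = "$port" ] || continue
        if is_internal_addr "${laddr%:*}"; then
            [ "$state" = exposed ] || state=internal
        else
            state=exposed
        fi
    done
    echo "$state"
}

# Constructed samples of `ss -ltn` lines (not captured from a real host).
SAMPLE_INTERNAL='LISTEN 0 511 127.0.0.1:8081 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 511 0.0.0.0:8081 0.0.0.0:*'

# Live check on the server: sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -ltn | admin_listener_state "$ADMIN_PORT"
fi
```

An `exposed` result means the back-end can be reached without going through Apache while Nginx is running, so the `listen` address in the Nginx configuration should be corrected before relying on this setup.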
The only issue I have run into so far is that static resources are not being served properly, but that should be an easy fix. I’m looking into it.
Try accessing the WP-Admin area of k0nsl.org and see the result:
Everything in “/blog/wp-admin” results in a 503 ‘Service Temporarily Unavailable’ (check the headers with “curl -I https://k0nsl.org/wp-admin”) because Nginx is shut down. It certainly is a simple solution, but it works.
The configuration above, coupled with various other tweaks (such as the CloudFlare-Country-Login), makes WordPress a bit more secure to use.
1. WordPress: Blog Tool, Publishing Platform, and CMS -> http://wordpress.org/
2. Nginx: The High Performance Reverse Proxy, Load Balancer, Edge Cache, Origin Server -> http://nginx.com/products/
3. Apache Module mod_proxy -> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
4. WordPress: CloudFlare-Country-Login -> https://k0nsl.org/blog/wordpress-cloudflare-country-login/