Wordpress wp-login.php and other admin files are getting downloaded instead of opening. How to solve this?

May 20, 2015 14.3k views
Security Ubuntu Nginx WordPress

I am using this rule in nginx config present in /etc/nginx/sites-available/wordpress.

location ~ '(/wp-login.php|/wp-admin)' { if ($http_cookie !~ 'cookiename') { return 404; } }

This works and shows 404 when cookie is not present but problem comes when cookie exists and thereafter a dialog box opens to ask where to save wp-login.php and wp-admin files.

How to solve this ?
Any help is appreciated.

5 Answers

Sounds like you have no php installed

sudo apt-get install php5-mysql mysql-server

And this

“`sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt


On Nginx, when you create a location block for PHP you have to copy the fastcgi block too. So it should look like:

location ~ '(/wp-login.php|/wp-admin)' {
    if ($http_cookie !~ 'cookiename') { return 404; }
    include fastcgi.conf;
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php5-fpm.sock;

Also it isn’t a good idea to block /wp-admin as the AJAX handler admin-ajax.php file exists in this directory.

  • Hey @jesin , I did nginx -t before changing. I received

    nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
    2015/05/22 11:47:56 [warn] 24811#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
    2015/05/22 11:47:56 [emerg] 24811#0: open() "/etc/nginx/fastcgi.conf" failed (2: No such file or directory) in /etc/nginx/sites-enabled/wordpress:46
    nginx: configuration file /etc/nginx/nginx.conf test failed

    And restarted nginx after changing, problems seems to have gone but other files like css, js, dashicons are not opening.
    Screenshot: http://i.imgur.com/tFDV3d4.png

  • @jesin , sorted the problem. The line
    location ~ /wp-includes { internal; }
    code was causing problem. Thanks for your help.

    Do you know does wordpress processes urls? I mean how does they end with .php as I have seen all wordpress nginx configs contain this line

    location ~ \.php$ {
  • @gts13 Glad you got it working!

    The following line does the trick:

    try_files $uri $uri/ /index.php?q=$uri&$args;

    So if http://example.com/hello-world is accessed, Nginx will check:

    • if a file named “hello-world” exists, $uri
    • if it doesn’t it will check if a directory named “hello-world” exists, $uri/
    • if that too doesn’t exist, it will process the request via /index.php

    Now the request will match location ~ \.php$ { which will pass it to the PHP-FPM socket file - unix:/var/run/php5-fpm.sock

    This is how permalinks work.

@jesin, you explained it clearly.

I have a doubt that why location ~ \.php$ { is unable to match wp-login.php?

  • @gts13 because another location matches it location ~* '(/wp-admin|/xmlrpc.php|wp-.*.php|/feed/|/rss/)' {

Have another answer? Share your knowledge.