Block xmlrpc.php and wp-login.php via NGINX

You can block xmlrpc.php and wp-login.php via NGINX with the following configs

xmlrpc.php for NGINX

location = /xmlrpc.php {
deny all;
}

To allow JetPacks IP addresses through adjust the config to allow certain IPs

location = /xmlrpc.php {
allow 192.0.64.0/18;
allow 64.34.206.0/24;
allow 198.181.116.0/22;
allow 66.155.105.128/26;
allow 69.90.253.0/24;
allow 76.74.248.128/25;
allow 76.74.255.0/25;
allow 2001:1978:1e00:3::/64;
allow 2620:115:c000::/40;
deny all;
}

wp-login.php for NGINX

You would want to allow at least 1 IP address for backend access…

location = /wp-login.php {
allow 1.2.3.4;
deny all;
}

If you wanted more IP addresses just add additional allow lines.

Test your new config by tailing the error log…

tail -f /home/<user>/logs/nginx/webapp_error.log

Visit the xmlrpc.php and wp-login.php via IP addresses not allowed to see a 403 error.