I've seen a lot of bruce force attacks on Wordpress, so I want to limit access to wp-login.php. It's the latest Wordpress on a Ubuntu 16.04LTS Nginx server with PHP-FPM.
I've tried the advice from the Wordpress Codex:
location /wp-admin {
allow x.x.x.x;
deny all;
}
But that doesn't seem to work. It only blocks /wp-admin, but allows /wp-admin/index.php