I found a site that posted a blog about this exact scenario and it also protects wp-login.php too so I copied their code,
location ~ ^/blog/(wp-admin|wp-login\.php) {
allow 111.111.111.111;
deny all;
}
This code ALSO triggers a download when the authorized IP connects to wp-admin. Seriously confused why it's doing this.
location ~ ^/blog/(wp-admin|wp-login\.php) {
allow 111.111.111.111;
deny all;
}
This code ALSO triggers a download when the authorized IP connects to wp-admin. Seriously confused why it's doing this.