diff --git a/infra/ansible/roles/nginx/templates/pw-security.conf.j2 b/infra/ansible/roles/nginx/templates/pw-security.conf.j2
index aad67e7..0842754 100644
--- a/infra/ansible/roles/nginx/templates/pw-security.conf.j2
+++ b/infra/ansible/roles/nginx/templates/pw-security.conf.j2
@@ -36,7 +36,11 @@ location ~* /(phpmyadmin|pma|myadmin|mysql|adminer) {
 return 444;
 }
-location ~* /(admin|administrator|login\.action|struts) {
+# Block common attack-scanner paths. NOTE: do NOT include a bare "admin" here —
+# our own operations dashboard lives at /admin and /admin/compliance-orders.
+# "administrator" (Joomla), "login.action"/"struts" remain blocked and do not
+# match our /admin path.
+location ~* /(administrator|login\.action|struts) {
 return 444;
 }
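Review bot: Dropping `admin` from the pattern means requests for `/admin` and `/admin/compliance-orders` no longer get 444 from this location, and nothing in this hunk shows an access control taking over for that path. If the operations dashboard is not meant to be reachable by every client of this server block, confirm that a dedicated location restricts it, for example `location ^~ /admin { allow <OPS_CIDR_PLACEHOLDER>; deny all; }` ahead of the existing proxy settings, or that authentication is enforced upstream. The new comment should state which of the two applies. Separately, the regex is unanchored and case-insensitive, so it matches any URI containing `/administrator`. A later dashboard route such as `/admin/administrators` would be dropped silently. Ending the group with `(/|$)` would limit it to whole path segments.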