Secure your WordPress login with Cloudflare Firewall

If you are running a WordPress website with no guest login and are using Cloudflare to protect and serve your website, you should make use of all security features that Cloudflare provides you with under your plan. One of these features is the ability to add a firewall rule to protect certain areas of your website. On my website I am the only author, therefore, I can protect my login and admin pages by locking down to the ip of the location that I use to access the admin pages.

In this post I am going to show you how you can configure Cloudflare Firewall rule to lockdown access to the login and admin pages to say your home ip address.

I am assuming you are already serving your website from Cloudflare like I am. Cloudflare gives you the ability to add 5 firewall rules in the basic plan.

The firewall rules we are going to add will lock down access to wp-login and wp-admin by source IP. You can find the IP of your computer by visiting this page. http://www.whatsmyip.org/

Steps

Login to your Cloudflare account and navigate to the ‘Firewall’ page on the dashboard.  In the image below you can see my two rules are already in place.

Firewall Page on Cloudflare dashboard
Firewall Page on Cloudflare dashboard

Click on the ‘Create a Firewall rule’ button and add the rule as shown in the next image.

Rule
Rule

Give the rule a name. My rule is named ‘Login’

  • Set the field to ‘IP Address’.
  • Operator to ‘does not equal’ and value to your IP address.
  • Click on ‘And’ and set ‘URI Path’ as the next field
  • Operator as ‘contains’ and the value as ‘/wp-login’.
  • Set ‘Choose an action’ to ‘Block’.
  • Save the rule.

Set the second rule in the exact same way but set the URI Path to /wp-admin and save it.

With these rules in place, only you can access your WordPress Login and Admin pages from the IP location that you specified. Everyone else will be blocked. If you have any guest login, then you may have to temporarily add more rules to allow them to login otherwise they will be blocked. For blogs with a single login or a few this is a good security measure to have in place.

On the same ‘Firewall’ page on Cloudflare dashboard, if you scroll to the bottom of the page you will see if the rule ever triggers and blocks any unauthorized login attempts. Click the ‘Details’ button and you can see the blocked login attempt as shown in this image below.

Blocked access
Blocked access

Conclusion

With these rules in place, I know my WordPress website login and admin pages are being protected by Cloudflare.

Further reading

Photo Credit

unsplash-logoViktor Forgacs

Leave a Reply