Protecting the WordPress Admin Login with Cloudflare

Content Error or Suggest an Edit

Notice a grammatical error or technical inaccuracy? Let us know; we will give you credit!

Attention – Always Test!

Ensure you test your Cloudflare rules after implementation, as they can block some services such as backups, monitoring and management services. Also, make sure to use a VPN to test country blocks.

Protecting the WordPress Login

Typical WordPress Login Attacks

The WordPress login page is the most popular attack vector for hackers and malware. The brute force login attack is typically what is utilized. In the following article, more innovative attacks target specific usernames after enumerating your users via one of many user enumeration methods.

WordPress Login Attacks Spike Resource Usage

If you have a super secure 32-character password, brute force will be pretty much a useless endeavour for hackers or malware. However, it does cost you resources, each request is considered a dynamic request that will utilize your website’s server resources. Effectively causing a DoS attack if you have a popular site with lots of traffic. This could turn into a DDoS attack and start taking away a good chunk of your server resources, which isn’t good if you run an eCommerce site or are on shared hosting. The server resources should be put towards legitimate visitors and requests.

Hardening WordPress with Additional Security

Cloudflare provides a method to stop automated attacks from hackers or malware. It won’t, however, harden or secure WordPress from targeted attacks or leaking information that could help hackers or malware with a successful compromise of your WordPress site.

It’s always suggested to harden your WordPress instance, this is a topic for another blog post.

Cloudflare WAF Rules for Protecting your WordPress Admin Login

Method #1 – Managed Challenge

The following method will set up what is called a “Managed Challenge” on all links under “/wp-admin” except for “/wp-admin/admin-ajax.php” which is used by some plugins for users browsing the site that are not logged in.

This is my preferred method, as it will block a majority of automated attacks while also allowing yourself and others to gain access to the WordPress admin.

Here is what the rule looks like; you can re-create this rule in your own Cloudflare account.

If you want to save some time, you can click on “Edit Expression” and copy and paste the following code.

(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php")

Lastly, you want to set “Then..” to “Managed Challenge (Recommended)”

Viola, you’re now blocking login attempts to your /wp-admin with a managed challenge that needs to be solved and will block most automated attacks.

Method #2 – Whitelist IP

You can block all requests to /wp-admin and whitelist your IP address. GridPane has a great article on this.

Method #3 – Query String

You can also set a specific query string to the end of your WordPress login URL; GridPane has a great article on this.


Once you have your rules in place, you can test them to ensure they’re effective.


Any method you choose above will work; just ensure you always test!


You May Also Like
Read More

How to Silence Netdata Alarms

Understanding Netdata Alarms Before silencing an alarm, it’s crucial to understand how Netdata alarms work. Netdata provides a…