Keeping your WordPress site secure is crucial. A common target for attackers is the login page, specifically /wp-login.php. Fortunately, with Cloudflare, you can add an extra layer of security to lock down the WordPress login page.
This article explores how to create a web rule inside Cloudflare to lock down your WordPress login.
What You Will Need
Before proceeding with this guide, ensure you have the following:
- Domain managed inside Cloudflare: For Cloudflare lockdown to work, your domain’s name servers must be pointing to Cloudflare.
- Admin IP List: Make a note of the IP addresses allowed to access the login page (usually yours or your office IPs).
Tutorial: How to Lockdown Your WordPress Login with Cloudflare
Watch the video tutorial on how to protect your WordPress Login with Cloudflare.
Steps on How to Lockdown WordPress Login Cloudflare
Follow the steps below to block your WordPress login page (/wp-login.php).
Access the Website inside Cloudflare
- Log in to your Cloudflare Dashboard: Visit Cloudflare and sign in to your account.
- Select Your Website: From the Website view, select the site whose login page you want to protect.
Create the Firewall Rule
- Navigate to Firewall Settings: Go to the “Security” section in the Cloudflare website settings.
- Proceed to WAF: Under the security dropdown, select “WAF (Web Application Firewall).”
- Select Firewall Rule Template: Within the WAF settings, find the Rules Templates section and select the Zone lockdown template.
Define the WordPress Login Lockdown Cloudflare Rule
Now, you will set up a rule to block anyone who isn’t on your allowed IP list from reaching your login page. Here is how you can define the web rule.
- Rule Name: Rename the rule template with a descriptive name.
- Allowed IP Address: Next, specify which IP addresses can access the login page. Here, we reference a list of allowed IPs named “admin_ip.” We will look at this list later. In effect, this rule blocks any IP address that isn’t on your “admin_ip” list.
- URI Path for Login Page: In the “URI path” field, enter /wp-login.php. This targets the specific path of your WordPress login page. We tell the rule to only block access to the login page (/wp-login.php) for visitors not on your allowed list.
- Action: From the “Action” dropdown menu, choose “Block.” This action denies access to the login page for unauthorized IP addresses. You can also choose other actions such as Managed Challenge, JS Challenge, Interactive Challenge, etc.
- Deployment: Click the Deploy button to implement the web rule.
Caution
Avoid blocking /wp-admin: Don’t restrict access to the /wp-admin folder when setting up IP restrictions. This path holds important files that your site needs to work properly.
Allowed IP Addresses List
In previous steps, we mentioned an “admin_ip” list. This is where you add the IP addresses you want to allow access to the login page.
You can create lists such as allowed IPs inside Cloudflare and use them for different security settings. To access this feature:
- Go to your website Cloudflare settings.
- Via the sidebar menu, go to Manage Account.
- Under the Manage Account submenu, proceed to Configurations.
- In the “Configurations” area, you can create or edit your custom IP address lists.
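The rule and list described above can be modelled offline to check, before deploying, that none of the addresses you log in from would be blocked. This is an added example, not code from the original article or from Cloudflare; the expression string is an assumed Rules-language equivalent of the rule, and the list entries are constructed documentation addresses.

```python
import ipaddress
from urllib.parse import urlsplit

LOGIN_PATH = "/wp-login.php"
# Constructed sample entries (documentation ranges) standing in for the admin_ip list.
ADMIN_IP = ["203.0.113.10", "198.51.100.0/24", "2001:db8:abcd::/48"]


def rule_expression(path=LOGIN_PATH, list_name="admin_ip"):
    """Assumed Rules-language form of the rule: login path AND source IP not in list."""
    return f'(http.request.uri.path eq "{path}" and not ip.src in ${list_name})'


def parse_list(entries):
    """Turn list entries (single addresses or CIDR ranges) into network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def decide(client_ip, target, networks, login_path=LOGIN_PATH):
    """Return 'block' or 'allow' for one request, mirroring the rule's two conditions."""
    # The path condition ignores the query string, so ?action=... is still covered.
    if urlsplit(target).path != login_path:
        return "allow"
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr.version == net.version and addr in net for net in networks)
    return "allow" if listed else "block"


def locked_out(my_ips, networks):
    """IPs you expect to log in from that the rule would block (fix before deploying)."""
    return [ip for ip in my_ips if decide(ip, LOGIN_PATH, networks) == "block"]


if __name__ == "__main__":
    nets = parse_list(ADMIN_IP)
    print(rule_expression())
    # Constructed requests: (client IP, request target)
    for ip, target in [
        ("203.0.113.10", "/wp-login.php"),
        ("198.51.100.77", "/wp-login.php?action=lostpassword"),
        ("192.0.2.55", "/wp-login.php"),
        ("192.0.2.55", "/"),
        ("2001:db8:abcd:1::5", "/wp-login.php"),
    ]:
        print(f"{ip:20} {target:36} {decide(ip, target, nets)}")
    print("would be locked out:", locked_out(["203.0.113.10", "192.0.2.55"], nets))
```

Replace the sample entries with your own list and pass every address you log in from to `locked_out`; an empty result means the allow list covers them all.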
Test Your Rule
Once you’ve saved the rule, try accessing the wp-login.php page.
- Success: If you use an IP address you listed as allowed, you should be able to access the login page normally.
- Blocked: If you try logging in from a different IP address (not on your list), you should not be able to access the login page.
Conclusion
Keeping your WordPress login safe is the most important thing to stop hackers from getting in and messing with your site.
Follow these steps to lock down your WordPress login! This will prevent random IP addresses from accessing your website’s login page.
Frequently Asked Questions
Your WordPress login page is a prime target for attackers. Locking down your website login with allowed IP addresses keeps hackers out!
No, you do not need to upgrade for this security feature. Restricting access by IP address is included in the free Cloudflare plan!
Many websites can tell you your current IP address. A simple search for “my IP address” will do the trick.
No, this only stops unauthorized attempts to reach your login page. All other pages will remain accessible to everyone. Remember to test the rule thoroughly after deploying it on your live site.
The post How to Lockdown WordPress Login Page with Cloudflare appeared first on M R K WP.