How to protect wp-admin area with Cloudflare firewall


Cloudflare is extremely useful for protecting websites against threats. It offers multiple services such as free SSL, DNS, CDN as well as firewall just to mention a few.

WordPress websites are favourite targets of hostile bots and attackers, so practically every WordPress installation will sooner or later be the target of at least a brute-force password-cracking attempt. One of the most serious things that can happen is that a hostile actor gains access to the admin area.

We can protect the WordPress wp-admin area using Cloudflare. In the following example we set up simple firewall rules that allow access to the admin area only from specified IP addresses.

With the following firewall rules it does not actually matter if your password is compromised: the admin area remains inaccessible from every IP address except the ones you specify. You should of course still use a strong, unique password, enable 2FA and have brute-force protection in place.

Let's see how to set up a simple Cloudflare firewall rule to protect the wp-admin directory and everything inside it. The following rule blocks all access to /wp-admin except from the public IP address defined in the rule.

That does the job, but not completely. A variation of /wp-admin/ such as /WP-ADMIN/ could still be used to gain access, because the plain string match is case-sensitive. Below is a more secure rule that prevents this by using the lower() transformation function to convert the URI path to lowercase before comparing it. Replace YOUR IP with your own or your VPN's public IP address.

(not ip.src in {YOUR IP} and lower(http.request.uri.path) contains "/wp-admin")

This rule cannot be added with the expression builder; you need to enter it in the expression editor, as on the screenshot below.
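To make the difference between the case-sensitive match and the lower() version concrete, here is an added Python model of how the two expressions evaluate against sample requests. It is not Cloudflare code or part of the original post; the allowlisted networks and the request samples are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlist standing in for "YOUR IP": a single address plus a
# VPN range, so both forms of the page's placeholder are covered.
ALLOWED = [
    ipaddress.ip_network("203.0.113.7/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass
class Request:
    src_ip: str   # ip.src
    path: str     # http.request.uri.path


def _is_allowlisted(src_ip: str) -> bool:
    """Models `ip.src in {YOUR IP}`."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED)


def naive_rule(req: Request) -> bool:
    """The first rule: `not ip.src in {...} and http.request.uri.path contains "/wp-admin"`.
    `contains` is a case-sensitive substring match, so /WP-ADMIN/ slips past it."""
    return (not _is_allowlisted(req.src_ip)) and ("/wp-admin" in req.path)


def hardened_rule(req: Request) -> bool:
    """The second rule: `lower(http.request.uri.path) contains "/wp-admin"`.
    Lowercasing first makes the comparison case-insensitive."""
    return (not _is_allowlisted(req.src_ip)) and ("/wp-admin" in req.path.lower())


def blocked_paths(rule, requests) -> list[str]:
    """Return the paths a rule would block (the visitor would see Error 1020)."""
    return [r.path for r in requests if rule(r)]


# Constructed sample traffic.
SAMPLE = [
    Request("203.0.113.7", "/wp-admin/"),                 # allowlisted admin
    Request("192.0.2.10", "/wp-admin/"),                  # outsider, normal path
    Request("192.0.2.10", "/WP-ADMIN/"),                  # outsider, case variation
    Request("192.0.2.10", "/wp-admin/admin-ajax.php"),    # also under /wp-admin
    Request("192.0.2.10", "/blog/hello-world/"),          # public page, untouched
]

if __name__ == "__main__":
    print("naive blocks:   ", blocked_paths(naive_rule, SAMPLE))
    print("hardened blocks:", blocked_paths(hardened_rule, SAMPLE))
```

Note that admin-ajax.php lives under /wp-admin, so plugins that call it for anonymous visitors will also be blocked by either rule; check your site after deploying.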


After deploying the rules, if someone tries to access anything under wp-admin from an IP address that is not on your allowed list, the visitor sees Error 1020 Access denied, as on the screen capture below.

Now the wp-admin area is somewhat better protected. If your IP address changes, you need to update it in your Cloudflare account.
