WPSurfer.com

How to Secure your WordPress Login Page using CloudFlare

Published on July 23, 2022 | Updated on October 23, 2024

There are many ways to protect your WordPress login page, and you don’t have to spend a dollar on an expensive security plugin to do it.

CloudFlare is my go-to solution when I want to block everyone except myself from my login page and other important pages.

I never get brute-force attacked.

Follow these steps to protect your login page using Cloudflare the same way that I do.



What are Brute Force Attacks?

Brute force attacks on WordPress sites involve systematically attempting to guess passwords and gain unauthorized access.

Here are some common forms of brute force attacks targeting WordPress:

  • Dictionary Attacks: Using a list of common passwords to try to gain access.
  • Credential Stuffing: Using credentials obtained from other breaches to attempt login.

Tools like WPScan or Hydra can automate the process of trying thousands of username and password combinations.

Attackers may use a network of compromised computers to perform brute force attacks, making it difficult to block IP addresses and detect the source of the attack.


Steps to Secure your Login Page with CloudFlare

First, go to your domain on CloudFlare, since firewall rules are created on a site-by-site basis.

Second, go to your DNS records.

Third, make sure your site traffic is being proxied by CloudFlare.

Fourth, go to your web application firewall (WAF).

Then click the “create firewall rule” button.

After that, name your firewall rule whatever you want and choose these values for field and operator from the drop-down menu.

Once you have that ready, choose what to do with visitors who try to visit those pages. I suggest blocking everyone.

Then click the “deploy” button, and your login page security concerns will be gone.

Now go to the “tools” tab inside the Web Application Firewall.

There you have to whitelist the IPs that you don’t want to block, including your home and office IP addresses, and click the “add” button.

Finally, come back later, go to your web application firewall and then to the overview, and check your firewall performance.

Click any of the results and check details about the visitors being blocked.

Open any of the log results and confirm that the firewall is blocking only threats.

Consider Also Blocking Access to the XML-RPC File

The XML-RPC protocol allows multiple login attempts in a single request.

This means attackers can submit numerous login attempts in one go, bypassing standard rate-limiting measures that protect the login page.

If your site doesn’t use XML-RPC for legitimate purposes, consider disabling it altogether. This can be done by adding code to your theme’s functions.php file:

add_filter('xmlrpc_enabled', '__return_false');
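
An origin-side check for the Cloudflare rule and the XML-RPC advice above, as an added example that is not part of the original post: it scans a web server access log for requests to wp-login.php or xmlrpc.php that still reached the server from addresses outside the allowlist, which points to unproxied traffic or a rule that does not match. The log lines, IP addresses and function names are constructed for illustration, and the log is assumed to be in combined format with the real visitor IP as the first field.

```python
import ipaddress
import re
from collections import Counter

# Assumption: combined log format, real visitor IP in the first field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" ')
PROTECTED = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample data (documentation address ranges), not real traffic.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/28")]
SAMPLE_LOG = """\
203.0.113.10 - - [23/Oct/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [23/Oct/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
192.0.2.55 - - [23/Oct/2024:10:00:03 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 4512 "-" "python-requests/2.31"
192.0.2.77 - - [23/Oct/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 810 "-" "curl/8.0"
198.51.100.7 - - [23/Oct/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
192.0.2.99 - - [23/Oct/2024:10:00:06 +0000] "GET /blog/hello HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def is_allowed(ip_text):
    """True only if ip_text parses as an IP address inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostnames or garbage in the IP field are never trusted
    return any(ip in net for net in ALLOWLIST)

def leaked_requests(log_text):
    """Count protected-path requests from non-allowlisted IPs seen at the origin."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.groups()
        path = target.split("?", 1)[0]  # match on the path, ignoring the query string
        if path in PROTECTED and not is_allowed(ip):
            hits[(ip, path)] += 1
    return hits

if __name__ == "__main__":
    for (ip, path), n in sorted(leaked_requests(SAMPLE_LOG).items()):
        print(f"{ip} reached {path} {n} time(s): check proxying and the firewall rule")
```

An empty result on a real log is the expected state once the rule is deployed and the DNS record is proxied.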

Security at the Application Level

I rely on Cloudflare to prevent most attacks directed to my login page. That’s protection at the CDN level.

You should consider:

  • Using Strong, Unique Passwords.
  • Limiting Login Attempts.
  • Enabling Two-Factor Authentication.
  • Adding CloudFlare Turnstile or Captcha.
  • Changing the Default Login URL.

It’s important to select your security plugin carefully, as some WordPress security plugins have inadvertently introduced vulnerabilities.

For instance, the “Really Simple Security” plugin, installed on over 4 million websites, was found to have a critical vulnerability that allowed hackers to gain administrative access to affected sites.


Manuel Campos

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.