There are many ways to protect your WordPress login page, and you don’t have to spend a dollar on expensive security plugins to do it.
Cloudflare is my go-to solution when I want to block everyone except myself from my login page and other important pages.
I never get brute-force attacked
Follow these steps to protect your login page using Cloudflare the same way that I do.
What are Brute Force Attacks?
Brute force attacks on WordPress sites involve systematically attempting to guess passwords and gain unauthorized access.
Here are some common forms of brute force attacks targeting WordPress:
- Dictionary Attacks: Using a list of common passwords to try to gain access.
- Credential Stuffing: Using credentials obtained from other breaches to attempt login.
Tools like WPScan or Hydra can automate the process of trying thousands of username and password combinations.
Attackers may also spread the attempts across a network of compromised computers, so blocking individual IP addresses does little and the true source of the attack is hard to identify.
Steps to Secure your Login Page with Cloudflare
First, open your domain in the Cloudflare dashboard, since firewall rules are created on a site-by-site basis.
Second, go to your DNS records.
Third, make sure your site traffic is being proxied through Cloudflare (the orange cloud); a rule on an unproxied record does nothing, because requests never pass through Cloudflare.
Fourth, go to the Web Application Firewall (WAF).
Then click the “Create firewall rule” button.
After that, name the rule whatever you want and choose the field and operator values from the drop-down menus so that the rule matches your login page.
Once that is ready, choose what to do with visitors who request those pages. I suggest blocking everyone.
Then click the “Deploy” button, and your login page security concerns will be gone.
Now go to the “Tools” tab inside the Web Application Firewall.
There you have to allowlist the IP addresses that you don’t want blocked, including your home and office IP addresses, and click the “Add” button. Do this before relying on the rule, or you will lock yourself out along with everyone else.
Finally, come back later, go to your Web Application Firewall, open the overview and check how the rule is performing.
Click any of the results to see details about the visitors being blocked.
Open any of the log entries and confirm that the firewall is blocking only threats and not legitimate visitors.
Consider Also Blocking Access to the XML-RPC File
The XML-RPC protocol (served from xmlrpc.php) allows multiple login attempts in a single request through its system.multicall method.
This means attackers can submit numerous username and password combinations in one go, bypassing standard rate-limiting measures that only count requests to the login page.
If your site doesn’t use XML-RPC for legitimate purposes (the Jetpack plugin and the mobile apps are the usual reasons to keep it), consider disabling it altogether. This can be done by adding code to your theme’s functions.php file:
// functions.php: disable the XML-RPC methods that require authentication
add_filter( 'xmlrpc_enabled', '__return_false' );
This filter switches off the authenticated XML-RPC methods, but xmlrpc.php still answers requests; to close the path completely, block it at Cloudflare with the same kind of firewall rule used for the login page.
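To see why a single XML-RPC request can carry many login attempts, here is a small detection helper I have added as an example (it is not code from the original post or from WordPress). It decodes one XML-RPC request body, unpacks system.multicall, and counts every nested call that takes a username and password; the set of methods treated as authenticating, the sample request builders and the placeholder credentials are my own assumptions, constructed for the demo.

```python
import xmlrpc.client
from collections import Counter

# Methods that take a username and password, so each call is one login
# attempt from an attacker's point of view (assumption: this set is ours,
# not an official WordPress list).
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getPosts", "wp.getProfile",
                "blogger.getUsersBlogs"}


def login_attempts_in_request(body: bytes) -> Counter:
    """Count authenticating method calls in one XML-RPC request body.

    A plain request counts as at most one attempt; a system.multicall
    request is unpacked so every nested call is counted on its own.
    """
    params, method = xmlrpc.client.loads(body)
    counts = Counter()
    if method == "system.multicall":
        # params is a 1-tuple holding the list of {methodName, params} structs
        for call in params[0]:
            if call.get("methodName") in AUTH_METHODS:
                counts[call["methodName"]] += 1
    elif method in AUTH_METHODS:
        counts[method] += 1
    return counts


def is_multicall_abuse(body: bytes, limit: int = 1) -> bool:
    """True when a single request carries more login attempts than `limit`."""
    return sum(login_attempts_in_request(body).values()) > limit


def build_sample_multicall(n: int) -> bytes:
    """Constructed sample: one system.multicall bundling n wp.getUsersBlogs calls."""
    calls = [{"methodName": "wp.getUsersBlogs",
              "params": ["admin", f"placeholder-guess-{i}"]} for i in range(n)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def build_sample_single(method: str) -> bytes:
    """Constructed sample: an ordinary single-method request."""
    return xmlrpc.client.dumps(("admin", "placeholder"), methodname=method).encode()


if __name__ == "__main__":
    body = build_sample_multicall(25)
    print(login_attempts_in_request(body))  # Counter({'wp.getUsersBlogs': 25})
    print(is_multicall_abuse(body))         # True
    print(is_multicall_abuse(build_sample_single("wp.getUsersBlogs")))  # False
```

Run the same function over request bodies captured from your web server or Cloudflare logs: one POST to xmlrpc.php that unpacks to dozens of attempts is exactly the traffic a per-request rate limit on wp-login.php never sees.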
Security at the Application Level
I rely on Cloudflare to prevent most attacks directed at my login page. That’s protection at the CDN level.
You should also consider, at the application level:
- Using strong, unique passwords.
- Limiting login attempts.
- Enabling two-factor authentication.
- Adding Cloudflare Turnstile or a CAPTCHA.
- Changing the default login URL.
It’s important to select your security plugin carefully, as some WordPress security plugins have themselves introduced vulnerabilities.
For instance, the “Really Simple Security” plugin, installed on over 4 million websites, was found to have a critical vulnerability that allowed attackers to gain administrative access to affected sites.