How to Secure your WordPress Login Page using CloudFlare

Published on July 23, 2022 | Updated on July 4, 2024

There are many ways to protect your login page and you don’t have to spend a dollar buying expensive security plugin to do that.

CloudFlare is my go-to solution when I want to block everyone out except myself from my login pages and other important pages.

I never get brute-force attacked, I think about different types of hacking attempts but not in attacks related to my wordpress sites login pages

Follow these steps to protect your login page using Cloudflare the same way that I do

What are Bruce Force Attacks?

Brute force attacks on WordPress sites involve systematically attempting to guess passwords and gain unauthorized access.

Here are some common forms of brute force attacks targeting WordPress:

  • Dictionary Attacks: Using a list of common passwords to try to gain access.
  • Credential Stuffing: Using credentials obtained from other breaches to attempt login.

Tools like WPScan or Hydra can automate the process of trying thousands of username and password combinations.

Attackers may use a network of compromised computers to perform brute force attacks, making it difficult to block IP addresses and detect the source of the attack.

Steps to Secure your Login Page with CloudFlare

Firstly, you have to go to your domain on CloudFlare since Firewall rules are created on a site by site basis

Protect Login Page - CloudFlare (0)

Secondly go to your DNS Records

Protect Login Page - CloudFlare (1)

Thirdly Make sure your site traffic is being proxied by CloudFlare.

Protect Login Page - CloudFlare (2)

Fourth go to your web application firewall (WAF)

Protect Login Page - CloudFlare (3)

Then click the “create firewall rule” button

Protect Login Page - CloudFlare (4)

After that name your firewall whatever you want and choose these values for field and operator from the drop-down menu

Protect Login Page - CloudFlare (5-1)

Once you got that ready, you gotta choose what to do with visitors who want to visit those pages. I suggest blocking everyone.

Protect Login Page - CloudFlare (6.1)

Then Click “the deploy button” and your login page security concerns will be gone

Protect Login Page - CloudFlare (6)

Now go to the “tools tab” inside the Web Application Firewall

Protect Login Page - CloudFlare (7.1)

There you have to whitelist the IP that you don’t want to block including your home and Office IP address and Click the “add button”

Protect Login Page - CloudFlare (7)

Finally come back later and go to your web application firewall and then to overview and check your firewall performance

Protect Login Page - CloudFlare (8)

Click any of the results and check details about the visitors being blocked

Protect Login Page - CloudFlare (9.1)

Open any of the log results and confirm that the Firewall is blocking only threats

Protect Login Page - CloudFlare (9)

Consider Also Blocking Access to the XML-RPC File

The XML-RPC protocol allows multiple login attempts in a single request.

This means attackers can submit numerous login attempts in one go, bypassing standard rate-limiting measures that protect the login page.

If your site doesn’t use XML-RPC for legitimate purposes, consider disabling it altogether. This can be done by adding code to your theme’s functions.php file:

add_filter('xmlrpc_enabled', '__return_false');

Manuel Campos

Manuel Campos

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.






© 2024 WP SURFER • Made with Love in Costa Rica