Block all countries except USA


A few times someone is trying to log into my website illegally by guessing passswords, and they seem to be coming from Ukraine or china etc. How do i block all countries except those from United states?

I see that i can block a particular country in the firewall section by entering the country name, but instead of sitting there all day entering every country on earth, can i just tell it to only allow traffic from USA instead?


The simplest way I think you can do this is to create a Worker that filters on the country and you can select which countries you want to allow!

1 Like


Depending on what you built your website with you may also be able to place Cloudflare Access in front of your login URL.

1 Like

Really! wow, that would be awesome, im using wordpress, and im recently getting people trying to hack it by trying to repeatedly guess passwords.

I dont like that of course.

I will check out Cloudflare Access, is it free? Is there a link that tells about, and how to set it up?

Thanks for your great answer!

No. $3 per user. But I am not sure if it works with WP :thinking:

1 Like’s free plan is good at blocking brute force attacks. Between that and Cloudflare, it’s pretty strong.

Another easy option is the Cloudguard plugin. It uses Cloudflare’s country header to restrict login:

Access works with Wordpress. You just block the wp-login.php URL.

Argo is free for 1 user, so if it’s only you managing the site $0. But $3 per user beyond that. :slight_smile:

1 Like

I’m sure @cs-cf meant “Access.”


I have paid account with Cloudflare already, the basic paid account (dont know the exact name),and its already in front of my site, but as i said people who reach my login page (from Ukraine, China, Brazil) Im in USA, they keep trying to log into my admin account by guessing the password. I have something already in my wordpress that blocks them if they try more than 3 times, and that keeps triggering.

Im just scared i get hacked again (previously i was getting hacked every single day with hackers actually crashing my site and hacking my wordpress php files), thats why i started using Cloudflare and havnt got hacked since. Only now it seems they are trying to guess passwords again now.

I will check out all of your comments thanks!

1 Like

Argo? Thought we were talking about Access. which is

open beta and free to use currently. We will be charging $3 per unique user in GA. (i.e. If 5 people login using Access, you would be charged $15 that month.)

I am confused now :thinking::upside_down_face:

1 Like

He meant Access, they will charge 3$/user after the first. 5 people it’s 12$/month.


If it were me if you are the only one accessing the part they are trying to enter into and you want the main domain to remain free for all I would chose Access.

If it were multiple people it depends on the number and the pricing. With Access it’s easier to manage and won’t block if you are abroad, but probably costs more.

If you were trying to block everyone from outside the US on every page, not only the admin part then Workers.

In case you need help with Workers I could provide you a bit of help, there should be already a code sample somewhere in here, I will find it and post it here afterwards…

1 Like

Here is a slightly different Worker, but the basic principle is the same (it redirects instead of block).

1 Like

I think some colleagues have already suggested Workers, but this example explains how to ban users from malicious IP addresses using our API and Cloudflare Workers:

Another Cloudflare Workers example: Block a client with an IP address blacklisted

In this example, we show how to block all continents except North America, which looks very much like your requests.


P.D.: I hope I have not violated the TOS of the forum referencing my company site. íf so my apologies and please delete it.

1 Like

If you want to block brute force attacks against*, why don’t you create a Page Rule with 1) Browser Integrity Check: On and 2) Security Level: I’m Under Attack?

This topic was automatically closed after 14 days. New replies are no longer allowed.