Brute Force Attackers to wordpress site is coming from Cloudflare



I am getting an insane amount of POST requests to my wordpress sites (via wp-login.php) and when I check the originating IP, it’s coming from Cloudflare.

I assume normal human beings use Cloudflare has a proxy for web browser. Is it safe to block all POST attempts to wp-login.php if IP is from Cloudflare? And by safe, I mean I’m not blocking normal legit human beings trying to login to their wordpress site.


Cloudflare acts as a proxy for websites. Visitors route through Cloudflare to access a website behind it. If you are seeing a Cloudflare originating IP address, then I assume the domain is behind Cloudflare. You may want to restore the visitor IP to your logs if you’re going to try to block their access:


Oh crap…yeah I thought we had been using the Cloudflare originating IP address for our Nginx logs, but apparently we weren’t.

Thanks! My mistake.


You should definitely implement this trick to prevent Brute Force Attack