I’ve added a few Wordpress sites to Cloudflare since I received 10.000+ of wp-login requests in a day. I’ve setup a firewall to allow only from my home country and “challenge capcthca” from all other countries.
How to know if a capthca solved or not? I see only “Firewall Rule Challenge” at firewall event log.
AFAIK, there’s no way to tell when a captcha is solved.
The best protection for /wp-admin, /wp-login.php, and /xmlrpc.php, in my view, is to create Access Policies for each of them. This way only authenticated users (you and whoever else needs to access these assets) will be let in, everyone else will be blocked. Users are authenticated by one of chosen Identity Providers (Google, Facebook, GitHub etc), and you may set a session to last up to a month.
Unfortunately access policies won’t work for me, since those WP sites are from different users. Most of them got dynamic IP, impossibble to keep the IP list up to date.
You can also authenticate them by email, no need to use IP address. What I have is two Access Groups, one with my email, another with the emails of occasional visitors who may need access to the back end, and each Access Policy has an Allow rule for these groups.
When you visit an Access-protected area for the first time, the screen will ask you to provide your identity, and the user has the choice between those enabled by the site admin. User choses, say, Google, and they are redirected to a Google page where they are asked to provide username and password. Once authenticated, the user is automatically redirectted back to their destination on your site,and won’t be asked for an email again for the duration of the session (which can be set from 1 day to a month)
This topic was automatically closed after 14 days. New replies are no longer allowed.