Combining Cloudflare Access and Firewall Rules to protect WordPress

I would like to lock down access to all the non-public facing parts of a WordPress self-hosted site to minimize the impact on the server from consistent random login requests and attempts to access other parts of the install such as the wp-config file.

The best approach I can see is to use Cloudflare Access to verify all legitimate login requests with a third-party verification service before passing the request to the server and rejecting all other nefarious requests. The limitation within Cloudflare Access is the ability to use wildcards in the path allowing all requests for /wp-admin/* through the verification service. Is there a way of combining Cloudflare firewall rules with Cloudflare Access to force the external verification of all traffic trying to login to the site whilst rejecting nefarious attempts to get to the wp-config file immediately? If so, which product takes precedence in the process (i.e. can I block all access to wp-admin within the firewall and then allow access through Cloudflare Access)?

If this is not the best approach, is there another method that would be recommended for offsiting the firewalling and verification before it hits the server?

Many thanks in advance!


You shouldn’t need such blanket protection of the wp-admin directory. I spend a lot of time combing through WordPress logs and find the worst offenders seem to be targeting wp-login, xmlrpc, and admin-ajax. Plus other random fits of inspiration: vulnerable plugins, random config files.

My approach is to use Access to protect wp-login, then Firewall Rules to Challenge or Block all the other noise.


@sdayman Thank you for your prompt reply.

In this scenario, would you block all requests that include wp-login in the URI path in the firewall and then allow access through Access? The trouble at the moment is that we are getting attempted logins that use wp-login.php but are extending the URI, so avoiding the Access verification process.

I wouldn’t even bother with Firewall for wp-login. Those requests will hit Access before they make it to your site.

I can’t replicate this. When I use a VPN to access /wp-login.php?somerandomstring, it still sends me to Access.
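The split described above (Access in front of wp-login.php, Firewall Rules for the remaining noise), written out as Cloudflare firewall rule expressions. This is an added, constructed example and not configuration posted by anyone in this thread; the extension list, the rule order and the choice of Block versus Managed Challenge are assumptions to adjust per site.

```text
# Access application (configured under Zero Trust, not in Firewall Rules):
#   Application domain: example.com   Path: /wp-login.php
# Path matching ignores the query string, so /wp-login.php?somerandomstring
# still lands on the Access login page. No firewall rule touches wp-login.php,
# so the Access policy is the only thing gating it.

# Rule 1 - Block: direct probes for configuration files and backups.
# (wp-config.php itself is not normally served, but the backups editors leave
# behind, e.g. wp-config.php.bak or wp-config.php~, can be. Extension list is assumed.)
(http.request.uri.path contains "wp-config")
or (http.request.uri.path ends_with ".bak")
or (http.request.uri.path ends_with ".sql")
or (http.request.uri.path ends_with ".env")

# Rule 2 - Block: XML-RPC, a frequent brute-force and amplification target.
# Caveat: if Jetpack or the mobile app needs it, scope this to a POST-only
# rule or skip it rather than blocking outright.
(http.request.uri.path eq "/xmlrpc.php")

# Rule 3 - Managed Challenge: the rest of wp-admin, excluding admin-ajax.php.
# admin-ajax.php is called by front-end plugins for anonymous visitors, so a
# challenge there can break the public site; it is left out here.
(http.request.uri.path starts_with "/wp-admin/")
and not (http.request.uri.path eq "/wp-admin/admin-ajax.php")
```

Before enabling the Block rules, run each expression through the firewall events view (or deploy it as Log first) to confirm it only matches the scanner traffic and not a plugin or backup job the site relies on.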
