This tutorial covers the basics of Cloudflare Access and how to protect an admin or other area of your website using this feature.
Please note: This tutorial covers the setup on Cloudflare, you also need to protect your origin server to prevent people being able to bypass Cloudflare to get around the login. You can enable Argo Tunnel or restrict connections to Cloudflare IPs only (contact your host for help with this).
Access is free for up to 5 ‘seats’ or users, after that, there is a fee for each new ‘seat’.
You can read about the pricing here
Please note: You must have a payment method added to your account to be able to use Cloudflare Access. You can read how to do this in this help article.
Go to the Access app in your Cloudflare Dashboard
Enable Access and choose your plan, add a payment method here if you don’t already have one.
Choose your Login Page Subdomain, this will be
XXXXX.Cloudflareaccess.com, where you can choose the value of XXXXX. This subdomain will be used across all the sites in your account that use Access and is what users will see when they go to login.
Add a Login Method (or multiple), under ‘Login Methods’, you will automatically have the option which will allow users to enter their email and receive a pin which will only work once to login. You can click to add support for other login methods such as Google, Facebook, Github etc. on the basic plan and GSuite etc. on the premium plan. This will allow your users to login quickly, especially if you use GSuite, for example, for all yuour users and they can log in with that. When you add each one, instructions will be shown for how to configure them.
Create your Access Policy (or more than one!) - here you can choose what areas of your website to restrict, for example, if you use WordPress you may want to restrict the
/wp-adminpath. In the example below, I have restricted
You can restrict by subdomain and by path. You can also select how long each user stays logged in for before having to authenticate again.
You now need to set who can access this area, this may be one of the following:
- a list of emails
- All emails on a certain domain
*An Access Group (Please see Below)
Access groups can be very useful should you want to group your users and manage them easily. For example, you may have an access group for marketing, one for sales, one for IT etc.
You can then use these in conjunction with Access Policies to allow different departments to access different areas.
You can then quickly manage the staff within the Access Groups without having to add them manually to all the relevant Access Policies.