Create a login firewall rule

I want to ask about how to create a firewall rule for logging into the website.

I want to specify that only when I click and type wp-login.php and the correct IP address is can the login page appear.

All remaining things will be blocked.

To create a firewall rule like above, what should I do?
Please guide me thank you very much.

Docs for that are here:

What have you tried so far?


Thank you for your reply.
Can you give me more detailed instructions?
Because I used IP source address and URI Part by specifying the opposite block.
It was fine at first but when Cloudflare updated the algorithm this was no longer correct.

(http.request.uri.path eq “/wp-login.php/” and ip.src eq 192.164.x.x)

That’s a good start. I’d go with these changes:

(http.request.uri.path contains "wp-login.php" and ip.src ne

There should be no other URLs on your site that contain wp-login.php, so if it has that, and is NOT coming from your IP address, then Block it. The x.x IP address isn’t going to work. It has to be a specific IP address. OR, you can pick a subnet that would cover all of 192.164:

(http.request.uri.path contains "wp-login.php" and not ip.src in {})

If you plug into a subnet calculator, you’ll see the range of IP addresses it covers:


Thank you for helping me.
After more than 24 hours of testing, I have been able to block IPs from logging into my website.
The problem has been resolved.
Thank you very much.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.