Firewall Rule To Block wp-login.php

I am trying to add a firewall rule to block access to my Wordpress wp-login.php except for the country I am in.

I added 2 rules 1) URI Full for and 2) URL contains I added wp-login but within an hour I saw firewall logs blocking other pages on my site.

What am I missing?

Your post looks like you put asterisks around wp-login.

This is what I use, then I made it a JS Challenge (for a client site):
(http.request.uri contains "wp-login")

21 hits in the last 24 hours.


Ahhh ok yes I did use asterisk, will try “” now. Thank you!

1 Like

Ok I added http.request.uri contains “wp-login” and added my country to block and it’s blocking all pages not just wp-login. I tried URI Path /wp-login.php and it blocks all pages not just wp-login.

If you click on one of your firewall hits, you can see the page that was blocked.


URI Full
URI Path /wp-login.php

You’re blocking your own country?

Are you using some cache plugin like W3 Total Cache?

FYI, both URI Ful and URI fields include the query string. So if the request has /wp-login.php?key=anyvalue it won’t be a match. You should stay with URI Path for your use case, and use URI or URI Full fields only when your need to block or challenge a specific URI that includes a query string. Also, only the URI Full field should contain your domain.

No sir

Yea, I have:

If country equals USA
URI Path contains wp-login.php
then block

This blocks all posts on wordpress from the United States. I also used equals instead of contains and it does the same.

Yes, because I have an allow rule for my IP subnet before the block rules so that only I can access wp-login.php

If it’s just you, then I highly recommend you use Access instead. It’s free for just one user.

It’s set to bypass restrictions if it’s my home IP address. And if I’m away from home, I can have it email me an access code.


Great info, I will look at that now!

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.