How to IPs restrict access to WordPress login.php while using Cloudflare?

pascalbourhis October 11, 2019, 10:25am #1

Hi

We used to prohibit access to WordPress admin by using this below in our .htaccess file:

# BEGIN PROTECTION wp-login.php
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
</Files>
# END PROTECTION wp-login.php

Using Cloudflare it do not work: I get a 403 error (forbidden)…

What is the tips to do that?

Thanks

floripare October 13, 2019, 7:05pm #2

Hi,

I looks like your .htaccess code could be blocking Cloudflare.

Since Cloudflare acts as a reverse proxy, when it’s configured as expected, all connections to your origin webserver come from Cloudflare’s IP addresses, and that may or may not be a problem for you:

If your web application is using the originating IP of the visitor as part of its logic, it will now use a Cloudflare IP address
If you use the content of your access logs, they now contain a Cloudflare IP address as the $remote_addr

Depending on your setup, you can restore the visitor IPs in a number of ways. You can find a complete list here, or below are a few of the most popular:

Apache 2.4
Nginx
mod_cloudflare (not supported any more)