i am protecting the websites Wordpress /wp-admin folder with a htacces password protection set up through my hosts server admin panel. I also set up the Cloudflare DNS and Cache (set to “Standard”). Unfortunately the htaccess protection username and pw modal is asking again and again. Without cache it works as expected.
Any idea how to resolve this issue?
May I ask you to check what option have you got selected under the
Browser Cache TTL at Cloudflare dashboard for your domain name?
You could check this by navigating to the
Caching → Configuration
→ I’d suggest you to set it (if already not) to “Respect Existing Headers”
Usually, it has no impact and works fine being served from the origin.
Furthermore, there were users who have had 401 Authorization enabled and we saw it while using Cloudflare and the hostname was proxied
Are you sure you have correctly defined the directory path for protection with 401 auth and the is the .htaccess among .htpasswd file path containing correct credentials also located in the needed directory which you want to protect?
Are you sure your Web server suppor…
Furthermore, I’d not suggest you to protect “wp-admin” with a password as far as some plugins, including WordPress core uses some of the resources like JS or CSS files on themes, JSON, REST API, etc.
Therefore, you’d be asking for “username & password” each of your visitor.
There are much better ways to protect your WordPress admin dashboard / WordPress login using Cloudflare, if so.
If interested, I am sharing my post here which contains a lot of useful information about this topics:
That is a good question out there.
I would say it cannot be stated as a general rule of thumb, as far as some WordPress websites do not have to use like POST or PUT (WP REST API, wp-json, plugins etc.), while other have to - just an example.
You could try to block TRACE & TRACK for example.
Or, if you could for example, limit HEAD, GET and POST for some specific IP or some similar scenario, where you protect your Website from bad bots, possible attacks, etc. in terms of security measurements. …
I’d suggest you to take a look at Cloudflare Access / Zero Trust to protect your WP Login
You shouldn’t need such blanket protection of the wp-admin directory. I spend a lot of time combing through WordPress logs and find the worst offenders seem to be targeting wp-login, xmlrpc, and admin-ajax. Plus other random fits of inspiration: vulnerable plugins, random config files.
My approach is to use Access to protect wp-login, then Firewall Rules to Challenge or Block all the other noise.
If you are hosting a blog like me, you can use Cloudflare to protect and accelerate your website which I have described here –> https://msandbu.org/moved-my-blog-to-cloudflare/ that means that front-end traffic is handled by Cloudflare...
Est. reading time: 2 minutes
Thx for the reply. The settings are already the same as you suggest. So im checking it again.
What if i protect the folder with a Cloudflare firewall rule - blocking all IP except mine instead of the htaccess pw protection? this should work or not?
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.