I limit access to all wordpress login urls via IP in my apache config.
This was done because after looking at my logs, it shows that there are constant penetration attempts on my servers - (eg some hacker bot is just constantly trying random passwords to try and get into the wp-admin)
after putting my deny all in my apache config, it blocks the bots, I only allow access from a handful of IP addresses. When I switched to Cloudflare it no longer recognizes my IP and gives me the Forbidden error.
IP limiting has been very effective at keeping my server safe. If I switch to Cloudflare it looks like I might as well open up all access again (I could just add Cloudflare’s IPs, but since all traffic goes through it, its the same as “allow all”)
Am I going to have to deal with the hack bots? I have several customer sites on my server, so I don’t have control over password strength.
Would mod_cloudflare pass the origin IP to apache and fix my problem? Or does Cloudflare have some other way to already deal with these security threats so I don’t have to worry about it?