My htaccess IP whitelist doesn't work with Cloudflare



I limit access to all wordpress login urls via IP in my apache config.

This was done because after looking at my logs, it shows that there are constant penetration attempts on my servers - (eg some hacker bot is just constantly trying random passwords to try and get into the wp-admin)

after putting my deny all in my apache config, it blocks the bots, I only allow access from a handful of IP addresses. When I switched to Cloudflare it no longer recognizes my IP and gives me the Forbidden error.

IP limiting has been very effective at keeping my server safe. If I switch to Cloudflare it looks like I might as well open up all access again (I could just add Cloudflare’s IPs, but since all traffic goes through it, its the same as “allow all”)

Am I going to have to deal with the hack bots? I have several customer sites on my server, so I don’t have control over password strength.

Would mod_cloudflare pass the origin IP to apache and fix my problem? Or does Cloudflare have some other way to already deal with these security threats so I don’t have to worry about it?


mod_cloudflare is certainly handy. I like it mostly because it restores visitor IP addresses in my logs.

In your situation, I have a few suggestions:

  1. Install Wordfence. It does a fantastic job of protecting against all kinds of nasty stuff. Especially botnets poking around Wordpress sites.
  2. You can also use Cloudflare Access if you really want to lock down by IP address, but it’s labor-intensive to set it up.
  3. Use Page Rules for wp-admin* and wp-login.php to set Security Level to “I’m Under Attack.” This will stop the bots.


@vexcom a couple of WordPress plugins worth checking out are:

which will help further lockdown the WP login page in addition to @sdayman’s recommendations.


I’m having the same issue. I can;t access to one folder that contains a .htacess file
So, the issue seems to be the .htaccess. Cause when I delete it, I am able to see the folder’s content.
Any ideas of how to resolve this issue?


jegav777 sounds like the htaccess directive, are you intentionally using IP blocking?


sdayman I really need a low level solution - there are over 20 Wordpress installations on my server and most of them are client sites - I don’t really want to have to go in and make a change to each WP install.

I need something that I can do at the server level - this is why I have the IP whitelist in the apache config.


StuartMorrisAU These look like great plugins but I need a non-WP solution. There are too many wp installs to manage them individually and several are client sites. I really need a server level or automated solution.

That’s why I wondered if mod_cloudfare might work for apache ip allow list - if it works for the logs, it depends on where in the process the user Ip is being forwarded. Does it happen retroactively or is the requests sent with an alias IP - if the request is sent with the users actual IP instead of the cloudflare proxy IP then it will work.

I was hoping someone could tell me so I didn’t have to go through the whole process of installing it and testing.


Then mod_cloudflare is your best bet.


yes, I am blocking all IPs and only allow a few ones.
I have there a m3u list that I’m using for family use and I don’t want that list get access for other people who could find it through Google.

This is the content of the .htacess :slight_smile:

order deny,allow
deny from all
allow from


That’s essentially the same problem I have- the user IPs are being re-written by the cloudflare proxy - I guess I will give mod_cloudflare a shot. Not sure how soon I can get to that but I will try and update this thread with my results.


As long as you have root access to your Apache server it’ll take you all of 2 minutes to install mod_cloudflare using ssh. @sdayman posted the link to the instructions above. It worked for me, and I really don’t understand any of this stuff except in some vague and arbitrary way.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.