Protect Wordpress Admin area with Cloudflare Client Certificate

emiliano.maina · February 22, 2022, 11:47am

Hello,

I am trying to find a satisfying solution to protect the access to my WP admin area.

The point is that I am accessing always from a dynamic IP of my provider.

The best solution I found is to create a firewall rule excluding all IPs different from my provider.
The point is that my ISP is big so there are plenty of attacks coming to the physical WP box anyway.

I was trying to adopt a Cloudflare Client Certificate to make the protection really effective.
Unfortunately with very limited success …
Strangely there is no guide / tutorial for this scenario that I suppose is very common.
Theoretically, I followed here:

# Configure your mobile app or IoT device

where unfortunately is not explained how to install the CF client certificate on Winows.

I supposed I installed the certificate on Windows (not sure).

I create a firewall rule to log my access using Chrome with a certificate like the following:

(http.host in {"lamiacasaelettrica.com"} and cf.tls_client_auth.cert_verified)

No logs, no idea how to make it working.

Can anyone help me?

Thanks!

cbrandt · February 22, 2022, 11:54am

I protect my WordPress backend (/wp-admin), login access (/wp-login-php, /xmlrpc.php) and even, depending on the installation, WP’s REST API endpoints (/wp-json), with Access Policies. Access is now part of Zero Trust, but you can configure Access Policies right on Dashboard > Access.

https://developers.cloudflare.com/cloudflare-one/policies/zero-trust/common-configs

emiliano.maina · February 22, 2022, 2:13pm

With the following rule (last one in rule list) now I am able to block myself:

(lower(http.request.uri.path) contains "php" or lower(http.request.uri.path) contains "/wp-admin") and not cf.tls_client_auth.cert_verified

Don’t know how to make the CF client certificate to work on Chrome.

cbrandt · February 22, 2022, 4:23pm

Your rule is blocking all requests containing “php”. Firewall rules’ logical operators have an implicit order of precedence, which you can modify by grouping them appropriately.

https://developers.cloudflare.com/ruleset-engine/rules-language/operators#order-of-precedence

Have you tried the Access Policy I suggested? It has the added advantage of not cluttering your Firewall Events log with a very large number of attempts against your /wp-admin/ area.

emiliano.maina · February 22, 2022, 4:45pm

Thanks @cbrandt
The point is that, at the moment, it doesn’t recognize client certificate.

Now I switched back to this firewall rule that is definitely “too large”

(lower(http.request.uri.path) contains "php" or lower(http.request.uri.path) contains "/wp-admin") and not ip.geoip.asnum in {198471 1267}

I am reading everything about Zero Trust. It’s totally new for me.

system · March 9, 2022, 4:45pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.