Protect WordPress Admin area with Cloudflare Client Certificate


I am trying to find a satisfying solution to protect the access to my WP admin area.

The point is that I always access it from a dynamic IP of my provider.

The best solution I found is to create a firewall rule excluding all IPs different from my provider.
The point is that my ISP is big so there are plenty of attacks coming to the physical WP box anyway.

I was trying to adopt a Cloudflare Client Certificate to make the protection really effective.
Unfortunately with very limited success …
Strangely there is no guide / tutorial for this scenario that I suppose is very common.
Theoretically, I followed here:

# Configure your mobile app or IoT device

where unfortunately it is not explained how to install the CF client certificate on Windows.

I suppose I installed the certificate on Windows (not sure).

I created a firewall rule, like the following, to log my access using Chrome with a certificate:

( in {""} and cf.tls_client_auth.cert_verified)

No logs, no idea how to make it work.

Can anyone help me?


I protect my WordPress backend (/wp-admin), login access (/wp-login.php, /xmlrpc.php) and even, depending on the installation, WP’s REST API endpoints (/wp-json), with Access Policies. Access is now part of Zero Trust, but you can configure Access Policies right on Dashboard > Access.


With the following rule (last one in rule list) now I am able to block myself:

(lower(http.request.uri.path) contains "php" or lower(http.request.uri.path) contains "/wp-admin") and not cf.tls_client_auth.cert_verified

Don’t know how to make the CF client certificate work in Chrome.

Your rule is blocking all requests containing “php”. Firewall rules’ logical operators have an implicit order of precedence, which you can modify by grouping them appropriately.

Have you tried the Access Policy I suggested? It has the added advantage of not cluttering your Firewall Events log with a very large number of attempts against your /wp-admin/ area.

Thanks @cbrandt
The point is that, at the moment, it doesn’t recognize the client certificate.

Now I switched back to this firewall rule that is definitely “too large”

(lower(http.request.uri.path) contains "php" or lower(http.request.uri.path) contains "/wp-admin") and not ip.geoip.asnum in {198471 1267}

I am reading everything about Zero Trust. It’s totally new for me.

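The step the thread leaves open, getting the Cloudflare-issued client certificate and its private key into the Windows store that Chrome reads, shown as an added example that is not part of any post above or of Cloudflare's documentation. Assumptions: the certificate and key were saved from the Cloudflare dashboard as PEM files under the placeholder names below, and `openssl.exe` is on `PATH`.

```powershell
# Added example. File names are placeholders for the PEM files saved from Cloudflare.
param(
    [string]$CertPem = '.\cf-client-cert.pem',   # assumed name: client certificate (PEM)
    [string]$KeyPem  = '.\cf-client-key.pem',    # assumed name: private key (PEM)
    [string]$Pfx     = '.\cf-client.p12'         # PKCS#12 bundle created below
)
$ErrorActionPreference = 'Stop'

# Ask for a password to protect the bundle. It is handed to openssl through an
# environment variable so it does not appear in the process command line.
$pw = Read-Host -Prompt 'Password for the .p12 bundle' -AsSecureString
$env:P12_PASS = [System.Net.NetworkCredential]::new('', $pw).Password
try {
    # Bundle certificate AND private key. Importing only the certificate file
    # leaves Windows with nothing to authenticate with, so Chrome never offers it.
    & openssl pkcs12 -export -in $CertPem -inkey $KeyPem -out $Pfx `
        -name 'Cloudflare client certificate' -passout 'env:P12_PASS'
    if ($LASTEXITCODE -ne 0) { throw "openssl exited with code $LASTEXITCODE" }
}
finally {
    Remove-Item Env:\P12_PASS -ErrorAction SilentlyContinue
}

# Import into the current user's Personal store, the store Chrome on Windows
# uses for client certificates. Without -Exportable the key cannot be exported again.
$imported = Import-PfxCertificate -FilePath $Pfx -CertStoreLocation Cert:\CurrentUser\My -Password $pw

# Verify what actually landed in the store instead of assuming the import worked.
$cert = Get-Item -Path ("Cert:\CurrentUser\My\" + $imported.Thumbprint)
$now = Get-Date
$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'no private key attached to the certificate' }
if ($cert.NotBefore -gt $now) { $problems += "not valid before $($cert.NotBefore)" }
if ($cert.NotAfter -lt $now)  { $problems += "expired on $($cert.NotAfter)" }

$cert | Format-List Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey
if ($problems.Count -gt 0) {
    Write-Warning ("Certificate is not usable for mTLS: " + ($problems -join '; '))
} else {
    Write-Host 'Certificate and private key are installed; restart Chrome before testing.'
}

# The private key now lives in the store; delete the leftover bundle and PEM key
# or move them to protected storage.
Remove-Item -Path $Pfx
```

Chrome only prompts for a certificate when the server requests one, so the hostname must also be enabled for mTLS in Cloudflare's Client Certificates settings before `cf.tls_client_auth.cert_verified` can evaluate to true.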