I’m using Cloudflare Access to protect my WordPress login page, but I don’t know why it became like this:

I’m following this guide. Am I missing anything?

I recommend against most of that. You only need to protect wp-login, not wp-admin. This is what I have. Two policies: One to Bypass if I’m connecting from my home IP address, and one to Allow if I authenticate via email.

But people will still be able to access wp-admin, which increases server requests because it redirects either to wp-login.php or to the website front page. That’s why I created a policy for wp-admin as well.

Only people who pass wp-login can use wp-admin.

What is it you’re trying to prevent?

Yes, that’s true. Only people who pass wp-login can use wp-admin.

But they can still visit the wp-admin page without logging in; this either redirects them to the homepage, a 404, or wp-login.php.

I wanna avoid these situations. You can try accessing your website without logging in and see what happens; then you will understand what I mean.

I fully understand how it works. It’s just not a concern of mine as there’s very little traffic that goes that way to affect the server and it’s not a security issue. I almost see no bot traffic that hits wp-admin because it’s pointless.

It can’t apply to general cases… For me, wp-admin has a lot of traffic from unknown IPs.

While I disagree with your approach, let’s take a look at your screenshot. It looks like it’s not loading JS or CSS. You can see this if you open up your browser’s Dev Tools (F12 in Chrome) and take a look at the Network and Console tabs for failed actions.

wp-login pulls resources from wp-admin, so if you’ve blocked wp-admin, but let someone Access wp-login, they’re still blocked from anything in wp-admin because they haven’t logged into Access for wp-admin.

Think of it like you’ve blocked hotlinking. While they’re allowed to use wp-login, they can’t “hotlink” to anything in wp-admin without also passing the Access login for wp-admin.

If you’re having issues with bots probing wp-admin, those bots are probably poking around elsewhere as well. Firewall Rules is the better approach for protecting unwanted traffic to wp-admin.
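
A diagnostic for the point above that wp-login pulls resources from wp-admin, added here as an example and not part of the original thread: it lists which subresources of a login page fall under a separately protected Access path. The sample HTML, the `example.com` hostname and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of a wp-login.php response (hostname is a placeholder).
SAMPLE_LOGIN_HTML = """
<html><head>
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css">
<link rel="stylesheet" href="/wp-admin/css/forms.min.css">
<link rel="stylesheet" href="https://example.com/wp-admin/css/login.min.css?ver=1">
<script src="/wp-includes/js/zxcvbn-async.min.js"></script>
<script src="/wp-admin/js/user-profile.min.js"></script>
</head><body><img src="wp-admin/images/wordpress-logo.svg"></body></html>
"""

class SubresourceCollector(HTMLParser):
    """Collect link/script/img URLs referenced by the page, as absolute URLs."""
    REFERENCED = {("link", "href"), ("script", "src"), ("img", "src")}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.REFERENCED and value:
                self.urls.append(urljoin(self.page_url, value))

def blocked_subresources(page_url, html, protected_prefixes):
    """Return same-host subresource paths that sit under another Access policy path."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    host = urlparse(page_url).netloc
    hits = []
    for url in collector.urls:
        parts = urlparse(url)
        if parts.netloc == host and any(
            parts.path == p.rstrip("/") or parts.path.startswith(p.rstrip("/") + "/")
            for p in protected_prefixes
        ):
            hits.append(parts.path)
    return hits

if __name__ == "__main__":
    for path in blocked_subresources(
        "https://example.com/wp-login.php", SAMPLE_LOGIN_HTML, ["/wp-admin"]
    ):
        print("needs a wp-admin Access session:", path)
```

Each path it reports is a request that a visitor who has only passed the wp-login policy will see fail in the Network tab.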

