Protecting wp-login.php for everyone except me

Hello,

I want to protect wp-login.php & wp-admin for everyone except me.

Since my ISP has given me a dynamic IP, using ip.src eq is out of the question.

I tried the http.request.uri.query field (e.g. wp-login.php?id=string), and it works very well for bypassing the security challenge, but only for the duration set in Challenge Passage.

Once the Challenge Passage period expires, I am forced to solve the challenge because the custom http.request.uri.query is not constant. In short, I pass id=string with wp-login.php, which is temporary.

Now, what field can I use to bypass firewall rules for myself?

Thanks,

Alok

It’s easier to use Cloudflare Access to have it email you a PIN that’s good for a month if you configure it that way.


You can use Firewall rules.

May I suggest a Firewall rule which I use: I block everyone except requests from my country, and I have Google reCAPTCHA on the login form:

(http.request.uri.path contains "wp-login.php" and ip.geoip.country ne "HR") → put your country here; or, if you have a static IP address, a good option is to choose IP Address Source here, with action block.

Or, you can use challenge for an action too.

Blocking wp-admin is not a good idea if your theme or plugin uses /wp-admin/admin-ajax.php requests.
Rather, if you are so concerned, create another rule and block requests to files like upgrade.php, install.php, and others such as wp-config.php, etc.

Like the example with action “block”:
(http.request.uri.path contains "wp-config.php") or (http.request.uri.path contains "install.php") or (http.request.uri.path contains "version.php")


Hi @fritexvz,

The problem is that I can’t filter by geolocation because hackers can use a VPN, and as it is, I am getting too many brute force attempts from my own country.

However, I value your suggestion to exclude wp-admin as it can create problems later.

So what I have done is modified the rule to include wp-login.php such that if a specific parameter is not found in the query string, it will force the user to complete the challenge.

This is working perfectly fine.
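
To see how the rules discussed above interact, here is an added offline simulation (example code written for this page, not Cloudflare's engine and not code posted by anyone in the thread). It mirrors the documented meaning of `contains`, `ne`, `and`, `or` and `not` over the fields http.request.uri.path, http.request.uri.query and ip.geoip.country, and runs four candidate rules over constructed sample requests: fritexvz's country rule and sensitive-files rule, a naive "block all of /wp-admin/" rule to show why it also catches admin-ajax.php, and Alok's "challenge wp-login.php unless the secret query parameter is present" rule. The country code HR, the parameter name id and the secret value s3cret-string are assumptions chosen for the example.

```python
"""Offline simulation of the Cloudflare Firewall Rule expressions discussed
in this thread.  Added example, not Cloudflare code: the Request objects, the
country codes and the secret parameter name/value are all constructed here.
Matching uses the same semantics as Cloudflare's `contains` (case-sensitive
substring), `ne` (not equal), `and`, `or` and `not`."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    path: str     # http.request.uri.path
    query: str    # http.request.uri.query (without the leading '?')
    country: str  # ip.geoip.country (ISO 3166-1 alpha-2)


MY_COUNTRY = "HR"              # assumption: fritexvz's example country
SECRET_PARAM = "id"            # assumption: Alok used wp-login.php?id=<string>
SECRET_VALUE = "s3cret-string"  # assumption: made-up secret for the example


def rule_country_login(r: Request) -> bool:
    """(http.request.uri.path contains "wp-login.php"
        and ip.geoip.country ne "HR") -> block"""
    return "wp-login.php" in r.path and r.country != MY_COUNTRY


def rule_sensitive_files(r: Request) -> bool:
    """(http.request.uri.path contains "wp-config.php")
       or (http.request.uri.path contains "install.php")
       or (http.request.uri.path contains "version.php") -> block"""
    return any(name in r.path for name in ("wp-config.php", "install.php", "version.php"))


def rule_block_wp_admin(r: Request) -> bool:
    """(http.request.uri.path contains "/wp-admin/") -> block.
    Included only to show the caveat from the thread: this also matches
    /wp-admin/admin-ajax.php, which themes and plugins call for logged-out
    visitors too."""
    return "/wp-admin/" in r.path


def rule_login_without_secret(r: Request) -> bool:
    """(http.request.uri.path contains "wp-login.php"
        and not http.request.uri.query contains "id=s3cret-string") -> challenge"""
    return "wp-login.php" in r.path and f"{SECRET_PARAM}={SECRET_VALUE}" not in r.query


# Rule name -> predicate.  Names carry the action fritexvz/Alok assigned.
RULES = {
    "block: wp-login.php from another country": rule_country_login,
    "block: sensitive files": rule_sensitive_files,
    "block: whole /wp-admin/ (caveat)": rule_block_wp_admin,
    "challenge: wp-login.php without secret": rule_login_without_secret,
}


def matching_rules(r: Request) -> list[str]:
    """Return the names of every rule whose expression matches the request."""
    return [name for name, pred in RULES.items() if pred(r)]


# Constructed sample traffic (not real logs).
SAMPLES = [
    Request("/wp-login.php", "", "RU"),                         # brute-force attempt
    Request("/wp-login.php", "id=s3cret-string", "HR"),         # the owner, with secret
    Request("/wp-login.php", "", "HR"),                         # same country, no secret
    Request("/wp-admin/admin-ajax.php", "action=heartbeat", "US"),  # legitimate AJAX
    Request("/wp-admin/install.php", "", "HR"),                 # installer probe
    Request("/", "", "US"),                                     # normal visitor
]


def main() -> None:
    for r in SAMPLES:
        target = f"{r.path}?{r.query}" if r.query else r.path
        print(f"{r.country} {target}")
        for name in matching_rules(r) or ["(no rule matched)"]:
            print("   ", name)


if __name__ == "__main__":
    main()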

Hi @sdayman,

Thank you for your suggestion. I find this method to be much more effective at fighting brute force attacks.

I have set up Access by following the instructions, but I am finding it difficult to make it work.

However, for some reason, I am not getting the OTP prompt when I visit the login page.

It’s probably either not pointing to the correct path, or you’ve set it to Bypass.


Hi @sdayman,

I found the problem. Actually, when you said I must have set it to Bypass, I then thought that I must have selected the wrong option.

In Policies > Decision, I had it set to Non Identity. For this reason, CF was not letting me select Access Groups. After changing it to Allow, CF allowed me to select Access Groups.

In Access Groups, I selected Emails and added my email address.

Thereafter, Voilà! On the login page, I was prompted to enter my email address followed by OTP.

So now, I can safely turn off the Firewall rule.

However, the Access solution is good where only one or a few people are going to log in to WP. But if the site has subscribers, then I will have to find a way to synchronize the WP users list with CF Access Groups. I doubt this would be possible. In that case, I can use the Firewall rule, which will cause some inconvenience to the users, but it's worth the security.

Thanks,

Alok


Agreed. It’s a good approach in limited settings. For a members or subscribers site, you’ll have to go with the Challenge approach.
