Redirect or block

I’m using a page rule to redirect my WordPress login page to another page, instead of using a firewall rule to block it.

The reason is: I’m using Cloudflare Access, and the users log in from another page instead of /wp-login.php. After they log out, it will redirect them to the Cloudflare Access login page and the URL exposes the default WordPress login page (I’m using a plugin to change the login slug).

My question is: Is a redirect safe in this case, or do you have a better alternative?

Greetings,

Thank you for asking.

Well, I know a few websites using a plugin to change their default WordPress login URL as a protection measure, like the one below:

Depending on the situation, for example I am using a Firewall Rule to block access to wp-login from all countries except my own + having Google ReCaptcha on the login form (just in case).
You could only allow your own IP for example, and block everyone else from accessing it.
You could also enable Rate Limiting as a protection measure for your login area.

Otherwise, an even better approach would be to set up and use Cloudflare Access / Zero Trust:

In my opinion, I would rather block it than redirect :wink:

In terms of WordPress security, may I share my post here, as it contains some great and useful things (external resources, Cloudflare, examples of firewall rules, etc.):

Thanks for responding. Yes, that’s all what I’m doing now.

But the problem is that, if I use a firewall rule to block it, the user will see an error 1020 after they log out.

That’s why I’m using redirect instead of block now…

The redirect from the original login page to an Access-protected URL is perfectly safe. However, in my opinion, it is also unnecessary.

You can just set Access policies to protect both /wp-login.php and /wp-admin and only authenticated users will be let in. With the added advantage that it does not clutter your Firewall Logs with the many attempts at password-guessing that WordPress sites receive.

But if for some reason you need to keep your current setup, you’d need to find a server-side solution to prevent WordPress from redirecting logged out users back to the default login page. You can try a search on Forums | WordPress.org.


Maybe you should challenge everyone trying to access your wp-login page in that case.

If you challenge the “wp-login.php” path, even the logout request would be challenged too, but I wouldn’t mind it; if so, it would therefore be redirected to the needed URL (not blocked, no error shown).
