I’m using a page rule to redirect my WordPress login page to another page, instead of using a firewall rule to block it.
The reason is: I’m using Cloudflare Access, and the users log in from another page instead of /wp-login.php. After they log out, it will redirect them to the Cloudflare Access login page and the URL exposes the default WordPress login page (I’m using a plugin to change the login slug).
My question is: Is a redirect safe in this case, or do you have a better alternative?
Well, I know a few websites using a plugin to change their default WordPress login URL as a protection measure, like the one below:
Depending on the situation, for example I am using a Firewall Rule to block access to wp-login from all countries except my own + having Google ReCaptcha on the login form (just in case).
You could only allow your own IP for example, and block everyone else from accessing it.
You could also enable Rate Limiting as a protection measure for your login area.
Otherwise, an even better approach would be to set up and use Cloudflare Access / Zero Trust:
The redirect from the original login page to an Access-protected URL is perfectly safe. However, in my opinion, it is also unnecessary.
You can just set Access policies to protect both /wp-login.php and /wp-admin and only authenticated users will be let in. With the added advantage that it does not clutter your Firewall Logs with the many attempts at password-guessing that WordPress sites receive.
But if for some reason you need to keep your current setup, you’d need to find a server-side solution to prevent WordPress from redirecting logged out users back to the default login page. You can try a search on Forums | WordPress.org.
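
One server-side way to do what the last reply describes, added here as an example and not code from anyone in this thread: a small must-use plugin that hooks WordPress's `logout_redirect` filter so a logout no longer lands on `wp-login.php?loggedout=true`. The file name and the choice of the front page as the landing page are assumptions.

```php
<?php
/**
 * Plugin Name: Logout lands on front page (added example)
 * Assumed location: wp-content/mu-plugins/logout-landing.php
 */

// WordPress core applies 'logout_redirect' in wp-login.php right before it
// calls wp_safe_redirect(), so the value returned here is still checked
// against the allowed redirect hosts.
add_filter(
    'logout_redirect',
    function ( $redirect_to, $requested_redirect_to, $user ) {
        // Honour an explicit redirect_to from the logout link, unless it
        // points back at the default login script.
        if ( '' !== $requested_redirect_to
            && false === strpos( $requested_redirect_to, 'wp-login.php' ) ) {
            return $requested_redirect_to;
        }

        // Default case: core would send the user to
        // wp-login.php?loggedout=true. Send them to the front page instead
        // (assumption: the front page is an acceptable landing page).
        return home_url( '/' );
    },
    10,
    3
);
```

With this in place the page rule on /wp-login.php is only hit by direct requests to that path, not by ordinary logouts.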