WAF : Catching WP Logon Attempts


I had setup Cloudflare as a WAF and we have proxied our webservers address to CF.

With all the security turned on we had expected cloudflare to stop login attempts.

We even added some firewall rules to stop “wp-admin” and so on in the URI and still no joy.

iThemes on the WP web server still produces “Site Lockout Notifications”. for user tried to login as “admin.” Now from Cloudflare servers.

Has anyone else had this experience?

Cloudflare doesn’t do much to stop bots from poking around sites. It’s extremely difficult to tell the difference between a well-crafted bot and a clumsy human.

What firewall rule did you add? I use “Access” to lock down my logins. It will bypass the lock if it’s my home IP address, but will let someone in if they have the right email address to send the code to.

I’ve also used Firewall Rules to block wp-login for anybody out of the country.

This topic was automatically closed after 30 days. New replies are no longer allowed.