WAF rule to do a query string validation on WP-Admin and WP-Login

Hi. Im trying to add a URI query string to a WAF rule I have to limit access to my WP-Admin and WP-Login. My existing rules for blocking everything but my static IP is working fine, but Im wanting to add a query string so that those with the “secret URL path” can reach these two URLs (such as my Authors).

Im pretty green on this stuff however so I dont think I know what Im doing. Basically I just want some special secret code on the end of www.domain.com so that if you know it and browse to it rather than going directly to the wp-admin or wp-login URLs, it will load those pages for logging in.

Something like www.domain.com?this-is-where-my-secret-path-string-goes

Obviously Im doing something stupid but Im too stupid to know what I dont know. Im a publisher not a coder so this is not in my wheelhouse. Below is the rule I tried…everything works in the IP blocking phase but when I test to see if its allowing that query exception I still get blocked using the string.

Do you need Enterprise account to do this or? I want my wp-admin and wp-login to be accessible only by my static IP (which is working) or with the suffix string from anywhere.

That last check on query string is going to break your entire site because most requests won’t have that query string.

You’re better off just using the first rule for wp-login and your IP address.

If you want to do the query string thing, change the second rule to be OR if it’s wp-login AND query string DOES NOT CONTAIN super-secret-code. Then you can log in from anywhere if you know the secret query string.

I don’t even bother protecting wp-admin, because that’s pretty useless without a successful wp-login.


OKso using the methodology you suggested, would I then log in to the wp-login using the address:

www.domain.com?name=super-secret-code ??

or is it www.domain.com/?super-secet-code?

If this doesnt work, I may try the Zero Trust approach by creating an Access Group defined by email addresses then assigning them to the Self-Hosted Application block page for the wp-admin and wp-logins?? Would that also work?

No doubt the restrict by IP works like a charm but at the moment its just me logging in from my static home IP. I will eventually have a few other users needing to log into the wp-admin and they do not have static IPs. And worst case, Id also like the ability to log in from anywhere too. I just want a front door before the wp-admin and wp-login addresses.

I could install a 2FA plugin but most do not trigger until after the wp-login and wp-admin credential page loads and you enter your WP credentials. Id like those not needing to know to never see the WP footprint to begin with. The query string was one thought, but maybe the App and Access Group makes more sense.

Does App/Access Group logic override WAF rules or do WAF rules take precedent or are they not related?

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.