What happens to IPs that are allowed to pass the Lockdown Zone?

Hi, I have a Wordpress site and I wish to block any URLs that contain wp-admin, but WP needs that /wp-admin/admin-ajax.php will be accessible to the site’s visitors.

I don’t wish to use the “CF Access” feature as I don’t wish to have a CF login page for the admin areas.

So, I think of using the “Lockdown Zone” feature this way:
1st/top rule - Allow all IPs access to /wp-admin/admin-ajax.php
2nd rule - Allow only my IP to access wp-admin and all other IPs will be blocked

I guess this should do the work, but what is still unknown to me, since I didn’t find any mention of it in the CF help, is which of the CF checks/defences will still be applied to any IP that is allowed to pass the Lockdown Zone, as I need to know that I don’t give everyone a “free ticket” to attack /wp-admin/admin-ajax.php

Anyone can tell me? or suggest a better idea to achieve this goal?


I am not really sure, but from what I know setting all IPs as whitelisted will do just what you are thinking, will them do whatever they want. I would really consider doing the Access thing setting a bypass for the paths you don’t want protected and/or a bypass for your IP for the other paths. It would allow you to access the admin page remotely via login, at home/office directly and block everyone else.

1 Like

Well, Alexander from CF support nailed it with the following answer:
Instead of using zone lockdown, I would recommend using Cloudflare Firewall Rules:
(http.request.uri ne “/wp-admin/admin-ajax.php” and http.request.uri.path eq “/wp-admin” and ip.src ne YOUR_API_ADDRESS) → BLOCK

I used “not contain” and “contain” instead to catch more input options.


Yeah, that is a great answer! I never think of Firewall Rules for some reason… They are the best!

This topic was automatically closed after 30 days. New replies are no longer allowed.