What's the correct way of protecting WordPress login

user17647 · January 7, 2022, 2:28pm

I don’t know why all the result from Google are referring to this expression:

(http.request.uri.path contains "wp-login.php") or
(http.request.uri.path contains "wp-admin/" and not 
 http.request.uri.path contains "wp-admin/admin-ajax.php" and not
 http.request.uri.path contains " wp-admin/theme-editor.php")

This is not working because WordPress will redirect to domain.com/wp-admin after login and which has been blocked by CloudFlare. But if I don’t block wp-admin, it allow hackers to visit the login page.

What’s the correct way of doing this?

domjh · January 7, 2022, 2:29pm

Hi @user17647,

Personally, I would use Cloudflare Access on the login/admin page.

jnperamo · January 7, 2022, 2:30pm

The optimal way would be implementing zero trust.
https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/

MrCloud · January 9, 2022, 9:19am

I’d do only where the password gets posted to which might be wp-login.php

system · January 12, 2022, 9:20am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.