What's the correct way of protecting WordPress login

I don’t know why all the results from Google refer to this expression:

(http.request.uri.path contains "wp-login.php") or
(http.request.uri.path contains "wp-admin/" and not 
 http.request.uri.path contains "wp-admin/admin-ajax.php" and not
 http.request.uri.path contains "wp-admin/theme-editor.php")

This is not working because WordPress will redirect to domain.com/wp-admin after login, which has been blocked by Cloudflare. But if I don’t block wp-admin, it allows hackers to visit the login page.

What’s the correct way of doing this?

Hi @user17647,

Personally, I would use Cloudflare Access on the login/admin page.

3 Likes

The optimal way would be implementing zero trust.
https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/

5 Likes

I’d do it only where the password gets posted to, which might be wp-login.php

1 Like
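
An added example, not written by any poster in this thread: a small Python model of which requests the expression in the question matches, next to a hypothetical narrower rule scoped to the credential POST, as the last reply suggests. It assumes `contains` behaves as a case-sensitive substring test; the function names and sample requests are constructed for illustration.

```python
# Added example: models the rule-matching logic only, not Cloudflare itself.
# `contains` is modeled as a case-sensitive substring test, `eq` as equality.

def broad_rule(method, path):
    """The expression from the question (theme-editor exclusion written
    without a leading space). The HTTP method is ignored, as in the original."""
    return ("wp-login.php" in path) or (
        "wp-admin/" in path
        and "wp-admin/admin-ajax.php" not in path
        and "wp-admin/theme-editor.php" not in path
    )

def post_only_rule(method, path):
    """Hypothetical narrower rule: match only the credential submission,
    i.e. http.request.method eq "POST" and the path eq "/wp-login.php"."""
    return method == "POST" and path == "/wp-login.php"

# Constructed sample requests: (method, path)
SAMPLES = [
    ("GET", "/wp-login.php"),              # login form is displayed
    ("POST", "/wp-login.php"),             # password is submitted
    ("GET", "/wp-admin/"),                 # dashboard, reached after login
    ("POST", "/wp-admin/admin-ajax.php"),  # AJAX endpoint used by the front end
    ("GET", "/blog/hello-world/"),         # ordinary public page
]

def compare(samples=SAMPLES):
    """Return (method, path, broad_match, narrow_match) for each sample."""
    return [(m, p, broad_rule(m, p), post_only_rule(m, p)) for m, p in samples]

if __name__ == "__main__":
    print(f"{'request':40} {'broad':6} {'post-only'}")
    for method, path, broad, narrow in compare():
        print(f"{method + ' ' + path:40} {str(broad):6} {narrow}")
```

The broad rule matches `GET /wp-admin/`, so a block action on it also stops a user who has just logged in. The narrower rule gates only the password submission and leaves the login form itself reachable.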
