What's the correct way of protecting WordPress login

I don’t know why all the results from Google refer to this expression:

(http.request.uri.path contains "wp-login.php") or
(http.request.uri.path contains "wp-admin/" and not
 http.request.uri.path contains "wp-admin/admin-ajax.php" and not
 http.request.uri.path contains "wp-admin/theme-editor.php")

This is not working because WordPress will redirect to domain.com/wp-admin after login, which has been blocked by Cloudflare. But if I don’t block wp-admin, it allows hackers to visit the login page.

What’s the correct way of doing this?

Hi @user17647,

Personally, I would use Cloudflare Access on the login/admin page.


The optimal way would be implementing zero trust.


I’d do it only where the password gets posted to, which might be wp-login.php
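
An added example, not part of the thread: a small Python model of which requests the quoted expression matches during a normal login, next to a narrowed rule that only matches the credential POST, as the last reply suggests. The narrowed form (in Cloudflare terms `http.request.method eq "POST" and http.request.uri.path eq "/wp-login.php"`) and the sample requests are assumptions constructed for illustration.

```python
# Added example: a Python model of the two expressions, not Cloudflare's engine.
# `contains` is modelled as a case-sensitive substring test on the URI path.


def original_rule(method, path):
    """The expression quoted in the question; it does not look at the method."""
    return ("wp-login.php" in path) or (
        "wp-admin/" in path
        and "wp-admin/admin-ajax.php" not in path
        and "wp-admin/theme-editor.php" not in path
    )


def narrowed_rule(method, path):
    """Assumed narrowing: only the password POST to /wp-login.php."""
    return method == "POST" and path == "/wp-login.php"


# Constructed sample requests (method, path), in the order of a normal login.
SAMPLE_REQUESTS = [
    ("GET", "/wp-login.php"),              # login form is displayed
    ("POST", "/wp-login.php"),             # credentials are submitted
    ("GET", "/wp-admin/"),                 # redirect target after login
    ("POST", "/wp-admin/admin-ajax.php"),  # AJAX used by themes and plugins
    ("GET", "/wp-admin/theme-editor.php"),
    ("GET", "/blog/hello-world/"),         # ordinary front-end page
]


def matches(rule, requests=SAMPLE_REQUESTS):
    """Return the requests the given rule would act on."""
    return [(m, p) for m, p in requests if rule(m, p)]


if __name__ == "__main__":
    for m, p in SAMPLE_REQUESTS:
        print(f"{m:4} {p:28} original={original_rule(m, p)!s:5} "
              f"narrowed={narrowed_rule(m, p)}")
```

The model shows the quoted expression matching `GET /wp-admin/`, the page WordPress sends the user to after a successful login, while the narrowed rule leaves that request alone.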
