Whitelisting Cloudflare IPs in htaccess blocked my WordPress login (403 Forbidden error)

Hi, everybody!

I’m using Cloudflare nameservers and I’m trying to whitelist Cloudflare IPs through the htaccess file as advised in the CF documentation, but it results in a 403 Forbidden error for my WordPress login.

Here are the directives I used in the htaccess file:

# Apache 2.2: Whitelist Cloudflare IPs
<IfModule !authz_core_module>
Order Allow,Deny
Allow from 173.245.48.0/20
Allow from 103.21.244.0/22
Allow from 103.22.200.0/22
Allow from 103.31.4.0/22
Allow from 141.101.64.0/18
Allow from 108.162.192.0/18
Allow from 190.93.240.0/20
Allow from 188.114.96.0/20
Allow from 197.234.240.0/22
Allow from 198.41.128.0/17
Allow from 162.158.0.0/15
Allow from 104.16.0.0/12
Allow from 172.64.0.0/13
Allow from 131.0.72.0/22
</IfModule>
# Apache 2.4+: Whitelist Cloudflare IPs
<IfModule authz_core_module>
<RequireAll>
Require ip 173.245.48.0/20
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 141.101.64.0/18
Require ip 108.162.192.0/18
Require ip 190.93.240.0/20
Require ip 188.114.96.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 162.158.0.0/15
Require ip 104.16.0.0/12
Require ip 172.64.0.0/13
Require ip 131.0.72.0/22
</RequireAll>
</IfModule>

This blocked me from logging in to WordPress, so I tried adding this along with the above directives:

<Files wp-login.php>
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all
</IfModule>
</Files>

But this didn’t work!

Any advice please?

Thank you very much.

That is rather a question for StackExchange and the like than for here, I am afraid.

However, I’d generally advise against that approach and rather use the system’s network firewall, as otherwise you won’t be able to rewrite the IP addresses and only Cloudflare addresses will show up in your log files. You could manually extend the logging to include the header in question, but any dynamic code (e.g. PHP) would still get the Cloudflare addresses instead.

Thanks, Sandro, for your quick reply.

Sorry, do you mean that I would need to create a firewall rule in Cloudflare Firewall section?

As for StackExchange, I will try it later if I can’t resolve the issue here.

I would recommend you try it straight away there, as the question really is not Cloudflare specific but only related to Apache.

I was referring to the firewall of your server; for the aforementioned reasons you had better block the connections there than in Apache’s configuration.

OK, Sandro. Thank you very much.

I’ll go to StackExchange; it’s just that I think the Cloudflare documentation about whitelisting CF IP addresses isn’t that detailed and explicit!

Anyway, thank you for your advice and explanation.
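Added example, not part of the original thread or of Cloudflare's documentation: a simplified Python model of how Apache 2.4 evaluates the posted `Require ip` lines. Inside `<RequireAll>` every enclosed `Require` must succeed, whereas `<RequireAny>` needs only one. The function names and the two sample addresses are constructed for illustration.

```python
import ipaddress

# Cloudflare IPv4 ranges exactly as listed in the post's .htaccess.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in """
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12
172.64.0.0/13 131.0.72.0/22
""".split()]


def require_ip(addr, network):
    """One `Require ip` line: succeeds only if addr is inside the range."""
    return ipaddress.ip_address(addr) in network


def require_all(addr, networks=CLOUDFLARE_RANGES):
    """Model of <RequireAll>: every enclosed Require must succeed."""
    return all(require_ip(addr, n) for n in networks)


def require_any(addr, networks=CLOUDFLARE_RANGES):
    """Model of <RequireAny>: one succeeding Require is enough."""
    return any(require_ip(addr, n) for n in networks)


def ranges_overlap(networks=CLOUDFLARE_RANGES):
    """True if any two ranges share an address.

    RequireAll over these lines could only ever pass for an address that
    lies in all ranges at once, which needs overlapping ranges.
    """
    return any(a.overlaps(b)
               for i, a in enumerate(networks) for b in networks[i + 1:])


# Constructed sample peers: one inside a listed range, one documentation address.
SAMPLES = {"cloudflare-edge": "173.245.48.10", "direct-client": "203.0.113.10"}

if __name__ == "__main__":
    print("ranges overlap:", ranges_overlap())
    for label, addr in SAMPLES.items():
        print(f"{label:16} {addr:15} "
              f"RequireAll={require_all(addr)} RequireAny={require_any(addr)}")
```

In the configuration itself, the `RequireAny` behaviour corresponds to wrapping the same lines in `<RequireAny>` or listing all ranges on a single `Require ip` line.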
