Wordpress protection

I look after a not for profit rowing club website in the UK, recently the website keeps getting attacked from “certain countries” they keep trying to get to the Wordpress xmlrpc and wp_login pages as well as submitting junk successfully through contact forms which are already protected with reCaptcha and hCapture.

I did have a rule which sent all countries except the UK to the JSChallenge screen but that stopped me from using the Wordpress app on my phone and broke jet pack.

Are there any rules I can apply to protect the site on the free tier (as the club cannot afford the pro costs) or send all other countries to block or challenge but whitelist the Wordpress app addresses or does it change based on my phones IP address?

Cloudflare is set as the name server

Many thanks.

I’d suggest you to block any request to the path xmlrpc.php via Firewall Rule, otherwise disable it in WordPress (or via plugin, or in functions.php).

I’d suggest you to either:

  1. Create a Firewall Rule and make sure to present JS Challenge for each request on the wp-login.php path
  2. Add Google reCaptcha on the login form via plugin
  3. Limit countries which can access, while other’s will be presented with the Cloudflare’s 1020 error page

The other way would be to configure and use Cloudflare Access for WordPress admin dashboard:

There are plenty of options available, we just have to figure out the best possible combination of them to get the best end-result for our case. Since it’s related to the WordPress, kindly take a look at the post from below for good and working examples:

1 Like

Many thanks for the fast response, I didn’t want to disable the xmlrpc because that means I cannot add posts on the go using the Wordpress iPhone app, but I wondered if there was a set of ip addresses I could whitelist and block the others?


That has to be through firewall. @fritex has already posted the article in the thread how to achieve it using ip range. You may check this post for example & answer by the #ExpertReply :

For more, :search: in the forum for the answers.

1 Like

Many thanks for the advice, with this an a bit of research, I’ve managed to configure 3 rules which seem to be working well, in Security > WAF

Sharing in case it helps others.

  1. Block Attacking Countries
    (ip.geoip.country in {“CN” “JP” “RU”}) then BLOCK

  2. Block non Jetpack
    (ip.geoip.asnum ne 2635) and (http.request.uri contains “wp-login” or http.request.uri contains “xmlrpc”) then BLOCK

  3. Challenge non UK
    (ip.geoip.asnum ne 2635 and not ip.geoip.country in {“GB” “IE”} and not cf.client.bot) then MANAGED CHALLENGE

I can see the bad requests now being blocked and the Wordpress App on my phone is still working.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.