I look after a not-for-profit rowing club website in the UK. Recently the website keeps getting attacked from "certain countries": they keep trying to get to the WordPress xmlrpc and wp_login pages, as well as successfully submitting junk through contact forms which are already protected with reCAPTCHA and hCaptcha.
I did have a rule which sent all countries except the UK to the JS Challenge screen, but that stopped me from using the WordPress app on my phone and broke Jetpack.
Are there any rules I can apply to protect the site on the free tier (as the club cannot afford the Pro costs), or send all other countries to block or challenge but whitelist the WordPress app addresses, or do those change based on my phone's IP address?
I'd suggest blocking any request to the path xmlrpc.php via a Firewall Rule, or otherwise disabling it in WordPress (via a plugin, or in functions.php).
I'd suggest you either:
Create a Firewall Rule and make sure to present a JS Challenge for each request on the wp-login.php path
Add Google reCAPTCHA on the login form via a plugin
Limit the countries which can access the site, while others will be presented with Cloudflare's 1020 error page
The other way would be to configure and use Cloudflare Access for the WordPress admin dashboard:
There are plenty of options available; we just have to figure out the best possible combination of them to get the best end result for our case. Since it's related to WordPress, kindly take a look at the post below for good and working examples:
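As an added example of the "disable it in functions.php" option mentioned above (this is not code from the thread or from WordPress itself): a drop-in snippet for a theme's functions.php that uses only core WordPress hooks. It goes a step beyond the reply by offering a second mode that keeps XML-RPC alive for the mobile app and removes just the pingback methods, which are the ones usually abused for reflection and brute-force amplification. The constant RCWP_XMLRPC_MODE is a name made up for this example; the hook names (xmlrpc_enabled, xmlrpc_methods, wp_headers, xmlrpc_login_error, rsd_link) are real WordPress core hooks.

```php
<?php
/**
 * Added example (not from the original thread): XML-RPC hardening for a
 * WordPress theme's functions.php. Two modes, selected by the constant below.
 *
 *   'disable'       - turn XML-RPC off completely (the reply's suggestion).
 *                     xmlrpc.php still executes PHP to return the fault, so an
 *                     edge block in front of it is still worth having.
 *   'pingback-only' - keep XML-RPC working for the WordPress mobile app but
 *                     drop the pingback methods and stop advertising pingbacks.
 *
 * RCWP_XMLRPC_MODE is a hypothetical constant name chosen for this example.
 */
if ( ! defined( 'RCWP_XMLRPC_MODE' ) ) {
    define( 'RCWP_XMLRPC_MODE', 'pingback-only' );
}

if ( 'disable' === RCWP_XMLRPC_MODE ) {
    // Core consults this filter before authenticating any XML-RPC call and
    // answers every method with fault 405 "XML-RPC services are disabled on this site."
    add_filter( 'xmlrpc_enabled', '__return_false' );

    // Stop advertising the endpoint: the RSD <link> in <head> points at xmlrpc.php.
    remove_action( 'wp_head', 'rsd_link' );
}

if ( 'pingback-only' === RCWP_XMLRPC_MODE ) {
    // Remove only the pingback methods from the method table. Posting, media
    // upload and the other methods the mobile app relies on stay available.
    add_filter( 'xmlrpc_methods', function ( array $methods ) {
        unset( $methods['pingback.ping'] );
        unset( $methods['pingback.extensions.getPingbacks'] );
        return $methods;
    } );
}

// In both modes: drop the X-Pingback response header so scanners are not
// handed the endpoint location on every single-post page.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// In both modes: record failed XML-RPC logins. Core fires this action with the
// IXR_Error and the attempted username. Behind Cloudflare REMOTE_ADDR is the
// edge IP unless the real visitor IP has been restored, so treat it accordingly.
add_action( 'xmlrpc_login_error', function ( $error, $user ) {
    error_log( sprintf(
        'xmlrpc login failure for user "%s" from %s',
        $user,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
}, 10, 2 );
```

Switch the constant to 'disable' if the app is not needed; with 'pingback-only' the app's own XML-RPC calls (which authenticate as a normal user) keep working while anonymous pingback traffic gets a "method not found" fault.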
Many thanks for the fast response. I didn't want to disable xmlrpc because that means I cannot add posts on the go using the WordPress iPhone app, but I wondered if there was a set of IP addresses I could whitelist while blocking the others?