Wordpress WAF question wp-login.php getting hammered

A client phoned me this morning to tell me their site was down, I checked on the server and it was a load issue because a single IP address was hitting /wp-login.php multiple times per second. I’m on the Cloudflare Pro plan and have WAF turned on with the Cloudflare Wordpress rule set enabled. Under the page rules section I also have a rule that matches *example.com/wp-login* which sets the security level to high and turns on browser integrity check. However neither of these blocked it.

Am I doing something wrong? do I need to enable extra rules inside the Cloudflare Wordpress ruleset (for example 100000 Wordpress - DoS - Numbers Botnet? does anyone know where I can get details on what these rules do other than by contacting support?

I know you can do rate limiting but I believe that cost extra and this seems more like it should fall under the WAF rules, I could install fail2ban on the server but it would be nice if Cloudflare were to block this before it gets there.


You can create a Firewall Rule specific for that path with a Captcha:

If URI_Path equals /wp-login.php

Alternatively, you could block that IP address with the same tool. (Dashboard > Firewall > Firewall Rules)

Rate limiting might be useful here.
Alternatively, you can create a Firewall Rule matching that url (/wp-login.php) with action JS Challenge.

Thanks both for your comments, I have blocked the specific IP but this site gets attacked often so I want an automated solution. Rate limiting is one potential but it costs extra and I want something more intelligent that just challenging anyone who goes to the wp-login page, there are a large number of legitimate users and making multiple requests to the wp-login per second over a sustained period from a single IP seems like something that should fall under DoS protection in the WAF somehow?

I use a plugin for wordpress that rewrites wp-login.php to another string, i.e. ‘/login’ or ‘/access’. That way most of the automated rubbish out there doesnt hit the actual login page. Then, for fun, I have a page rule that redirects ‘/wp-login.php’ to www.google.com.

Also, rate limiting - throttle the number of attempts - will help tremendously. Finally, a firewall rule as mentioned with JS Challenge will help without needing the users to do a captcha each time.

And also, this site is orange clouded right?

Yes it is orange clouded, thanks all for your feedback but I think the short answer to my question is no. These all seem like work arounds for something that should be covered under a simple DoS protection in WAF, will contact support and ask for a description of what the various DoS rules do in WAF.

You can use Cloudflare Access to protect your endpoint with zero trust security.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.