Wordpress wp-login.php block rule not working

I did some searching on here to find the solution but didnt come up with what I needed or anything that worked.

My WP web site is solely administered by me with no users other than myself so I am the only one logging and needing access to wp-admin or wp-login.php. I found an online rule tutorial to set things up to only allow my source IP address (which is static) to access these URLs, but its only working about 50%.

The wp-admin rule in this set is working fine. If I try to connect to wp-admin via my DHCP cell phone (as my test guinea pig), I get the Cloudflare denial page as I should. However if I go to the domain.com/wp-login.php page in this rule, the page loads fine every time even though I should only be allowing access from my source IP.

So not sure why this works fine in the top half of the rule but not the bottom half. Any ideas? The only WAF I have above this rule is a country code blocker.

Any help greatly appreciated. Thanks!

Your WAF rules should work as desired: I’ve just created the same rules, and all requests to both /wp-admin/ and /wp-login.php (except from my IP and for the admin-ajax URI) are blocked.

Looking at your “Expression Preview”, it seems you have a space in front of the /wp-login.php value – which may be why that rule isn’t triggering. Please check and remove the space if there is one.

1 Like

Welp its official. I am a complete moron. That was it. I must have copy/pasted it incorrectly rather than type it out, but I swore I even typed it out by hand. Crisis averted! New to Cloudflare and still getting my feet wet so not the first time I have slipped on a banana peel – won’t be the last.

Thanks for your prompt help!

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.