I currently have my WP-Admin and WP-Login WAF’d by an IP-only rule for my static home computer, which is great b/c I’m the only access point. However, I have other employees from time to time that need access to the WP back end and are on static IPs/travel a lot. They need access. I tried to set up a Zero Trust application and group, but in testing I’m having trouble getting it to work. It’s not displaying the challenge poster for the one-time code. In other words, it’s as if nothing is happening and I browse to the URLs with no trouble.
In testing I have turned off my WAF rule that blocks everyone except me so the world can access the WP-Admin and WP-Login.
In Zero Trust I:
Created an Access Group named “WP-Admin” with email addresses to constitute the users I will grant one-time access to
Created a Self-Hosted Application named “WordPress WP-Admin”, Allow, 1-Week Duration, domain: domain.com, path: /wp-admin
Application Appearance Enabled App in App Launcher OFF, Use default domain, added custom logo URL
Blocked Pages: Cloudflare default for identity and non-identity
Still messing around with this and can’t get it to work. The Zero Trust email one-time-pin poster never shows on WP-Admin. Hmmmmm, any ideas? Do I have a setting wrong somewhere?
I’m at my wit’s end with this. I have done absolutely everything the instructions say to do, have configured things 5-6 times, and the Cloudflare Access just refuses to run and display on the wp-admin page I am trying to protect. I only wish I was having email issues like others because at least they are getting the Access to show up to begin with.
I can’t believe I’m the only one unable to get this application to work – at all. It’s as if nothing I do has any effect on anything. I’ve watched a half dozen “how-to” videos. I’m out of ideas. I’ve been around computers, servers, and IT for 30 years so I’m not a blind novice at technical stuff. Help.
I notice that my web site’s IP address is 170.x.x.x in Cloudflare DNS settings which is indeed my shared IP address from my hosting platform, but when I ping my domain, I get 104.x.x.x.
Not sure where the 104.x.x.x is coming from. One person told me this is Cloudflare doing its thing. Is this a potential reason for my troubles getting ZeroTrust to work properly?
Just an idea. I believe /wp-admin redirects you to /wp-login.php. If this redirect is cached by your browser, it would obviously not work, as the /wp-admin path would be bypassed entirely.
Could you check if this is the case on your site, and maybe try from a private browser window?
If that doesn’t work, can you maybe create a very simple application for a path that you don’t use (i.e. /whatever*)? No groups, no temp auth, nothing, just a simple allow everyone policy.
If that works, add the features you want to use one by one.
I believe I have tried that wp-admin* syntax too with no luck, as well as attempting to block a random static page. Let me try a simpler application rule set on a generic page and see what happens. Not optimistic but I’ll report back. Thanks for help.
I still can’t get this to work. Not even on a sample test page URL. Am I just stupid or is there some major setting – perhaps server or host side – I’m not accounting for?
I have tried using email address groups on the policy page (currently unchecked), a simple @domain.com rule, etc etc. I’m absolutely empty of ideas at this point. When I say it’s not working, it’s NEVER even remotely worked. I have never once seen a Zero Trust policy access page appear on any page of my site when testing.
I am also testing on a generic 5G IP address and not my static IP address I normally connect with that has some WAF rules in place to access wp-admin. This Cloudflare test page is just a generic page and so it should be working for everybody that hits it, but at least I’m using 5G on my phone to test with to ensure it’s truly a generic connection and not some other Cloudflare rule set up elsewhere that’s preventing it from working.
I gotta get this working. The lack of functionality is killing me. I can’t believe I am the only person in the world that seems to be having zero results with zero trust. I’ve been in IT and computing for nearly 30yrs so I’m not a complete ignoramus.
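
A diagnostic for the checks discussed in this thread, added here as an example (it is not from any poster and is not Cloudflare tooling): it classifies the response headers for a protected path as answered by Access, redirected by WordPress, or not proxied through Cloudflare at all. The function name, verdict strings and sample responses are constructed for illustration; `domain.com` is the placeholder used in the thread and `example-team` is an assumed team name.

```shell
#!/usr/bin/env bash
# Classify the response headers returned for a path that an Access application
# is supposed to cover. Feed it real headers with:
#   curl -sI https://domain.com/wp-admin/ | classify_headers
classify_headers() {
  local hdrs status location
  hdrs=$(tr -d '\r')                     # curl output uses CRLF line endings
  status=$(printf '%s\n' "$hdrs" | awk 'NR==1 {print $2}')
  location=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2; exit}')
  # No cf-ray header: the response did not come through Cloudflare's proxy,
  # so no Access policy could have been evaluated for it.
  if ! printf '%s\n' "$hdrs" | grep -qi '^cf-ray:'; then
    echo "not-proxied"; return
  fi
  case "$status:$location" in
    30[1278]:https://*.cloudflareaccess.com/*) echo "access-enforced" ;;
    30[1278]:*wp-login.php*)                   echo "origin-redirect" ;;
    *)                                         echo "no-access-challenge" ;;
  esac
}

# Constructed sample responses (team name, ray IDs and server banner are placeholders).
SAMPLE_ACCESS='HTTP/2 302
location: https://example-team.cloudflareaccess.com/cdn-cgi/access/login/domain.com?kid=CONSTRUCTED
server: cloudflare
cf-ray: 0000000000000000-XXX'

SAMPLE_WP_REDIRECT='HTTP/2 302
location: https://domain.com/wp-login.php?redirect_to=https%3A%2F%2Fdomain.com%2Fwp-admin%2F&reauth=1
server: cloudflare
cf-ray: 0000000000000001-XXX'

SAMPLE_DIRECT='HTTP/1.1 200 OK
server: ExampleOriginServer
content-type: text/html'

for s in "$SAMPLE_ACCESS" "$SAMPLE_WP_REDIRECT" "$SAMPLE_DIRECT"; do
  printf '%s\n' "$s" | classify_headers
done
```

`origin-redirect` means the request passed through Cloudflare unchallenged and WordPress itself sent it to `/wp-login.php`, a path that an application scoped to `/wp-admin` does not cover. Running `curl` instead of a browser also rules out a cached redirect.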