Zonelock down not working as expected


I have the wp-admin and wp-login.php both locked down to my IP address. This works just fine. No issue.

However, I have just made a discovery.

If I log into my hosting provider who is using cPanel litespeed and the softaculous installer and I go to login to my site from here. It totally bypasses the lockdown rule and my site can be accessed.

Is this expected behaviour?

Do you have a DNS record like A cpanel at the DNS tab of Cloudflare dashboard for your domain name?

Furthermore, did you accessed with or or even via port

There is a way to present the “access denied” to all 3 cases.
However, you whould have to create a Firewall rule to block those kind of type of requests, for example if the request contains host sub-domain like, or if request contains path like cpanel, also or if port not in 80 443, including locking by your IP. A combination of OR and you might have to use “Expression editor” if you’d like to block ports other than 80 443 for example.

A better approach would be, remove cpanel hostname and use your hosting provider interface to access your website, like or port or

Nevertheless, there were some issues users experienced like CF WAF page and similar while using a proxied :orange: cpanel hostname in the DNS tab of CF dashboard for their domain name.

Regarding wp-admin, you could use Cloudflare Access for it, rather than locking it by your IP - which I guess, changes on each router restart or every XY hours due to the DHCP (otherwise you’re using a static one or a VPN connection over the same IP).

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.