I have the wp-admin and wp-login.php both locked down to my IP address. This works just fine. No issue.
However, I have just made a discovery.
If I log into my hosting provider who is using cPanel litespeed and the softaculous installer and I go to login to my site from here. It totally bypasses the lockdown rule and my site can be accessed.
Is this expected behaviour?
Do you have a DNS record like
A cpanel at the DNS tab of Cloudflare dashboard for your domain name?
Furthermore, did you accessed with
example.com/cpanel/ or even via port
There is a way to present the “access denied” to all 3 cases.
However, you whould have to create a Firewall rule to block those kind of type of requests, for example if the request contains host sub-domain like
cpanel.example.com, or if request contains path like
cpanel, also or if port not in
80 443, including locking by your IP. A combination of OR and you might have to use “Expression editor” if you’d like to block ports other than 80 443 for example.
A better approach would be, remove cpanel hostname and use your hosting provider interface to access your website, like
hostingdomain.com/cpanel/ or port or
Nevertheless, there were some issues users experienced like CF WAF page and similar while using a proxied
cpanel hostname in the DNS tab of CF dashboard for their domain name.
Regarding wp-admin, you could use Cloudflare Access for it, rather than locking it by your IP - which I guess, changes on each router restart or every XY hours due to the DHCP (otherwise you’re using a static one or a VPN connection over the same IP).