Zone Lockdown not working as expected

Hello

I have the wp-admin and wp-login.php both locked down to my IP address. This works just fine. No issue.

However, I have just made a discovery.

If I log into my hosting provider, who is using cPanel, LiteSpeed and the Softaculous installer, and I go to log in to my site from here, it totally bypasses the lockdown rule and my site can be accessed.

Is this expected behaviour?

Do you have a DNS record like A cpanel in the DNS tab of the Cloudflare dashboard for your domain name?

Furthermore, did you access it with cpanel.example.com or example.com/cpanel/ or even via port example.com:2083?

There is a way to present the “access denied” in all 3 cases.
However, you would have to create a Firewall rule to block those kinds of requests, for example if the request contains a host sub-domain like cpanel.example.com, or if the request contains a path like cpanel, or if the port is not in 80 443, including locking by your IP. It is a combination of OR, and you might have to use the “Expression editor” if you’d like to block ports other than 80 443, for example.

A better approach would be to remove the cpanel hostname and use your hosting provider's interface to access your website, like hostingdomain.com/cpanel/ or port or cpanel.hosting.com.

Nevertheless, there were some issues users experienced, like the CF WAF page and similar, while using a proxied cpanel hostname in the DNS tab of the CF dashboard for their domain name.

Regarding wp-admin, you could use Cloudflare Access for it, rather than locking it by your IP - which, I guess, changes on each router restart or every XY hours due to DHCP (otherwise you’re using a static one or a VPN connection over the same IP).
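The firewall rule described in the reply above, as an added example that is not part of the original thread: it builds the Block-rule expression and checks the same logic against constructed requests. The zone name, admin IP and sample requests are placeholders, and reading "including locking by your IP" as "block unless the source is your IP" is an assumption.

```python
# Added example: models the OR-combined firewall rule from the reply above.
# Zone, admin IP and sample requests are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address

ZONE = "example.com"          # placeholder zone name
ADMIN_IP = "203.0.113.10"     # placeholder static admin IP (TEST-NET-3)
ALLOWED_PORTS = (80, 443)


def build_expression(zone=ZONE, admin_ip=ADMIN_IP, ports=ALLOWED_PORTS):
    """Return a Cloudflare rule expression to pair with the Block action."""
    port_set = " ".join(str(p) for p in ports)
    panel = (
        f'http.host eq "cpanel.{zone}" '
        f'or http.request.uri.path contains "/cpanel" '
        f"or not cf.edge.server_port in {{{port_set}}}"
    )
    return f"({panel}) and ip.src ne {admin_ip}"


@dataclass
class Request:
    host: str
    path: str
    port: int
    src: str


def is_blocked(req, zone=ZONE, admin_ip=ADMIN_IP, ports=ALLOWED_PORTS):
    """Local model of the rule: any panel-style match from a non-admin IP."""
    panel = (
        req.host == f"cpanel.{zone}"
        or "/cpanel" in req.path
        or req.port not in ports
    )
    return panel and ip_address(req.src) != ip_address(admin_ip)


SAMPLES = [  # constructed requests covering the three cases plus two controls
    Request("cpanel.example.com", "/", 443, "198.51.100.7"),   # panel hostname
    Request("example.com", "/cpanel/", 443, "198.51.100.7"),   # panel path
    Request("example.com", "/", 2083, "198.51.100.7"),         # panel port
    Request("example.com", "/blog/", 443, "198.51.100.7"),     # normal visitor
    Request("example.com", "/cpanel/", 443, "203.0.113.10"),   # admin IP
]

if __name__ == "__main__":
    print(build_expression())
    for r in SAMPLES:
        print("BLOCK" if is_blocked(r) else "allow", r)
```

The rule only sees requests that pass through Cloudflare for a proxied hostname, so it has no effect on logins made through the hosting provider's own hostname.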