Why Secure Your WordPress Admin with Cloudflare?
Cloudflare adds a powerful security layer between your website and the internet. It helps stop attacks before they reach your hosting server — making it an excellent way to protect /wp-admin and /wp-login.php.
1. Use Cloudflare Firewall Rules
Go to Cloudflare Dashboard → Security → WAF → Firewall Rules and create a new rule:
(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin")
Action: Challenge (Captcha) or Allow only specific IPs.
2. Restrict Access by IP
If you know your static IP, restrict admin access to only that IP. Example expression:
((http.request.uri.path contains "/wp-admin") or (http.request.uri.path contains "/wp-login.php")) and not ip.src in {123.45.67.89}
Set the action to Block. The outer parentheses matter: in Cloudflare's rule language "and" binds more tightly than "or", so without them the rule would match every /wp-admin request regardless of source IP. With the grouping in place, only requests from your IP reach the login and admin pages; everyone else is blocked.
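To see why the grouping matters, here is a constructed mini-evaluator (added here; it is not Cloudflare's engine or code from the original post) that reproduces Cloudflare's documented precedence, where "and" binds tighter than "or", and runs both the ungrouped and the grouped version of the expression above. It assumes only the `contains` and `in` operators, with plain IPs rather than CIDR ranges, and the sample request paths and addresses are made up.

```python
import re

# Constructed mini-evaluator for the subset of Cloudflare's rules language used on this page.
# It is not Cloudflare's engine; it reproduces only the documented precedence (not > and > or)
# and supports 'contains' on the path and 'in' on ip.src with plain IPs (no CIDR ranges).
TOKEN = re.compile(r'\(|\)|\{[^}]*\}|"[^"]*"|\S+')

def evaluate(expr, req):
    """Evaluate a rule expression against a request dict of field -> value."""
    toks, pos = TOKEN.findall(expr), 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def peek():
        return toks[pos] if pos < len(toks) else None
    def atom():  # field operator value
        field, op, value = take(), take(), take()
        if op == "contains":
            return value.strip('"') in req[field]
        if op == "in":
            return req[field] in value.strip("{}").split()
        raise ValueError(f"unsupported operator {op!r}")
    def not_expr():
        if peek() == "(":
            take(); val = or_expr(); take(); return val
        if peek() == "not":
            take(); return not not_expr()
        return atom()
    def and_expr():  # 'and' binds tighter than 'or', so it is parsed first
        val = not_expr()
        while peek() == "and":
            take(); rhs = not_expr(); val = val and rhs  # always parse rhs, no short-circuit
        return val
    def or_expr():
        val = and_expr()
        while peek() == "or":
            take(); rhs = and_expr(); val = val or rhs
        return val
    return or_expr()

# The step 2 expression without grouping, and with explicit grouping.
AS_WRITTEN = ('(http.request.uri.path contains "/wp-admin") or '
              '(http.request.uri.path contains "/wp-login.php") and not ip.src in {123.45.67.89}')
FIXED = ('((http.request.uri.path contains "/wp-admin") or '
         '(http.request.uri.path contains "/wp-login.php")) and not ip.src in {123.45.67.89}')

# True when a rule with this expression and action Block would stop the request.
def blocks(expr, path, ip):
    return evaluate(expr, {"http.request.uri.path": path, "ip.src": ip})
```

With the ungrouped expression, `blocks(AS_WRITTEN, "/wp-admin/", "123.45.67.89")` is True, so the admin locks themself out, while the grouped version lets that IP through and blocks everyone else. Note that the grouped expression also matches /wp-admin/admin-ajax.php, which some front-end plugins call for anonymous visitors, so add an exclusion for it if your site relies on that.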
3. Enable Cloudflare Access (Zero Trust)
Use Cloudflare Zero Trust Access to require identity-based authentication before accessing WordPress admin pages:
- Go to Zero Trust Dashboard → Access → Applications → Add an Application.
- Choose Self-Hosted and protect example.com/wp-admin/* and example.com/wp-login.php.
- Require login with Google, GitHub, or One-Time PIN.
This adds enterprise-grade security for free or low cost.
4. Use Rate Limiting
In Security → WAF → Rate Limiting Rules, limit login attempts to prevent brute-force attacks:
- If URI Path contains: /wp-login.php
- Action: Block or Challenge
- Threshold: 5 requests per minute per IP
5. Turn On Bot Protection
Enable Bot Fight Mode (Free plan) or Bot Management (Pro/Business plans) under Security → Bots. This stops malicious bots from accessing your admin area.
6. Use Full (Strict) SSL
In SSL/TLS → Overview, ensure settings are:
- SSL Mode: Full (Strict)
- Always Use HTTPS: ON
- Automatic HTTPS Rewrites: ON
This ensures traffic between Cloudflare and your origin server is encrypted, and with Full (Strict) the origin's certificate is also validated.
7. Bypass Caching for wp-admin
Create a Page Rule or Cache Rule to exclude admin pages from caching:
*example.com/wp-admin/* → Cache Level: Bypass
8. Under Attack Mode (Optional)
If your site is under attack, turn on Under Attack Mode in Cloudflare. It adds a JavaScript challenge to all requests, blocking malicious floods instantly.
✅ Summary: Cloudflare WordPress Admin Security Checklist
| Layer | Method | Benefit |
|---|---|---|
| Firewall Rule | Challenge /wp-login.php | Stops bots |
| IP Restriction | Allow only your IP | Prevents unauthorized access |
| Zero Trust Access | Identity verification | Enterprise-grade protection |
| Rate Limiting | Limit brute-force attempts | Prevents password guessing |
| SSL Full (Strict) | Encrypt all traffic | Secure data transfer |
| Bot Management | Block bad bots | Reduce spam traffic |
| Bypass Cache | For admin pages | Prevent conflicts |
By combining Cloudflare’s firewall, Zero Trust access, and SSL settings, you can make your WordPress admin area nearly impenetrable to attackers.