Restrict Access To WordPress Admin Area for Free With Cloudflare

Cloudflare has made its WAF (Web Application Firewall) available to free accounts, so you can now restrict your WordPress admin area to specific countries or specific IPs for free. See the article Protect Your Website With Cloudflare Free WAF for more details about the free Cloudflare WAF.

Many attacks target the WordPress login, so you may want to restrict admin area access to a specific country or a specific public IP. Requests to wp-admin that are not allowed will then be blocked. If you want an alternative way to protect your wp-admin area, you can check MalCare Review, a plugin that will help protect your website for free.

In the free Cloudflare WAF, you have 5 firewall rules that you can use to make your WordPress installation more secure and we will use one of these rules to limit access to the WordPress admin area.

Basic Firewall Rule Configuration

Let’s see the exact steps to restrict access to the wp-admin area, first to a specific country and then to a specific IP address, or in any way you want. The rule also blocks wp-login.php, which is the path WordPress uses when you log in to your WordPress admin area.

1. Access the Cloudflare WAF Section

The first thing to do is open the Cloudflare security area, where the WAF is. Log in to Cloudflare, navigate to the website that you want to restrict access to, and choose Security – WAF.

In the WAF section, under Firewall Rules, hit Create Firewall Rule.

2. Restrict Access To wp-admin and wp-login.php

In this section, we need to add the paths that we want to have blocked by Cloudflare WAF. In this case, we will use a combination of wp-login.php and wp-admin.

  • Field: URI Full
  • Operator: equals
  • Value: https://yourwebsite.com/wp-admin

OR

  • Field: URI Path
  • Operator: contains
  • Value: /wp-login.php

[Action: Block]

You should see the following in the Expression Preview section.

(http.request.full_uri eq "https://yourwebsite.com/wp-admin") or (http.request.uri.path contains "/wp-login.php")

Replace yourwebsite.com with your own website's domain.

To explain what the rule does: we block the full URL of wp-admin with URI Full. We didn’t use URI Path because some plugins and themes use /wp-admin/admin-ajax.php and we don’t want to block it. You can also combine conditions to block everything under wp-admin and allow only certain paths. In this case, I will use the full URL as it’s safer.

The second condition, added with OR, blocks every path that contains wp-login.php.
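As an added example (not from the original article or from Cloudflare), this Python sketch models the rule above next to the "block everything under wp-admin and allow only certain paths" variant, and shows which requests each one would block. The second expression, the function names and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SITE = "https://yourwebsite.com"  # placeholder host used in the article

def exact_rule(full_uri: str) -> bool:
    # Model of the article's expression:
    # (http.request.full_uri eq "<SITE>/wp-admin") or
    # (http.request.uri.path contains "/wp-login.php")
    path = urlsplit(full_uri).path
    return full_uri == f"{SITE}/wp-admin" or "/wp-login.php" in path

def path_rule(full_uri: str) -> bool:
    # Assumed expression for the "block everything, allow certain paths" variant:
    # (http.request.uri.path contains "/wp-admin" and
    #  not http.request.uri.path contains "/wp-admin/admin-ajax.php") or
    # (http.request.uri.path contains "/wp-login.php")
    path = urlsplit(full_uri).path
    admin = "/wp-admin" in path and "/wp-admin/admin-ajax.php" not in path
    return admin or "/wp-login.php" in path

# Constructed sample requests (not real traffic).
SAMPLES = [
    f"{SITE}/wp-admin",
    f"{SITE}/wp-admin/",
    f"{SITE}/wp-admin/index.php",
    f"{SITE}/wp-admin/admin-ajax.php?action=heartbeat",
    f"{SITE}/wp-login.php?redirect_to=%2Fwp-admin%2F",
    f"{SITE}/blog/hello-world/",
]

def coverage(urls=SAMPLES):
    """Return {url: (blocked_by_exact_rule, blocked_by_path_rule)}."""
    return {u: (exact_rule(u), path_rule(u)) for u in urls}

if __name__ == "__main__":
    print("exact  path   url")
    for url, (exact, by_path) in coverage().items():
        print(f"{'BLOCK' if exact else 'pass':5}  "
              f"{'BLOCK' if by_path else 'pass':5}  {url}")
```

Because eq is an exact comparison on the full URI, the first condition matches only the bare /wp-admin URL, while the path-based variant also matches the other admin URLs and still leaves admin-ajax.php reachable.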

3. Allow Access to specific IP or Country

So far we have told Cloudflare to block the ways to log in to WordPress; in this step we say what needs to be allowed. To do this, go to Tools in the Security area of Cloudflare and allow your country or IP address. Adding them here will bypass the previous restriction and allow them.

To add a country, search for it in the IP, IP range, country name, or ASN field and allow it to use the website.

For an IP, look up your public IP on a website like showip, add it in the IP, IP range, country name, or ASN field, and allow it. You can also add an IP range, such as your ISP's range, since your public IP can change.

The Cloudflare WAF only works if your website is proxied through Cloudflare, so you need to use their CDN. Keep this in mind.

Conclusions

Cloudflare offers a free option that you can use to restrict access to your WordPress website admin area and better secure your website. If you don’t already have another way, I recommend starting to use Cloudflare, as it’s free and it doesn’t hurt to have an extra layer of protection.
