Protecting wp-login.php using Cloudflare Firewall for Free!

By adding a Firewall rule in Cloudflare, you can protect your WordPress login page from public access. If you use this Cloudflare WAF protection, you need not use any other service against Brute-Force. The process is very simple. As soon as you add the Firewall rule, your wp-login.php is instantly protected from intruders.

If you want to know other ways to protect wp-login.php, read this article on Protecting the wp-login.php against Brute Force.

Your domain must be pointed to a hosting service through Cloudflare. Otherwise, this firewall rule cannot be applied. If you need any help adding Cloudflare protection to your site, read this article on Three ways to Point your Domain to Cloudflare.

All the steps to be followed are explained below. If this article was useful, let us know in the comments.

Let’s open the Firewall Tab for the corresponding domain and add our first Firewall Rule as below. Here I have added a Cookie with the name and value ilike=wpclimax. You can add whatever you want. Keep it simple.

Block WP Login Cloudflare Firewall

Once the Firewall Rule is set, try logging in to your site in a Guest Window by accessing /wp-admin. You should get the Cloudflare 1020 Error, Access Denied.

If wp-login.php is not blocked, you must recheck your steps. If you have any other firewall rule active, temporarily disable it.

So, now we have blocked the access. How do you log in to your site now? Let’s add another rule to let you log in.

Note: Even without the Allow Rule, you will be able to access your site if you just add the predefined Cookie to the Browser. But we prefer adding one more rule for the cookie, with an Allow Rule.

Allow WP Login Cloudflare Firewall

I will explain what Cloudflare Firewall is doing. According to the first rule, if it cannot find the cookie with name and value, ilike=wpclimax, it will block everyone accessing wp-login.php.

When it finds the right cookie in the user’s browser, it will allow access to the wp-login.php page. Simple!

As mentioned, you can use the Block Rule only. In our tests, we ran into some issues with some of our custom pages. When the Allow Rule was added, everything got resolved. Please try from your side and let us know your experience.

Now, in order to access your site, you need to add the cookie which you have preset in the Firewall rule to your Web Browser. To achieve this, you can add the cookie manually through Inspect > Application > Storage > Cookies. We recommend using any Chrome/Firefox Cookie Editor extension.

Once the extension is installed, add the cookie to it as shown below.

Adding Cookie in Chrome Extension

Set an expiry date if you don’t want to enter the cookie every time you log in. When you clear the cache, the cookie will also be cleared.

Once added, if you refresh the page where you got the 1020 error, you can see you will be taken to the login screen. If you face problems, please be patient and recheck the steps. Keep only the rules that are necessary for the Firewall. In our case, we have kept only two rules active.

More importantly, keep the Allow Rule above the Block Rule. The firewall should first check whether a request should be allowed. If the first rule itself says to block it, there is no point in the Firewall executing the second.

Cloudflare Firewall Rule Order wp-login-php

Once you protect your wp-login.php with Cloudflare firewall, let us know if you used the 2 rule method or single rule method by combining both the conditions in a single rule.

There is one more method to achieve Cloudflare protection for wp-login.php instead of the Cookie method. If you own a dedicated IP for your internet connection, that’s good news. In the above rules, use the IP instead of the Cookie.

If you would like to block your whole site for others except yourself, you can follow this article on How to Block your Website for Others, except yourself?

When you block wp-login.php through the Firewall, you may still see Brute-Force attempts. That is simply because your xmlrpc.php is not blocked. Block /xmlrpc.php with another Cloudflare Firewall rule. Don’t add any condition; just block it and forget about it. There will be NO more Brute-Force attempts.
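The rule set described above (Allow above Block, plus the unconditional xmlrpc.php block) as a small Python model. This is an added illustration, not the article's screenshots or Cloudflare's own code. It assumes rules are evaluated top to bottom and the first matching Allow or Block decides the request; the rule labels and sample requests are constructed.

```python
from http.cookies import SimpleCookie

# Cookie name/value used in the article; pick your own in practice.
COOKIE_NAME, COOKIE_VALUE = "ilike", "wpclimax"

def has_cookie(req):
    """True when the Cookie header carries the exact preset name/value pair."""
    jar = SimpleCookie()
    jar.load(req.get("cookie", ""))
    return COOKIE_NAME in jar and jar[COOKIE_NAME].value == COOKIE_VALUE

# Ordered rules as (label, action, predicate). Labels are hypothetical.
# The Allow rule sits above the Block rule, as the article advises.
RULES = [
    ("allow-login-with-cookie", "allow",
     lambda r: r["path"].startswith("/wp-login.php") and has_cookie(r)),
    ("block-login-without-cookie", "block",
     lambda r: r["path"].startswith("/wp-login.php") and not has_cookie(r)),
    ("block-xmlrpc", "block",
     lambda r: r["path"].startswith("/xmlrpc.php")),
]

def evaluate(req, rules=RULES):
    """Return (action, label) of the first matching rule (assumed first-match model).
    Requests that match no rule pass through to the origin."""
    for label, action, matches in rules:
        if matches(req):
            return action, label
    return "pass", None

def single_rule(req):
    """Single-rule method: only the Block rule that combines both conditions."""
    return evaluate(req, [RULES[1]])[0]

# Constructed sample requests (not real traffic).
SAMPLES = [
    {"path": "/wp-login.php", "cookie": ""},
    {"path": "/wp-login.php", "cookie": "ilike=wpclimax"},
    {"path": "/wp-login.php", "cookie": "ilike=wrong"},
    {"path": "/xmlrpc.php", "cookie": "ilike=wpclimax"},
    {"path": "/blog/hello-world/", "cookie": ""},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["path"], repr(req["cookie"]), "->", evaluate(req))
```

The xmlrpc.php request is blocked even when it carries the cookie, because that rule has no condition attached.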

Congratulations! Your site is now more secure than before. For any questions, comment below. We would love to answer.

Please note that our product recommendations are unbiased and targeted to be user-friendly. If you have any recommendations which aren't listed on our site, please feel free to contact us. We would be happy to review them.
