Use CloudFlare Page Rules to Protect WordPress from Brute Force Attacks

I have talked about CloudFlare before, and there are many reasons why you should use them, from helping to speed up your website to making it easy to monetize your website using Viglink. If none of those reasons convinced you to use CloudFlare, perhaps this one reason alone will: you can use CloudFlare page rules to protect your WordPress-powered website!

One of the great things CloudFlare has introduced is page rules. A page rule lets you give the URLs it matches different settings from the rest of your website. In a brute force attack, an automated bot usually hits your wp-login.php page again and again trying to gain entry. To help protect your WordPress website from this, you can simply create a page rule in CloudFlare to protect the page. This can slow and often stop the brute force attack, because the bots will either be stopped dead by the CloudFlare check or be slowed down so much that each login attempt takes them much longer.

Free accounts with CloudFlare only get three page rules, and you will need two of them to protect your wp-login file. You might be able to get this down to one if you do some .htaccess redirects, but to keep it simple let's stick with the two CloudFlare page rules. The two page rule URL patterns I have been using for the WordPress login page are:

example.com/wp-login.*
*.example.com/wp-login.*

You have to enter each one separately, but it is much easier than trying to do this through .htaccess. After you have added a page rule URL match, the important part is the rule settings: make sure you turn Security and Browser Integrity to ON and set the Security Level to "Help, I’m Under Attack".


This will cause CloudFlare to closely inspect every visit to your wp-login.php page. It will also slow you down when you go to log in to your website, unless you whitelist your IP address with CloudFlare. Then you will bypass the check and be sent straight to the login page.
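The Python sketch below is an added example, not part of the original post. It models the two URL patterns above and lists which login URLs neither rule covers, assuming that `*` matches any run of characters and that a pattern without a scheme applies to both http and https. The function names and sample URLs are constructed for illustration.

```python
import re

# The two page-rule patterns from the article (example.com is its placeholder).
PATTERNS = ["example.com/wp-login.*", "*.example.com/wp-login.*"]


def pattern_to_regex(pattern):
    """Translate a page-rule URL pattern into an anchored regex.

    Assumed model: '*' matches any run of characters, every other character
    is literal, and a pattern with no scheme applies to http and https alike.
    """
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if "://" not in pattern:
        body = r"https?://" + body
    return re.compile("^" + body + "$")


def covering_rule(url, patterns=PATTERNS):
    """Return the first pattern that matches url, or None if no rule applies."""
    for pattern in patterns:
        if pattern_to_regex(pattern).match(url):
            return pattern
    return None


def uncovered(urls, patterns=PATTERNS):
    """List the URLs that no pattern matches, i.e. logins left unchallenged."""
    return [u for u in urls if covering_rule(u, patterns) is None]


# Constructed sample URLs: apex, www, another subdomain, and a subdirectory install.
SAMPLE_URLS = [
    "https://example.com/wp-login.php",
    "http://www.example.com/wp-login.php?action=lostpassword",
    "https://shop.example.com/wp-login.php",
    "https://example.com/blog/wp-login.php",  # WordPress installed under /blog/
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:58} -> {covering_rule(url) or 'NOT COVERED'}")
```

Under this model the apex pattern never matches a subdomain and the wildcard pattern never matches the apex, which is why both rules are needed; a WordPress install in a subdirectory is matched by neither and would need its own pattern.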


This will not totally protect your WordPress website, but it will provide an extra layer of protection from brute force attacks. It is still important to use strong passwords and keep your WordPress install up to date, and you can try some plugins that limit the number of login attempts.

3 Responses to Use CloudFlare Page Rules to Protect WordPress from Brute Force Attacks

  1. Anudeep says:

    Thanks for the tip LGR! I have installed the ‘limit login attempts’ plugin and was literally shocked to see that bots were trying to get access to the site every day.
    With CloudFlare page rules I think the number will go down. Will keep updated on the issue.

  2. Paul says:

    I use the W3 Total Cache and All In One WP Security & Firewall with CloudFlare, don't know if I can do any better than that. Would like to know what you think?

    • LGR says:

      Sounds like a good combination especially if you are on a shared server. Hard to do some more advanced security unless you are on your own server.
