Secure Your WordPress Login: How to protect wp-login.php with Cloudflare
Your WordPress login page, wp-login.php, is the main entry point into your WordPress admin area. While you can use a security plugin to rename your login URL, I prefer protecting my sites at the server level, or better still, before the request ever reaches the server.
I’ve been using Cloudflare on my sites for a very long time, and one effective way to harden wp-login.php is Cloudflare’s Configuration Rules feature. This article walks you through the steps to safeguard wp-login.php with Cloudflare so that your site stays secure and less exposed to attacks.
Why Protect wp-login.php?
The wp-login.php page is a common target for brute-force attacks: hackers try many username and password combinations until one works. Protecting this entry point is essential to prevent unauthorised access. Using Cloudflare, we will stop these brute-force attacks, which are largely driven by automated scripts.
Step-by-Step Guide to Protect wp-login.php with Cloudflare
1. Set Up a Cloudflare Account
First, if you don’t have a Cloudflare account, sign up at Cloudflare. Add your website and follow the prompts to change your DNS servers to those provided by Cloudflare. While Cloudflare does have paid plans from $20 per month with several extra features, the free plan is perfect for the below.
2. Create a Cloudflare Configuration Rule
Head over to Rules > Configuration Rules and click the big “Create rule” button.
Give your rule a descriptive name, e.g. “Protect wp-login.php”.
3. Configure Incoming Requests
Under When incoming requests match, select Custom filter expression.
- Under Field select “URI”
- Under Operator select “contains”
- Under Value enter “wp-login”
Cloudflare automatically generates the Expression Preview, as you can see in the screenshot above. We don’t need to change it.
4. Set Security Level
Under “Then the settings are”, scroll down to the section that says “Security Level” and select “I’m Under Attack”.
Cloudflare’s I’m Under Attack mode performs additional security checks to help mitigate layer 7 DDoS attacks. Validated users access your website and suspicious traffic is blocked. It is designed to be used as one of the last resorts when a zone is under attack (and will temporarily pause access to your site and impact your site analytics). When enabled, visitors receive an interstitial page.
5. Deploy your rule
To save and deploy your rule, select Deploy. If you are not ready to deploy your rule, select Save as Draft.
6. Test the rule
You can test that the rule is working by logging out of your site, or by opening an Incognito/Private window, and then navigating to the /wp-login.php URL of your site.
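As an added example (not code from the original post), here is the same rule from steps 2 to 5 created through Cloudflare’s Rulesets API from a shell, plus a curl check that replaces the browser test in step 6. The phase name, action name and security level value are my assumptions about the API and should be verified against Cloudflare’s current documentation.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Creates the Configuration
# Rule from steps 2-5 through the Cloudflare Rulesets API and checks step 6.
# ASSUMED API details (verify against current Cloudflare docs): the
# http_config_settings phase, the set_config action and security_level values.
set -euo pipefail

CF_API="https://api.cloudflare.com/client/v4"

# JSON body for the rule. The expression is what the dashboard's Expression
# Preview shows for Field "URI" / Operator "contains" / Value "wp-login";
# "contains" also matches /wp-login.php?action=lostpassword, as intended.
build_rule_payload() {
  cat <<'EOF'
{
  "rules": [
    {
      "description": "Protect wp-login.php",
      "expression": "http.request.uri contains \"wp-login\"",
      "action": "set_config",
      "action_parameters": { "security_level": "under_attack" },
      "enabled": true
    }
  ]
}
EOF
}

# Deploy (steps 2-5). CAUTION: PUT on the phase entrypoint replaces every rule
# in that phase, so merge any existing configuration rules into the payload.
deploy_rule() {
  local zone_id="$1" token="$2"
  curl -sS -X PUT \
    "${CF_API}/zones/${zone_id}/rulesets/phases/http_config_settings/entrypoint" \
    -H "Authorization: Bearer ${token}" \
    -H "Content-Type: application/json" \
    --data "$(build_rule_payload)"
}

# Test (step 6) without a browser: Cloudflare marks a challenge response with
# a "cf-mitigated: challenge" header. Returns 0 if the login URL is challenged.
check_login_is_challenged() {
  local site="$1" headers
  headers=$(curl -sS -o /dev/null -D - "https://${site}/wp-login.php")
  printf '%s\n' "$headers" | grep -qi '^cf-mitigated: challenge'
}
# Usage with placeholders (set CF_ZONE_ID and CF_API_TOKEN in the environment):
#   deploy_rule "$CF_ZONE_ID" "$CF_API_TOKEN"
#   check_login_is_challenged example.com && echo "wp-login.php is challenged"
```

The API token needs Zone Settings edit permission for the zone; the check function only needs outbound HTTPS to your site.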
Conclusion
By following these steps, you can significantly enhance the security of your WordPress login page using Cloudflare. Regularly monitor your site’s security settings and update them as necessary to stay ahead of potential threats. Protecting wp-login.php is a crucial step in safeguarding your WordPress site from unauthorised access and brute force attacks.