Restricting access to WordPress Admin with Cloudflare WAF Rules

When using Cloudflare you get many security features that help protect your website/application and web server from the wider internet. One of those features is the WAF (Web Application Firewall), which lets you restrict access to your server at Cloudflare’s edge before the request ever hits your network. You can use this in the free version for up to 5 Firewall rules before you need to purchase a package.

To set up a WAF firewall rule with Cloudflare you need to log into your account, go to “Security > WAF” and then click “Create firewall rule”. Then you can create a rule that blocks access to your WordPress admin pages except from a certain IP range of your choice. If you use the “is not in” operator you can list multiple IPs or IP ranges alongside the URI path condition. Finally, make sure you choose “Block” as the action.

Then you’ll need to allow a few pages to bypass this block, because WordPress uses them to serve some user-facing content and for front-end functionality. Create another rule to allow access to the “/wp-admin/admin-post.php” & “/wp-admin/admin-ajax.php” pages. Make sure this time you select “Allow” as the action type.
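Cloudflare evaluates firewall rules top to bottom and the first matching terminating action (Allow or Block) decides the request, so the Allow rule for admin-ajax.php and admin-post.php has to sit above the Block rule or those two endpoints get blocked along with everything else. The following Python is an added example, not Cloudflare’s code or anything from the original post: it models the two rules described above and shows what happens in both orderings. The allowed range 203.0.113.0/24 and the sample requests are constructed, and the Cloudflare expressions quoted in the comments are my rendering of the rules, to be checked against the rule builder.

```python
"""Offline model of the two Cloudflare WAF rules from the post (added example).

Mimics Cloudflare's evaluation order: rules are checked top to bottom and the
first matching Allow or Block ends evaluation for that request. Nothing here
talks to Cloudflare; it only shows why rule ordering matters.
"""
import ipaddress
from typing import Callable, List, Tuple

# Constructed allow-list; replace with your own office/VPN ranges.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Endpoints WordPress needs reachable by ordinary visitors (from the post).
PUBLIC_ADMIN_PATHS = {"/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php"}


def ip_in_allowed_ranges(ip: str) -> bool:
    """True when the client IP falls inside any allowed CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)


# Rule A (assumed Cloudflare expression, action Allow):
#   (http.request.uri.path in {"/wp-admin/admin-ajax.php" "/wp-admin/admin-post.php"})
def allow_public_admin_endpoints(ip: str, path: str) -> bool:
    return path in PUBLIC_ADMIN_PATHS


# Rule B (assumed Cloudflare expression, action Block):
#   (http.request.uri.path contains "/wp-admin" and not ip.src in {203.0.113.0/24})
def block_admin_from_outside(ip: str, path: str) -> bool:
    return path.startswith("/wp-admin") and not ip_in_allowed_ranges(ip)


# (rule name, action, matcher)
Rule = Tuple[str, str, Callable[[str, str], bool]]

RULES_CORRECT_ORDER: List[Rule] = [
    ("allow admin-ajax/admin-post", "allow", allow_public_admin_endpoints),
    ("block wp-admin from outside", "block", block_admin_from_outside),
]
# Same rules with the Block rule first: the common misconfiguration.
RULES_WRONG_ORDER: List[Rule] = list(reversed(RULES_CORRECT_ORDER))


def evaluate(rules: List[Rule], ip: str, path: str) -> str:
    """Return 'allow', 'block', or 'pass' (no rule matched, request continues)."""
    for _name, action, matches in rules:
        if matches(ip, path):
            return action  # first matching terminating rule wins
    return "pass"


# Constructed sample requests: (client IP, URI path)
SAMPLE_REQUESTS = [
    ("203.0.113.10", "/wp-admin/"),                 # admin from allowed range
    ("198.51.100.7", "/wp-admin/"),                 # admin from elsewhere
    ("198.51.100.7", "/wp-admin/admin-ajax.php"),   # front-end AJAX from a visitor
    ("198.51.100.7", "/wp-login.php"),              # not under /wp-admin, so untouched
    ("198.51.100.7", "/blog/hello-world/"),         # ordinary page
]


def simulate(rules: List[Rule]) -> dict:
    """Map each sample request to the action the rule set would take."""
    return {req: evaluate(rules, *req) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, rules in (("correct order", RULES_CORRECT_ORDER),
                         ("wrong order", RULES_WRONG_ORDER)):
        print(f"--- {label} ---")
        for (ip, path), action in simulate(rules).items():
            print(f"{ip:>14} {path:<32} -> {action}")
```

Running it shows the visitor’s admin-ajax.php request is allowed in the correct ordering and blocked in the wrong one. Note also that /wp-login.php passes through untouched in both orderings: the post’s rule keys on the /wp-admin path, so the login page is not covered by it and would need its own rule if you want the same IP restriction there.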

Back on the Firewall/WAF home page you can now see that the rule is active, and it will show you the number of blocked attempts in the last 24 hours.

If a user then goes to the page and their IP is not in the allowed list, they will get an Access denied message.
