
Cloudflare secure WordPress

Securing WordPress with Cloudflare is easier than you think. But “wp-admin” alone is not enough. Here’s how!

There are basically two ways to protect the administration areas of WordPress. Both methods have specific advantages and disadvantages – but it depends on what you want to achieve.

Cloudflare can be used free of charge for this purpose, but you will need to set up an account.

To secure and control the entire WordPress administration area, you should focus on the following four points:

  • wp-admin
  • wp-login
  • xmlrpc.php
  • admin-ajax.php

Method 1: WAF | Web Application Firewall

The WAF (Web Application Firewall) allows you to block specific applications and thus block access to them in a targeted manner.

However, to be able to keep reaching your WordPress applications yourself, you must create a rule that still grants you this access.

This is usually done by enabling certain IP addresses. The IPv6 address is preferred here, as this usually remains (or should remain) unchanged. Alternatively, a static IPv4 address can also be used.

Advantage: No verification when logging in

Disadvantage: Access only if the access criteria are met.
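As an added example for Method 1 (this code is not from the original post), the following script builds the WAF custom-rule expression that blocks the four admin endpoints for every source address except an allowlist, and models the rule locally so the allowlist can be checked before it is deployed. The field names `http.request.uri.path` and `ip.src` and the brace-set syntax follow Cloudflare's Rules language as I know it; confirm the expression in the dashboard's expression editor. The allowlisted networks are constructed sample values.

```python
"""Build and locally sanity-check a Cloudflare WAF custom rule that blocks the
WordPress admin endpoints for everyone except allowlisted source addresses.

Added example, not code from the original post or from Cloudflare. The
expression syntax (fields http.request.uri.path and ip.src, sets in braces)
is assumed to match Cloudflare's Rules language; the networks are constructed.
"""
import ipaddress

# The four entry points named in the post.
ADMIN_PATHS = ("/wp-admin", "/wp-login.php", "/xmlrpc.php", "/admin-ajax.php")

# Constructed sample allowlist: one static IPv4 address and one IPv6 prefix.
# As the post notes, an IPv6 prefix is usually stable while a consumer IPv4
# address may change; allowing the whole delegated prefix (a documentation
# /48 here) avoids locking yourself out when the host part is renumbered.
ALLOWED_NETWORKS = ("203.0.113.5", "2001:db8:abcd::/48")


def waf_expression(paths=ADMIN_PATHS, networks=ALLOWED_NETWORKS):
    """Return the rule expression; deploy it with the action 'Block'."""
    path_terms = " or ".join(f'http.request.uri.path contains "{p}"' for p in paths)
    ip_set = " ".join(networks)
    return f"({path_terms}) and not ip.src in {{{ip_set}}}"


def decision(src_ip, path, paths=ADMIN_PATHS, networks=ALLOWED_NETWORKS):
    """Local model of the rule: 'block' or 'allow' for one request.

    Mirrors the expression above: a request is blocked only when it touches
    an admin path AND its source address is outside every allowed network.
    """
    if not any(p in path for p in paths):
        return "allow"  # public page, rule does not apply
    addr = ipaddress.ip_address(src_ip)
    allowed = any(addr in ipaddress.ip_network(n, strict=False) for n in networks)
    return "allow" if allowed else "block"


if __name__ == "__main__":
    print("Expression:", waf_expression())
    for ip, path in (("203.0.113.5", "/wp-login.php"),
                     ("2001:db8:abcd:42::1", "/xmlrpc.php"),
                     ("198.51.100.7", "/wp-login.php"),
                     ("198.51.100.7", "/")):
        print(f"{ip:>22} {path:<16} -> {decision(ip, path)}")
```

The "Disadvantage" above shows up directly in the model: the same user on a mobile connection outside the allowed networks gets `block`, so keep a second allowed address (or switch to Method 2) before relying on this rule.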

Method 2: Self-hosted application

With a self-hosted application, you can set up pre-verification before you get to the actual WordPress login. Here we use two-factor authentication (2FA), which must be completed before accessing your system – i.e. still at the Cloudflare level.

Advantage: Only registered users can pass the 2FA authentication.

Disadvantage: Depending on the settings, you may have to log in frequently, with an email code or another authentication method.

General information

We will focus here on the second method, the self-hosted application, as it allows us to outsource certain tasks. You can find detailed instructions on how to set this up in the linked video.

A link to the detailed setup of a tunnel can be found below. A solution via VPN is not suitable in this context and is therefore not recommended. However, if required, you can find an article on Cloudflare VPN setup on my homepage.

Video: Cloudflare secure WordPress

Language: 🇩🇪
☝️ Use YouTube subtitles for all languages.

Procedure for protecting WordPress

Authentication

After logging in to Cloudflare, first select “Zero Trust” on the left.

Then go to “Settings” and check the “Login methods” under “Authentication”. “One-time PIN” should be set here. If this is not the case, add this method. Alternatively, you can also choose another method, but in this guide we use “One-time PIN”.

Set up application

Your first step is now to select “Add application”.

Use “WP Admin Test” as the application name for this first application.

Then go to “Create additional rules”.

Select the “Email” option under “Selector” and enter all email addresses that should be authorized under “Value”. Multiple email addresses can be separated by a comma “,”.

Save and continue with “Next” at the bottom right.

You can skip the page with the CORS and cookie settings.

Save and continue with “Next” at the bottom right.

You will now return to the overview, where the “WP Admin Test” application is displayed.

You have now created “wp-admin”. Repeat this process for the three other applications: “wp-login”, “xmlrpc.php” and “admin-ajax.php”. All four WordPress applications should then be displayed in the overview.

Tripping hazards !!!

If you now go to https://deine-domain.de/wp-admin, the Cloudflare login window will appear, as shown in the video.

However, if you go to https://www.deine-domain.de/wp-admin, you will be taken directly to the WordPress login. This is not a bug, but a technical issue: The domain is treated differently with and without “www”.

Carry out the “Set up application” step again and enter “www” for the “SUB domain”. All other settings remain the same. The video may provide you with additional assistance here.

After you have set up “wp-admin” with the subdomain “www”, repeat the process for the other applications: “wp-login”, “xmlrpc.php” and “admin-ajax.php”. All four WordPress applications should then be displayed in the overview.

The function test

The connection is also tested in the video. You can see that everything works as expected.
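The tripping hazard and the function test above can be turned into a repeatable check. The script below is an added example, not code from the original post or from Cloudflare: it lists every host/path pair that needs its own Access application (apex and `www` for each of the four endpoints) and classifies a response as protected only if it is a redirect to the team's login page on `*.cloudflareaccess.com`, which is the behaviour Access shows to an unauthenticated browser. The team name, the sample responses and the `probe()` helper's details are assumptions; the paths are the real request paths behind the names used in the post (`admin-ajax.php` lives under `/wp-admin/`).

```python
"""Audit whether every WordPress admin entry point sits behind Cloudflare Access.

Added example, not code from the original post or from Cloudflare. Assumptions:
  * one self-hosted Access application exists per path, as set up in the post;
  * an unauthenticated request to a protected path is answered with a 3xx
    redirect to the team's login page on *.cloudflareaccess.com; any other
    answer (a 200, or a redirect to WordPress's own login) counts as unprotected.
"""
import urllib.error
import urllib.request
from urllib.parse import urlparse

# The four entry points named in the post, as real request paths.
ADMIN_PATHS = ("/wp-admin/", "/wp-login.php", "/xmlrpc.php", "/wp-admin/admin-ajax.php")
ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"


def required_applications(domain, host_prefixes=("", "www.")):
    """Every (host, path) pair that needs its own Access application.

    The post's tripping hazard: Access treats the apex domain and the www
    subdomain as separate hosts, so each path must be covered on both.
    """
    return [(prefix + domain, path) for prefix in host_prefixes for path in ADMIN_PATHS]


def is_access_protected(status, location):
    """True only for a redirect whose target is a Cloudflare Access login page."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    target_host = urlparse(location).hostname or ""
    return target_host.endswith(ACCESS_LOGIN_SUFFIX)


def audit(responses):
    """Given {(host, path): (status, location)}, return the unprotected pairs."""
    return sorted(key for key, (status, location) in responses.items()
                  if not is_access_protected(status, location))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 3xx response instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host, path, timeout=10):
    """Fetch one URL without following redirects; returns (status, Location)."""
    req = urllib.request.Request(f"https://{host}{path}",
                                 headers={"User-Agent": "access-audit/1.0"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx (not followed), 4xx and 5xx land here
        return err.code, err.headers.get("Location")


# Constructed sample responses modelling the post's situation: the apex domain
# is protected, but the www host was forgotten and shows WordPress directly.
ACCESS_LOGIN = "https://example-team.cloudflareaccess.com/cdn-cgi/access/login/deine-domain.de"
SAMPLE_RESPONSES = {
    ("deine-domain.de", "/wp-admin/"): (302, ACCESS_LOGIN),
    ("deine-domain.de", "/wp-login.php"): (302, ACCESS_LOGIN),
    # WordPress's own redirect from /wp-admin/ to its login page, not Access
    ("www.deine-domain.de", "/wp-admin/"): (302, "https://www.deine-domain.de/wp-login.php?redirect_to=%2Fwp-admin%2F"),
    ("www.deine-domain.de", "/wp-login.php"): (200, None),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live mode: python3 access_audit.py deine-domain.de
        results = {(h, p): probe(h, p) for h, p in required_applications(sys.argv[1])}
    else:
        results = SAMPLE_RESPONSES
    for host, path in audit(results):
        print(f"NOT behind Access: https://{host}{path}")
```

Run it without arguments to see the constructed case (both `www` entries are reported), or with your domain to probe all eight URLs from a browser-less client. Note that `admin-ajax.php` is also called by front-end features for anonymous visitors, so gating it behind Access can break plugins that depend on it; test the public site after enabling that application.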

The Cloudflare tunnel

I won’t go into detail about setting up the tunnel in this article, as you don’t normally need it – unless you haven’t set up a tunnel yet. However, you can find detailed instructions on tunnel configuration in this article:

Comparison video with the “Home Assistant” example

The previous video or article refers to the same topic, but is focused on the “Home Assistant” application and uses a tunnel. You can also find valuable information there.

Link to support / donation for the channel
PayPal Link
Bank transfer, Bitcoin and Lightning

#Cloudflare #WEBsecurity #WordPress #InternetSecurity #AccessProtection #Internet #Hosting #HostingSecurity
