How to Harden & Protect WordPress wp-admin Using Cloudflare

Hi everyone, it has been a bit but I wanted to reach out on how we can leverage our existing CloudFlare accounts to protect and harden WordPress wp-admin for malicious activities.

As we all know the administration panel /wp-admin on any WordPress site is accessible by simply visiting domain.com/wp-admin. However there are somethings that we can do harden and protect this area from unwanted logins to this area using CloudFlare.

As we all know Cloudflare is a fantastic service that will block known bad bots, and requests that have malicious intention from easily visiting your site. This is done by years of Cloudflare analyzing traffic and logging suspicious actives through millions of websites. This community of websites and data is then harvested and heuristically built out their security infrastructure to better analyze the difference between a good webpage request and bad request. Now then, imagine using this service and from the network level and application level of the OSI Model protect your site from these malicious visits.

Prerequisites:

There are a few prerequisites in getting started here, but if you found this entry I am confident that you will meet them.

• You will need a WordPress Website.
• You will need to register and add your domain at Cloudflare.
• You will need access to your (existing) domain name providers DNS panel.
• You will need to change name servers with your (existing) domain name provider to Cloudflare

Cloudflare Page Rules:

I will certainly in a later walkthrough show you how to do all of the following (prerequisite requirements), but we need to get to the point since you have certainly already met these by visiting this post.

Moving forward you will not need access to wp-admin, however you will need access to your DNS pointed Cloudflare Account and settings. In getting started you will begin by simply logging into Cloudflare, and choosing the your WordPress domain that is added, then proceed with the following:

1. Click on Page Rules inside of Cloudflare for your WordPress domain.

2. As mentioned by CloudFlare Page Rules let you control which Cloudflare settings trigger on a given URL. Only one Page Rule will trigger per URL, so it is helpful if you sort Page Rules in priority order, and make your URL patterns as specific as possible. Click on Create Page Rule.

3. Next you will add the following settings add your domain.com/wp-admin* as you can see in my screenshot below. Browser integrity check will ensure that a actual browser is being used to access wp-admin. This will protect against brute force attacks on the login page. Next we will want to ensure that cache is bypassed. I am on WP Engine, and WP Engine by default does not cache wp-admin. We will certainly want the security level set to high when accessing this login area, and we want to disable any performance tools that we may have enabled in CloudFlare from being used in wp-admin.

4. Click Save and Deploy.

Conclusion:

With just a few steps and leveraging CloudFlares Page rules we can harden the security of wp-admin with out needing to use any plugins or hiding the /wp-adminurl. If this entry helped you leave a comment below and let me know if you tweaked any of your settings. How are you securing your /wp-admin login in WordPress?