Cloudflare is great. I use it for DNS both privately and for my work. The company offers a lot of free features that truly seem to make the internet a better place.

One of the features offered in a more freemium model is the firewall/WAF rules. You are allowed to have five firewall rules per site, and for anything more you’ll have to pay.

Recently, I was asked to fortify a WordPress website, as it got a lot of false and invalid login attempts. Using a plugin, the website owner received emails daily notifying them of failed attempts to log in to WordPress, and they wanted to feel more secure.

So I set up the Cloudflare firewall for this purpose. I mostly relied on this great article showing which firewall rules to use and why, but what I added is that I didn’t create 5 separate firewall rules, as suggested there, but combined them into one. If they give you a freemium model, you’ve got to make the most of it, right? ;-)

So by utilizing only one firewall rule in Cloudflare, you can easily protect the admin areas of your WordPress website.

The steps to get there are:

  1. Under Security - WAF - Tools, set your IP address or your country to Allow, so that your own traffic circumvents the firewall rules.
  2. Under Security - WAF - Firewall Rules, set up the following firewall rule. Use the Edit expression button to paste this expression in:

```
(http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")
or (http.request.uri.path contains "/wp-login.php")
or (http.request.uri.path contains "/xmlrpc.php")
or (http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "YOURSITE.COM" and not cf.client.bot)
or (http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "YOURSITE.COM")
```

And of course, don’t forget to replace YOURSITE.COM with your own domain name!
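To check what the combined expression actually blocks before you save it, here is an added example (my own Python model of the rule above, not Cloudflare code or part of the original post) that evaluates it against constructed requests. It assumes "example.com" stands in for YOURSITE.COM, and it models each request by its path, method, Referer header and Cloudflare's verified-bot flag (cf.client.bot).

```python
from dataclasses import dataclass

SITE = "example.com"  # constructed placeholder for YOURSITE.COM

@dataclass
class Request:
    path: str
    method: str = "GET"
    referer: str = ""           # empty when the Referer header is absent
    verified_bot: bool = False  # Cloudflare's cf.client.bot

def rule_matches(r: Request) -> bool:
    """True when the combined firewall expression fires, i.e. the request is blocked."""
    p, ref = r.path, r.referer
    # Python's `in` is case-sensitive, like Cloudflare's `contains`.
    admin = ("/wp-admin/" in p and "/wp-admin/admin-ajax.php" not in p
             and "/wp-admin/theme-editor.php" not in p)
    login = "/wp-login.php" in p
    xmlrpc = "/xmlrpc.php" in p
    # plugin files requested without a same-site Referer, unless a verified bot
    plugins = "/wp-content/plugins/" in p and SITE not in ref and not r.verified_bot
    # comment POSTs that do not carry a same-site Referer
    comment = p == "/wp-comments-post.php" and r.method == "POST" and SITE not in ref
    return admin or login or xmlrpc or plugins or comment

# Constructed sample traffic paired with the outcome we expect from the rule.
SAMPLES = [
    (Request("/wp-login.php"), True),
    (Request("/xmlrpc.php", "POST"), True),
    (Request("/wp-admin/edit.php"), True),
    (Request("/wp-admin/admin-ajax.php", "POST", "https://example.com/"), False),
    (Request("/wp-content/plugins/foo/app.js", referer="https://example.com/"), False),
    (Request("/wp-content/plugins/foo/app.js"), True),            # direct probe, no Referer
    (Request("/wp-content/plugins/foo/app.js", verified_bot=True), False),
    (Request("/wp-content/plugins/foo/app.js", referer="https://EXAMPLE.COM/"), True),  # case-sensitive
    (Request("/wp-comments-post.php", "POST", "https://example.com/hello/"), False),
    (Request("/wp-comments-post.php", "POST"), True),
    (Request("/hello-world/"), False),
]

def mismatches() -> list:
    """Paths whose outcome differs from the expectation; empty means the model agrees."""
    return [r.path for r, want in SAMPLES if rule_matches(r) != want]

if __name__ == "__main__":
    for r, _ in SAMPLES:
        print("BLOCK" if rule_matches(r) else "allow", r.method, r.path, r.referer or "-")
    print("mismatches:", mismatches())
```

Two things the samples make visible: Cloudflare's `contains` is case-sensitive, so write the domain exactly as browsers send it in the Referer header, and the Referer-based exceptions only add friction, since any client can set that header, so they are no substitute for strong passwords and 2FA on the login itself.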