WordPress powers over 40% of all websites on the internet, which makes it a prime target for cybercriminals.
The WordPress login page, in particular, is frequently the target of brute-force attacks and unauthorized access attempts.
Protecting your WordPress site is vital – and mandatory by law for website owners or administrators. Traditional security measures such as strong passwords and two-factor authentication are useful, but may not be enough.
In this post, we’ll introduce you to a powerful method for securing your WordPress login pages using Cloudflare Zero Trust. This approach adds an extra layer of security by implementing a zero-trust architecture that effectively shields your admin area from unauthorized access attempts.
Following our step-by-step guide, you’ll learn how to set up Cloudflare Zero Trust for your WordPress site and create and manage access policies to control who can access your admin area.
But before we dive in, let’s first understand why you should use Cloudflare Zero Trust.
Why You Should Use Cloudflare Zero Trust
Cloudflare Zero Trust offers a comprehensive solution that goes beyond traditional security measures. It provides unparalleled flexibility in defining who can access your protected applications. With its sophisticated rule system, you can create highly specific access policies:
- Granular Control: Use “Include”, “Require”, and “Exclude” rules to fine-tune access permissions.
- Multi-factor Policies: Combine various selectors to create complex, multi-layered security protocols.
- Diverse Authentication Options: You have many authentication methods, from email-based rules to service tokens and client certificates.
- Access Service Token: Allows access based on valid service tokens.
- Common Name: Uses the common name in a client certificate for access control.
- Country: Allows or restricts access based on the user’s geographic location.
- Google OIDC Claims: Uses claims from Google’s OpenID Connect for access decisions.
- IP Ranges: Controls access based on the user’s IP address.
You can create a robust security perimeter around your WordPress site and other applications using these features. This will protect against common threats such as brute force attacks and unauthorized access attempts and provide a framework for implementing sophisticated, context-aware security policies.
How To Protect WordPress Login Pages with Cloudflare Zero Trust
In a previous guide, we discussed using Fail2ban with WordPress and Cloudflare proxy to block attackers after several failed attempts. However, this method allows you to block everyone and only grant access to people who authenticate successfully.
Follow the steps below to protect your WordPress login pages with Cloudflare Zero Trust:
Prerequisites:
Before we start, you must ensure that your WordPress website is up and running on the Internet and that your website domain uses Cloudflare DNS with the proxy enabled.
If you are using RunCloud, you can use the RunCloud DNS manager to view and edit your Proxy status:
Step 1: Sign up for Cloudflare Zero Trust
- Go to the Cloudflare website and sign up for a Zero Trust account (the free tier allows up to 50 users).
- Follow the initial setup guidance provided by Cloudflare.
Step 2: Add an Access Application
- Navigate to the “Applications” section and click “Add an application” to start the process.
- On the next screen, choose “Self-hosted” as the application type.
Step 3: Configure the Application
Enter a name for your application in Cloudflare (e.g., “WordPress site 123”). Next, select your WordPress site’s domain from the dropdown menu. If you are hosting your website on a subdomain, mention your subdomain in the provided field.
For example, if you are hosting your website on www.example.com, enter www in the provided box and select example.com from the drop-down menu.
After that, you must specify the path you want to protect from the attackers. By default, the WordPress login page is accessible at /wp-admin.php
. To restrict access to this page, enter wp-admin.php*
in the path field.
Note: if you leave the path empty, Cloudflare will restrict access to your entire WordPress site.
Step 4: Set Up Identity Provider
Scroll down to the Identity Provider section and choose your preferred identity provider (IDP) from the available identity providers on Cloudflare. You can use Cloudflare’s email-based login option if you don’t have an existing IDP.
Select “One-Time PIN” from the available options, and click “Next” at the bottom of the page.
Step 5: Create an Access Policy
In the “Policies” section, provide a name for your policy (e.g., “WordPress Admin Access”).
After adding the name, you can configure the policy to determine who can access the protected area. In the given example, the “Include” rule specifies which users can access the application based on their email addresses.
For the “Email” selector, you can list individual email addresses (e.g., [email protected]
, [email protected]
) or use the “Emails ending in” selector to create domain-based rules (e.g., @example.com
, @domain.com
) to grant access to all users from specific domains.
After adding the necessary rules, you can save the policy by scrolling to the bottom and clicking “Next”. Alternatively, you can leave everything to its default settings on the Setup page and click “Add Application”.
Step 6: Test the Configuration
After creating the configuration, open a new browser or incognito window and navigate to your WordPress admin page (e.g., https://example.com/wp-admin
).
Verify that Cloudflare intercepts the request and prompts for authentication. Now, you can log in using your configured identity provider and confirm that you can access the WordPress admin area after successful authentication.
Wrapping Up
By following the steps outlined in this guide, you’ll have successfully protected your WordPress login pages with Cloudflare Zero Trust. This will add a robust layer of protection to your website’s administration area and safeguard it against unauthorized access attempts and potential security breaches.
While Cloudflare Zero Trust provides excellent security, managing your web infrastructure can still be complex.
This is where RunCloud comes into play!
Why Choose RunCloud for Your WordPress Hosting Needs?
RunCloud provides the easiest way to manage DNS and deploy websites and works well with your newly implemented Cloudflare Zero Trust security:
- Cloudflare Integration: RunCloud seamlessly integrates with Cloudflare and allows you to manage your DNS and security settings from a single interface.
- One-Click WordPress Installations: Say goodbye to complex setup procedures. RunCloud offers one-click WordPress installations, quickly getting your secure site up and running.
- Simplified Server Management: Manage multiple servers and websites from a user-friendly dashboard, reducing the complexity of web hosting.
- Automated Updates and Backups: Keep your WordPress installations secure and up-to-date with automated updates and regular backups.
- Performance Optimization: RunCloud is optimized for speed, ensuring your WordPress site runs smoothly and efficiently.
Start using RunCloud today!