Use CloudFlare Page Rules to Protect WordPress from Brute Force Attacks

I have talked about CloudFlare before page rules to protect your WordPress powered website!

One of the great things CloudFlare has introduced is page rules. You can define a page rule to have different rules from the rest of your website. To help protect your WordPress website from a brute force attack, where usually an automated bot, hits your wp-login.php page again and again and again trying to get entry you can simply create a page rule in CloudFlare to protect the page. This can slow and often stop the brute force attack because the bots will either be stopped dead by the CloudFlare check or slow them down so much that it will take them much longer to actually try to login.

Free accounts with CloudFlare only get three page rules, and you will need two of them to protect your wp-login file. You might be able to get this down to one if you do some .htaccess redirects but to keep it simple lets stick with the two CloudFlare page rules. The two page rule URL patterns I have been using for the WordPress login page are:

example.com/wp-login.* *.example.com/wp-login.*

You have to enter each one separately but it is much easier than trying to do this through .htaccess. The important part after you have added a page rule URL match is in your rules make sure you turn the Security and Browser Integrity to ON and set the Security Level to Help, I’m Under Attack.

This will cause CloudFlare to closely inspect every visit to your wp-login.php page. This will also slow you down when you go to login to your website unless you whitelist your IP address with CloudFlare. Then you will bypass this and be sent straight to the login.

This will not totally protect your WordPress website but it will provide an extra layer of protection from brute force attacks. It is still important to use strong passwords, keep your WordPress install up to date and you can try some plugins that limit the number of login attempts.