How to stop WordPress brute force attacks with Cloudflare Free Page Rules

Recently I made a post on how to block brute force attacks on cPanel servers, which had some information about Cloudflare at the bottom. Since Cloudflare Page Rules can work for anyone, I felt it needed its own post.

What is Cloudflare? The short answer: Cloudflare protects and accelerates any website online. Here is a guide from Cloudflare on how it works.

Personally I have been using Cloudflare for about 4-5 years, and they have evolved a lot since then. I have used Cloudflare Free and Cloudflare Pro for my own sites and my clients' sites. Which version I use depends on the type of security needed to protect a site. Sometimes Free will work for a basic business page, but sometimes Cloudflare Pro is needed to protect the site even more. Cloudflare Pro is a great service because it blocks everything Cloudflare Free does, but it adds a web application firewall which blocks injection-type attacks on your site. (Little technical guide). Bottom line: while Cloudflare Free does a good job blocking bots, spammers, and providing some basic security, Pro gives you a lot more security features.

However, this post is mostly about Cloudflare Free. You can use Cloudflare page rules to block or challenge visitors going to your wp-admin, wp-login.php, xmlrpc.php, or other parts of your WordPress (or any other) website. Cloudflare blocks these attacks at the network / internet level, before they even get to your web host.

Setting up Cloudflare is easy. Just create an account and type in your domain. Their scanner will pick up the DNS records from your current web host and provide you with new name servers. (Cloudflare Guide) Once you switch the name servers, you're protected behind Cloudflare's service. Once everything is set up, you can configure Cloudflare page rules and other security features to protect your site.

Setting up Cloudflare Page Rules

Once you have the site added to Cloudflare, with the name servers changed and verified, go to Page Rules at the top. Cloudflare allows you to use three page rules for free. If you need more, it's only 5 dollars for 5 more.

These are the three that I'm using to block most attacks on WordPress via Cloudflare.

First rule

Create a rule with the following matches.

(This rule is only for a bot or someone visiting wp-login.php and not the rest of your site)

URL Matches: *yourdomain.com/wp-login.php*

First setting: Browser Integrity Check – On (Documentation)

Second setting: Security level – I’m under attack. (Documentation)

Second rule

(This rule is only for a bot or someone visiting /wp-admin and not the rest of your site. It is kind of redundant, since wp-admin redirects to wp-login.php, but this rule saves resources if a bot or attacker goes to wp-admin first.)

URL Matches: *yourdomain.com/wp-admin*

First setting: Browser Integrity Check – On (Documentation)

Second setting: Security level – I’m under attack. (Documentation)

Third rule

(This rule is only for a bot or someone visiting xmlrpc.php and not the rest of your site)

URL Matches: *yourclientsdomain.com/xmlrpc.php*

First setting: Browser Integrity Check – On (Documentation)

Second setting: Security level – I’m under attack. (Documentation)

If you are using the WordPress app (Android, iPhone, Windows, etc.) or Jetpack, you need to set your security level to High. This will still block most bots and allow the WordPress Android, iPhone, and Windows apps to work. If not, you can just keep it at I'm under attack.

Optional rule

You could also just forward them to localhost or somewhere else. It really depends on whether you need xmlrpc.php or not.
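To see how the three rules above (and the optional xmlrpc.php forward) actually land on real request URLs, here is a small simulator written for this post; it is not Cloudflare's code and not part of the original article. It assumes two documented page-rule behaviours: `*` in a URL pattern matches any run of characters, and rules are evaluated top to bottom with the first match winning. The sample URLs, the `uses_wp_app` / `needs_xmlrpc` switches and the `http://127.0.0.1/` forward target are constructed for the example (the post only says "localhost"); `yourdomain.com` is the same placeholder the post uses.

```python
"""
Added example: simulate which of this post's Cloudflare page rules applies to a
given request URL. Models '*' as a match-anything wildcard and first-match-wins
ordering. Not Cloudflare's code; sample data is constructed.
"""
import re


def pattern_to_regex(pattern: str):
    """Turn a page-rule pattern such as '*yourdomain.com/wp-admin*' into an
    anchored regex. '*' is the only wildcard; everything else is literal."""
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$")


def build_rules(domain: str, uses_wp_app: bool = False, needs_xmlrpc: bool = True) -> list:
    """Return the post's rule list in dashboard order.

    uses_wp_app  - the WordPress app or Jetpack is in use, so the xmlrpc.php rule
                   drops from "I'm under attack" to "High" as the post advises.
    needs_xmlrpc - False swaps the third rule for the optional forward-to-localhost rule.
    """
    strict = {"browser_integrity_check": True, "security_level": "under_attack"}
    rules = [
        {"name": "First rule", "match": f"*{domain}/wp-login.php*", "settings": strict},
        {"name": "Second rule", "match": f"*{domain}/wp-admin*", "settings": strict},
    ]
    if needs_xmlrpc:
        level = "high" if uses_wp_app else "under_attack"
        rules.append({"name": "Third rule", "match": f"*{domain}/xmlrpc.php*",
                      "settings": {"browser_integrity_check": True, "security_level": level}})
    else:
        # Hypothetical forward target: the post only says "localhost".
        rules.append({"name": "Optional rule", "match": f"*{domain}/xmlrpc.php*",
                      "settings": {"forwarding_url": "http://127.0.0.1/"}})
    return rules


def match_rule(rules: list, url: str):
    """First rule whose pattern matches the full URL, or None (zone defaults apply)."""
    for rule in rules:
        if pattern_to_regex(rule["match"]).match(url):
            return rule
    return None


def effective_settings(rules: list, url: str) -> dict:
    """Settings Cloudflare would apply to this URL under these rules ({} = none)."""
    rule = match_rule(rules, url)
    return dict(rule["settings"]) if rule else {}


# Constructed sample requests, including two worth checking before going live:
# the leading '*' makes every subdomain match, and admin-ajax.php lives under
# /wp-admin/ yet is called by front-end plugins for anonymous visitors.
SAMPLE_URLS = [
    "https://yourdomain.com/wp-login.php",
    "http://yourdomain.com/wp-login.php?action=lostpassword",
    "https://www.yourdomain.com/wp-admin/",
    "https://yourdomain.com/wp-admin/admin-ajax.php?action=heartbeat",
    "https://yourdomain.com/xmlrpc.php",
    "https://yourdomain.com/2019/hello-world/",
]

if __name__ == "__main__":
    rules = build_rules("yourdomain.com", uses_wp_app=True)
    for url in SAMPLE_URLS:
        rule = match_rule(rules, url)
        print(f"{url:65} -> {rule['name'] if rule else 'no rule (zone default)'}")
```

Run it once with your own domain substituted and the URLs your site actually serves. The admin-ajax.php line is the one to watch: because `*yourdomain.com/wp-admin*` also matches `/wp-admin/admin-ajax.php`, any theme or plugin that calls it from the public front end will have those requests challenged under "I'm under attack", so check your front-end features still work after enabling the second rule.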

Final Steps

That’s pretty much it. Just sit back and relax while Cloudflare protects your sites.

Let me know if you have any questions.

If the information I provided helped you, feel free to buy me a cup of coffee. Tips are always appreciated.

2 Comments

  1. The xmlrpc forward to localhost is brilliant!

    • Troy Glancy says:

      Originally came up with that when I was doing the rules for the Apache config on cPanel. I was able to block the attacks on xmlrpc.php, but they were then going to the 404 pages, which still wasted resources. I decided I was just going to redirect them to somewhere else like google.com, but then I don't want to push the bots to Google. Localhost popped into my head and it was the perfect solution.
