This is something I found out about recently from a good friend of mine (Tristan from https://deft-dev.com.au/), and I have since found that a lot of people don’t know about it. So I thought it would be worthwhile creating a quick post on how to do this and why.

A Cloudflare WAF custom rule that challenges requests to the WordPress login endpoints gives a site a high level of protection against password brute forcing and most bot-style automated attacks on the login form. It only helps if the site’s DNS records are proxied through Cloudflare (the orange cloud) and the origin server does not accept direct connections from the internet; otherwise an attacker who knows the origin IP address can simply bypass Cloudflare and hit wp-login.php directly.

To show how powerful this is, someone recently came to me as their WordPress site had been compromised due to a weak password. For the first ~72 hours after this had been implemented it was blocking on average 600 login attempts in every 24 hour period. Now that it has been running for a while it has dropped substantially to ~20 attempts in every 24 hour period. This shows how much of a deterrent this simple rule can be.

The steps to set this up are as follows:
1. In Cloudflare, once you have logged in and selected the required domain, select the “Security” tab, then “WAF”, then the “Custom rules” tab.

2. Select “Create Rule”

3. Enter a descriptive name such as “wp-admin”

4. In the field section select “URI path”, then “equals” as the operator, and enter /wp-admin without quotations for the value. Use “equals” here rather than “starts with”: a prefix match would also catch /wp-admin/admin-ajax.php, which many themes and plugins call for logged-out visitors, and challenging that would break those front-end features. An unauthenticated request to /wp-admin/ is redirected by WordPress to wp-login.php, so it is still covered by the second condition.

5. Select “Or” to add a second condition.

6. For the second query we set the field to “URI path”, “contains” as the operator, and enter “wp-login.php” without quotations for the value.

7. The expression preview for the rule should look as follows:
(http.request.uri.path eq "/wp-admin") or (http.request.uri.path contains "wp-login.php")

8. For the “Then…” section, we select “Interactive Challenge” for the action. “Managed Challenge” and “JS Challenge” are also viable and cause less friction for legitimate users, however I find the interactive challenge action to provide the most reliable protection. Whichever you pick, once a browser passes the challenge Cloudflare remembers it with its clearance cookie, so administrators are not prompted on every page load.

9. You can now save the rule; it is complete and active immediately.
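The same rule created through the Cloudflare API, as an added example that is not part of the original post and not Cloudflare’s own code. It builds the Rulesets API payload for the custom-rules phase, includes a small local check that mimics the `eq` and `contains` operators so you can confirm which paths will be challenged (and that /wp-admin/admin-ajax.php is left alone) before deploying, and only pushes the rule if the environment variables `CF_API_TOKEN` and `CF_ZONE_ID` (names chosen for this example) are set.

```python
"""
Added example: the wp-admin / wp-login.php WAF rule as a Cloudflare Rulesets
API payload, plus a local evaluator of the expression's two operators.

Assumptions (not from the original post): the API token and zone ID come
from the environment variables CF_API_TOKEN and CF_ZONE_ID, and the rule is
deployed to the documented custom-rules phase entrypoint.
"""
import json
import os
import urllib.request

# Exactly the expression the dashboard preview shows.
WP_LOGIN_EXPRESSION = (
    '(http.request.uri.path eq "/wp-admin") '
    'or (http.request.uri.path contains "wp-login.php")'
)

# Cloudflare action names: "challenge" is the Interactive Challenge;
# "managed_challenge" and "js_challenge" are the lower-friction alternatives.
RULE_ACTION = "challenge"


def build_rule(description: str = "wp-admin") -> dict:
    """Return the request body for the custom-rules phase entrypoint.

    Caveat: a PUT on the entrypoint replaces every custom rule in the zone,
    so in real use GET the existing rules first and append to them.
    """
    return {
        "rules": [
            {
                "description": description,
                "expression": WP_LOGIN_EXPRESSION,
                "action": RULE_ACTION,
                "enabled": True,
            }
        ]
    }


def would_challenge(path: str) -> bool:
    """Local approximation of the rule for a request path.

    Mirrors Cloudflare semantics for the two operators used: 'eq' is an exact,
    case-sensitive comparison and 'contains' is a case-sensitive substring
    test. http.request.uri.path never includes the query string, so it is
    stripped here to match.
    """
    path = path.split("?", 1)[0]
    return path == "/wp-admin" or "wp-login.php" in path


def push_rule(zone_id: str, api_token: str, body: dict) -> dict:
    """PUT the rule set to Cloudflare and return the decoded JSON response."""
    url = (
        "https://api.cloudflare.com/client/v4/zones/"
        f"{zone_id}/rulesets/phases/http_request_firewall_custom/entrypoint"
    )
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="PUT",
        headers={
            "Authorization": f"Bearer {api_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample paths: what an admin, a plugin and a bot might request.
    samples = [
        "/wp-admin",                          # challenged: exact match
        "/wp-admin/",                         # not matched; WordPress redirects it to wp-login.php
        "/wp-admin/admin-ajax.php",           # not matched: front-end AJAX keeps working
        "/wp-login.php?action=lostpassword",  # challenged: query string is ignored
        "/blog/wp-login.php",                 # challenged: subdirectory install
        "/index.php",                         # not matched
    ]
    for sample in samples:
        verdict = "challenge" if would_challenge(sample) else "pass"
        print(f"{sample:40} -> {verdict}")

    token, zone = os.environ.get("CF_API_TOKEN"), os.environ.get("CF_ZONE_ID")
    if token and zone:
        print(json.dumps(push_rule(zone, token, build_rule()), indent=2))
```

Run it without the environment variables to see the verdict for each sample path; set them to actually deploy the rule. Because the entrypoint PUT overwrites the zone’s existing custom rules, on a zone that already has rules you would fetch them with a GET on the same URL and include them in the `rules` list.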

Hopefully this helps you add an extra layer of protection to your WordPress site. Keep in mind that a challenge filters out bots; it is not authentication, so strong unique passwords and two-factor authentication on the WordPress accounts are still needed. If the site does not use XML-RPC it is also worth disabling it or adding xmlrpc.php to the same rule, as it is the other endpoint commonly used for password guessing. You can confirm the rule is firing under “Security” then “Events” in the Cloudflare dashboard.
