Yesterday when I was checking up on the Cloudflare cache performance for my site WP-Tweaks.com, I saw this:
After filtering traffic that made it past my cache to hit the origin server directly, I saw a huge spike of requests in an incredibly short time. What’s more, they were either redirected or gave a 404. Which meant that my server had to work for each of these requests instead of sending a static file. Needless to say, I don’t want this happening. Ideally, I want bad requests to be rejected directly at my firewall and not make it to my site. Or if a request does hit my site, I want the response to be cached, and not use the database.
Analyzing further, I saw that the requests were made to wp-login.php. Now I’ve already written about my solution for masking wp-login.php using the iThemes plugin so that hackers can’t waste your resources by brute-forcing the page. But as you can see, nothing stops them from just pinging a useless URL anyway. In my logs, I saw that the most common action that bots were trying to do, was register a new user.
So I decided to implement a new Cloudflare firewall rule to block out all direct wp-login.php requests.
My Existing Setup Uses a “Keyword” in the URL
If you read my linked article above, I’ve set up my site to change the login URL to this:
www.example.com/newlogin
instead of this:
www.example.com/wp-login.php
I accomplish this with no fuss using iThemes, which then redirects to something like:
https://www.wp-tweaks.com/wp-login.php?itsec-hb-token=newlogin
So what I want in my Cloudflare rule is the following:
Block all requests to wp-login.php that don’t contain “newlogin” in my query string. Turns out this is easy to accomplish with a simple Cloudflare rule.
Cloudflare Firewall Rule to Block wp-login.php
In your Cloudflare dashboard, go to the “Firewall” section and click “Firewall Rules”. Now click “Create a Firewall Rule” and enter the details as shown here:
What we’re doing here, is creating two conditions for a request to be blocked:
- The request URL must have wp-login.php
- The query parameters must NOT contain our “magic” keyword
If these two conditions are met, it’s blocked outright as shown above. Save your changes and you’re done!
Impact of the New Cloudflare Rule
I implemented these changes yesterday and this morning, here’s the report I get about what was blocked:
As you can see, the rule was used to block a good number of requests that would otherwise have gone through to my server. It’s possible that without this rule, there would have been a lot more since bots can just “give up” if they encounter a hard block like this, so there’s no point in trying anymore.
So I’d call this a success!
Using a VPN to Restrict Access to wp-login.php and wp-admin
A tempting solution is to set up a VPN to access the admin areas of your site. That way, only you or others who are authorized can reach these sensitive sections of your site. My only objection to that is that it requires quite a bit more work to set up a VPN with a static IP, and make that VPN available to all your devices, and the devices of those you trust.
And if you’re stuck somewhere one day without access to your VPN, there’s nothing you can do. My solution here is not only free, but I feel it’s more robust. There are fewer things that can go wrong such as the VPN failing, or the certificate expiring, or something like that. Plus it’s far easier to set up!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
JS says
How do you modify this tutorial with the new URL Normalization that Cloudflare introduced this around 8 April 2021?
Bhagwad Park says
Based on what I’ve seen so far, there’s no need to change anything. Let me know if you find out something I don’t!