CloudFlare provides a free service for CDN, security and speed. Many people think CloudFlare only offers security to Business and Enterprise customers. Granted they get more security like the Web Application Firewall but free users get some basic protection from DDoS and bots. CloudFlare allows 3 custom page rules for free accounts which we can use to prevent bots and hackers from accessing our WordPress login (wp-login.php) pages attempting brute force attacks.
I learned about this brute force protection technique on /r/WordPress and shared it (and seen it shared by others) on the Advanced WordPress facebook group. With this technique you will increase performance because your host or server will not be bogged down processing wp-login requests. Even with a security plugin like Wordfence or All in One WP Security and Firewall, WordPress will still have to do processing to check the hacker or bot’s IP address in the database’s blacklist which consumes resources.
Block wp-login Brute Force Attacks with CloudFlare Page Rule
We are going to make a CloudFlare Page Rule that will do intensive browser inspection for the wp-login.php file which will weed out bots and hackers.
Log in to your CloudFlare account.
Click Page Rules
Then under Page Rules click Create Page Rule
If you use subdomains (e.g. guides.wp-bullet.com or www.wp-bullet.com) then set If the URL matches to http://*.wp-bullet.com/wp-login.php*
Note: The trailing * captures query strings after the wp-login.php URL.
Click + Add a Setting and choose Browser Integrity Check, toggle it to On
Click + Add a Setting and choose Security Level, then choose I’m Under Attack
Click Save and Deploy
If you do not use subdomains (e.g. wp-bullet.com) then set If the URL matches to http://*wp-bullet.com/wp-login.php*
Note: The trailing * captures query strings after the wp-login.php URL.
Click + Add a Setting and choose Browser Integrity Check, toggle it to On
Click + Add a Setting and choose Security Level, then choose I’m Under Attack
Click Save and Deploy
You can also consider making a page rule for xmlrpc.php which is a common attack vector for hackers and bots.
You should make sure each Page Rule is set to On
You will see notifications from your security plugin far less often now 🙂
Sources
Advanced WordPress Group
WordPress subreddit
Ronangelo’s post
Thanks! It works!
I usually see invalid login attempt pops from my security log every 3-15 minutes, now since applying this Page Rules it’s been gone for … ever lol… 30 minutes exactly.
Hostgator could be part of the issue David 😉
Thanks Mike, it may be but they are silly domains, I got it working on the one I wanted to and when I have a ton of time to go through HostGator support and deal with it lol.