Block wp-login Brute Force Attacks with CloudFlare Page Rule

CloudFlare provides a free service for CDN, security and speed. Many people think CloudFlare only offers security to Business and Enterprise customers. Granted they get more security like the Web Application Firewall but free users get some basic protection from DDoS and bots. CloudFlare allows 3 custom page rules for free accounts which we can use to prevent bots and hackers from accessing our WordPress login (wp-login.php) pages attempting brute force attacks.

I learned about this brute force protection technique on /r/WordPress and shared it (and seen it shared by others) on the Advanced WordPress facebook group. With this technique you will increase performance because your host or server will not be bogged down processing wp-login requests. Even with a security plugin like Wordfence or All in One WP Security and Firewall, WordPress will still have to do processing to check the hacker or bot's IP address in the database's blacklist which consumes resources.

Block wp-login Brute Force Attacks with CloudFlare Page Rule

We are going to make a CloudFlare Page Rule that will do intensive browser inspection for the wp-login.php file which will weed out bots and hackers.

Log in to your CloudFlare account.

Click Page Rules

Then under Page Rules click Create Page Rule

If you use subdomains (e.g. guides.wp-bullet.com or www.wp-bullet.com) then set If the URL matches to http://*.wp-bullet.com/wp-login.php*

Note: The trailing * captures query strings after the wp-login.php URL.

Click + Add a Setting and choose Browser Integrity Check, toggle it to On

Click + Add a Setting and choose Security Level, then choose I'm Under Attack

Click Save and Deploy

If you do not use subdomains (e.g. wp-bullet.com) then set If the URL matches to http://*wp-bullet.com/wp-login.php*

Note: The trailing * captures query strings after the wp-login.php URL.

Click + Add a Setting and choose Browser Integrity Check, toggle it to On

Click + Add a Setting and choose Security Level, then choose I'm Under Attack

Click Save and Deploy

cloudflare-wp-login-page-rule-brute-force-protection-non-www

You can also consider making  a page rule for xmlrpc.php which is a common attack vector for hackers and bots.

You should make sure each Page Rule is set to On

You will see notifications from your security plugin far less often now 🙂

Sources

Advanced WordPress Group
WordPress subreddit
Ronangelo's post