Bots and attackers are constantly trying to guess WordPress usernames and passwords. If one of them gets it right, they can do anything your account can do, from defacing posts to planting malware, and you stand to lose everything. A WordPress security plugin is still a smart idea, but the best protection is to stop the guessing attempts before they ever reach your server.
Using Cloudflare Page Rules
One of the best, and did we mention free, ways to do this is to set up Cloudflare Page Rules. Even as a free Cloudflare user you get three page rules. With the right settings you can use them to keep bots away from your login endpoints and to absorb the HTTP floods (layer 7 DDoS traffic) aimed at those two files, because the challenge runs on Cloudflare's edge, not on your server.
If you don’t already have an account, head on over to Cloudflare and then return to this page after setting up your free account.
How It Works
There are two common ways to log in to WordPress: wp-login.php, the normal login form (wp-admin redirects here when you are not logged in), and xmlrpc.php, the remote API that apps and services authenticate against. To cover both bases we are going to create a rule for each.
In a nutshell, we are telling Cloudflare to run an in-depth browser check on anyone requesting these two files, to decide whether the visitor is a real browser or a bot. If Cloudflare decides the visitor is not a legitimate browser, it serves a challenge page instead of the PHP file. If they can't reach the file, they can't try logging in to your account, and the failed attempt never touches your server.
Creating the Page Rules
First make sure you’re logged in to your Cloudflare account.
Once you’re logged in click on Page Rules.
You should see a page similar to this:
Now let’s get started.
Securing the WordPress Login Page
First up is the login page itself. When you think about logging in to WordPress, this is most likely what comes to mind.
Click Create Page Rule.
Set If the URL Matches to *yourdomain.com/wp-login.php*, replacing yourdomain.com with your actual domain name. The leading and trailing asterisks are wildcards, so the pattern also matches https://, www. and any query string.
Click + Add a Setting and choose Browser Integrity Check from the dropdown menu. Toggle it to On.
Click + Add a Setting and choose Security Level from the dropdown menu. Choose I’m Under Attack from the next dropdown menu.
Click Save and Deploy
Securing XML-RPC
Remote posting services, like the WordPress smartphone app, use XML-RPC to access your account. Lately, bots have been attacking xmlrpc.php just as much as, if not more than, wp-login.php, so let's put a stop to that too. Keep the trade-off in mind: the WordPress app and other XML-RPC clients are not browsers and cannot pass the browser check, so this rule locks them out along with the bots. If you don't use any of those services, that is exactly what you want.
Click Create Page Rule again to add our second page rule.
Set If the URL Matches to *yourdomain.com/xmlrpc.php*, replacing yourdomain.com with your actual domain name.
Click + Add a Setting and choose Browser Integrity Check from the dropdown menu. Toggle it to On.
Click + Add a Setting and choose Security Level from the dropdown menu. Choose I’m Under Attack from the next dropdown menu.
Click Save and Deploy
That’s It!
Once these page rules are in place, you will see far fewer notifications from your security plugin about failed login attempts and brute-force attacks. Since we implemented this solution we have not experienced any brute-force attacks at all. This really does work.
Your Page Rules page should now look similar to this. If it does, you’re all done!
After setting up the page rules, when you open your login page you will routinely see a page like the one below. After about 5 seconds you will be able to log in as normal. This is simply Cloudflare running the browser check we talked about earlier. NOTE: Since the page rules are specific to the wp-login.php and xmlrpc.php files, your visitors will not see this delay when browsing the rest of your site. One caveat: Cloudflare can only check traffic that actually passes through it, so make sure the DNS records for your site are proxied (the orange cloud) and that your web server is not reachable directly by IP address. A bot that knows the origin address can simply skip Cloudflare and hit wp-login.php as before.
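Rather than trusting the interstitial you see in your own browser, it is worth checking the rules with a non-browser client, which is what a bot looks like to Cloudflare. The script below is an added example, not from the original post or from Cloudflare. It assumes Cloudflare's behaviour for a challenged request: a 503 (or 403) answered by "server: cloudflare", carrying a "cf-mitigated: challenge" header on current challenge pages. The User-Agent string, the function names and the sample responses are this example's own constructions. Run without arguments it classifies the constructed samples offline; given a hostname, and optionally your origin IP, it probes the real site and the direct-to-origin path.

```python
"""Verify that wp-login.php and xmlrpc.php are challenged through Cloudflare
and that the origin cannot be reached around it.

Added example, not from the original post. Assumes a challenged response is
a 503/403 from "server: cloudflare" with "cf-mitigated: challenge"; adjust
classify_response() if Cloudflare's challenge page changes.
"""
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def classify_response(status: int, headers: dict) -> str:
    """Map one HTTP response to what it means for the page rule.

    'challenged' - Cloudflare served its browser check instead of the file.
    'passed'     - Cloudflare proxied the request and the file answered; the
                   rule did not challenge this (non-browser) client.
    'bypassed'   - the PHP file answered with no Cloudflare in the path.
    'other'      - anything else, e.g. a Cloudflare 5xx origin error page.
    """
    h = {k.lower(): v.lower() for k, v in headers.items()}
    via_cloudflare = h.get("server") == "cloudflare"
    if via_cloudflare and (h.get("cf-mitigated") == "challenge" or status == 503):
        return "challenged"  # 503 alone covers the older JS challenge page
    if via_cloudflare and status == 200:
        return "passed"
    if not via_cloudflare and status == 200:
        return "bypassed"
    return "other"


def fetch(url: str, host_header: Optional[str] = None) -> Tuple[int, dict]:
    """GET url with a plain non-browser client and return (status, headers).
    urllib raises on 4xx/5xx, so the error is unwrapped to read its headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "rule-check/1.0"})
    if host_header:
        req.add_header("Host", host_header)
    try:
        with urllib.request.urlopen(req, timeout=15) as r:
            return r.status, dict(r.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)


def audit(domain: str, origin_ip: Optional[str] = None) -> dict:
    """Classify each protected path through Cloudflare and, when the origin
    IP is known, directly against the origin with the site's Host header."""
    results = {}
    for path in LOGIN_PATHS:
        results[path] = classify_response(*fetch(f"https://{domain}{path}"))
        if origin_ip:
            # 'bypassed' here means anyone who learns the origin address can
            # walk around the page rules; firewall the origin so it only
            # accepts connections from Cloudflare's published IP ranges.
            status, hdrs = fetch(f"http://{origin_ip}{path}", host_header=domain)
            results[f"origin:{path}"] = classify_response(status, hdrs)
    return results


# Constructed sample responses for an offline run; not captured from a real site.
SAMPLES = {
    "challenged login": (503, {"Server": "cloudflare", "CF-Mitigated": "challenge"}),
    "rule not applied": (200, {"Server": "cloudflare"}),
    "origin reached directly": (200, {"Server": "Apache", "X-Powered-By": "PHP/8.2"}),
    "cloudflare origin error": (521, {"Server": "cloudflare"}),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        origin = sys.argv[2] if len(sys.argv) > 2 else None
        for key, verdict in audit(sys.argv[1], origin).items():
            print(f"{key:28s} {verdict}")
    else:
        for name, (status, hdrs) in SAMPLES.items():
            print(f"{name:28s} {classify_response(status, hdrs)}")
```

Both protected paths should come back as challenged; a 'passed' result means the rule pattern is not matching (check the domain in the URL pattern), and a 'bypassed' result against the origin means the rules are only cosmetic until the origin is firewalled.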
BONUS: Improved Performance
Even if you use a WordPress security plugin like Wordfence or All-in-One WP Security, your server is still doing the legwork: PHP processes every login attempt and checks it against blacklisted IP addresses. By letting Cloudflare do the heavy lifting, bad requests are dropped at the edge before they ever reach your server, which reduces its workload and effectively improves your site's performance.