Bots and attackers are constantly trying to guess your WordPress username and password. If one of them succeeds, they can do whatever they like with your site, and you stand to lose everything. A WordPress security plugin is a smart idea, but the best protection is to stop the guessing attempts from ever reaching your server in the first place.

Using Cloudflare Page Rules

One of the best, and did we mention free, ways to do this is to set up Cloudflare Page Rules. Even on the Free plan you get three page rules. With the right settings you can use them to keep bots away from your login endpoints and to absorb the flood of requests a brute-force or denial-of-service attack would otherwise send straight to your server.

If you don’t already have an account, head on over to Cloudflare, set up your free account, point your domain’s DNS at it, and then return to this page. Page rules only apply to traffic that actually passes through Cloudflare, so the DNS records for your site need to be proxied (the orange cloud icon), not DNS-only.

How It Works

There are two endpoints that accept a WordPress username and password: wp-login.php, the login form itself, and xmlrpc.php, the remote publishing API. To cover all of the bases we are going to create a rule for each.

What we are doing, in a nutshell, is telling Cloudflare to put these two URLs into I’m Under Attack mode. Every request for them first gets an interstitial page with a JavaScript challenge that real browsers solve automatically; only once the challenge has been passed does Cloudflare forward the request to your server. Scripts and bots that don’t run JavaScript never get past the interstitial, so they never reach the PHP file, and if they can’t reach the file, they can’t try logging into your account. Two caveats: this raises the bar for automated guessing rather than making it impossible, and it only works for requests that go through Cloudflare. If your origin server’s IP address is known and it accepts connections from anyone, an attacker can skip the challenge entirely by connecting to it directly, so restrict your origin to Cloudflare’s published IP ranges.

Creating the Page Rules

First make sure you’re logged in to your Cloudflare account.

Once you’re logged in click on Page Rules.

You should see a page similar to this:

Cloudflare Under Attack Page Rules

Now let’s get started.

Securing the WordPress Login Page

First up is the login page itself. When you think about logging in to WordPress, this is most likely the page you picture.

Click Create Page Rule.

Set If the URL Matches to *yourdomain.com/wp-login.php*, replacing yourdomain.com with your actual domain name. The leading asterisk makes the rule match both the bare domain and www (or any other subdomain); the trailing one makes it match the query strings WordPress adds, such as ?action=lostpassword.

Click + Add a Setting and choose Browser Integrity Check from the dropdown menu. Toggle it to On.

Click + Add a Setting and choose Security Level from the dropdown menu. Choose I’m Under Attack from the next dropdown menu.

Click Save and Deploy

Cloudflare Login Page Under Attack Rule

Securing XML-RPC

Remote posting services, like the WordPress smartphone app and Jetpack, use XML-RPC to access your account. Lately, bots have been attacking xmlrpc.php just as much as, if not more than, wp-login.php, and for good reason: its system.multicall method lets a single HTTP request try hundreds of username and password combinations at once, which makes it a far more efficient brute-force target than the login form. So let’s put a stop to that too. One caveat before you do: non-browser clients cannot solve a JavaScript challenge, so while this rule is active the mobile app, Jetpack and anything else that talks to xmlrpc.php will stop working. If you don’t use any of them, you lose nothing; if you do, pick a less aggressive Security Level for this rule, which challenges based on IP reputation instead of challenging everyone.

Click Create Page Rule again to add our second page rule.

Set If the URL Matches to *yourdomain.com/xmlrpc.php*, replacing yourdomain.com with whatever your actual domain name is.

Click + Add a Setting and choose Browser Integrity Check from the dropdown menu. Toggle it to On.

Click + Add a Setting and choose Security Level from the dropdown menu. Choose I’m Under Attack from the next dropdown menu.

Click Save and Deploy

Cloudflare XMLRPC Under Attack Page Rule
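The two rules above can also be created with Cloudflare’s v4 API instead of clicking through the dashboard, which is handy if you look after several WordPress sites. The script below is an added example, not code from the original post or from Cloudflare; it assumes you have an API token with the Zone > Page Rules > Edit permission and the zone ID from your dashboard overview, and the environment variable names (CF_API_TOKEN, CF_ZONE_ID, WP_DOMAIN) are our own choice.

```python
"""Create the two WordPress login page rules through the Cloudflare v4 API.

Added example, not the original post's code. Assumes:
  * an API token with the Zone > Page Rules > Edit permission (CF_API_TOKEN),
  * the zone ID shown on the Cloudflare dashboard overview (CF_ZONE_ID),
  * the site's domain name (WP_DOMAIN).
The environment variable names are our own choice.
"""
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# The two credential-accepting endpoints from the post, in priority order.
LOGIN_ENDPOINTS = ("wp-login.php", "xmlrpc.php")


def page_rule_payload(domain, path, priority=1):
    """Build the API body equivalent to the dashboard steps:
    URL matches *domain/path*, Browser Integrity Check on,
    Security Level set to I'm Under Attack."""
    return {
        "targets": [
            {
                "target": "url",
                "constraint": {
                    "operator": "matches",
                    "value": f"*{domain}/{path}*",
                },
            }
        ],
        "actions": [
            {"id": "browser_check", "value": "on"},
            {"id": "security_level", "value": "under_attack"},
        ],
        "priority": priority,
        "status": "active",
    }


def create_page_rule(zone_id, token, payload):
    """POST one page rule; raise if Cloudflare reports an error."""
    req = urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/pagerules",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        # Cloudflare still returns a JSON body with an "errors" list on 4xx.
        body = json.load(err)
    if not body.get("success"):
        raise RuntimeError(f"Cloudflare API error: {body.get('errors')}")
    return body["result"]


def protect_wordpress_logins(zone_id, token, domain):
    """Create both rules; returns the rule objects Cloudflare sends back."""
    return [
        create_page_rule(zone_id, token, page_rule_payload(domain, path, i + 1))
        for i, path in enumerate(LOGIN_ENDPOINTS)
    ]


if __name__ == "__main__":
    created = protect_wordpress_logins(
        os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"], os.environ["WP_DOMAIN"]
    )
    for rule in created:
        print(rule["id"], rule["targets"][0]["constraint"]["value"])
```

Remember the Free plan limit of three page rules: if you already have two, the second POST will fail with an error from Cloudflare and the script stops there rather than silently half-configuring the site.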

That’s It!

Once you have these page rules set, you will see far fewer notifications from your security plugin warning you about failed login attempts and brute force attacks. Ever since we implemented this solution we have not experienced any brute force attacks at all. This really does work.

Your Page Rules page should now look similar to this. If it does, you’re all done!

Cloudflare Under Attack Page Rules On

When you try accessing your login page after setting up the page rules, you’ll routinely see a page like the one below. After about 5 seconds you’ll be able to log in like normal. This is simply Cloudflare running the browser check we talked about earlier. Because WordPress sends logged-out visitors to /wp-admin/ straight to wp-login.php, the check covers that route too. NOTE: since the page rules we created are specific to the wp-login.php and xmlrpc.php files, your visitors will not experience this delay when accessing the rest of your website.

Login Page Loading
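Seeing the interstitial in your own browser is one check; a bot’s view is the other. The script below is an added example, not code from the original post or from Cloudflare: it sends a plain GET with no JavaScript to both endpoints, the way a brute-force script would, and classifies Cloudflare’s answer. The classification rests on Cloudflare’s documented response headers (a challenged request carries cf-mitigated: challenge, older Under Attack interstitials were a bare 503, and every proxied response has server: cloudflare); the domain is taken from the command line.

```python
"""Confirm the page rules are in force from the outside.

Added example, not the original post's code. A GET without JavaScript stands
in for a bot: if the rule works, Cloudflare answers with its challenge page
instead of forwarding the request to WordPress. Classification relies on
Cloudflare's response headers: challenged requests carry
`cf-mitigated: challenge`, older Under Attack interstitials were a plain 503,
and every Cloudflare-proxied response has `server: cloudflare`.
"""
import sys
import urllib.error
import urllib.request

LOGIN_ENDPOINTS = ("wp-login.php", "xmlrpc.php")


def classify(status, headers):
    """Map (status, headers) to what happened to the request.

    not-proxied    -> the reply did not come from Cloudflare; a page rule
                      cannot apply (DNS record grey-clouded, or origin hit directly)
    challenged     -> Cloudflare served its JavaScript challenge: the rule works
    blocked        -> Cloudflare refused the request outright (e.g. a firewall rule)
    reached-origin -> Cloudflare passed the request through to WordPress
    """
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if "cloudflare" not in h.get("server", ""):
        return "not-proxied"
    if h.get("cf-mitigated") == "challenge" or status == 503:
        return "challenged"
    if status == 403:
        return "blocked"
    return "reached-origin"


def fetch(url, timeout=15):
    """GET with no JavaScript; return (status, headers) even for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "page-rule-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        # Cloudflare's challenge page is itself a 4xx/5xx; keep its headers.
        return err.code, dict(err.headers)


def check_site(domain):
    """Probe both endpoints and report the verdict for each."""
    return {
        path: classify(*fetch(f"https://{domain}/{path}"))
        for path in LOGIN_ENDPOINTS
    }


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"
    for path, verdict in check_site(domain).items():
        print(f"{path}: {verdict}")
```

Run it as python check_rules.py yourdomain.com. Both endpoints should come back as challenged. A reached-origin on wp-login.php means the rule isn’t matching (check the URL pattern); on xmlrpc.php it shows up as WordPress’s own 405 "XML-RPC server accepts POST requests only" answer, which means the request got through. A not-proxied verdict means the request never touched Cloudflare at all, usually because the DNS record is grey-clouded.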

BONUS: Improved Performance

Even if you use a WordPress security plugin like Wordfence or All-in-One WP Security, your server still does the legwork: every guess still hits PHP, which processes the request and checks it against the plugin’s blacklist before rejecting it. By letting Cloudflare turn the bots away at its edge, you take that workload off your own server and leave more of it for your real visitors.