Protecting the wp-login.php page in your WordPress directory poses a challenge for many webmasters. Using .htaccess or a security plugin like Wordfence only adds a bit of resistance to hackers, and both methods still bog your server down with brute-force attempts, because every request still reaches your server before it is rejected.
Today, I am going to explain how to protect your wp-login.php page using CloudFlare, which will divert almost all traffic away from your login page before it even has a chance to load. This guide is extremely easy to put into action, and if you are already serving pages through CloudFlare, it takes less than five minutes to set up.
(Alternatively, if you are wondering what CloudFlare is and how it can help you, check out our article titled “What does a CDN do?”)
Secure WordPress Login Page
For the majority of WordPress users, the wp-login page is essentially wide open for hackers to break into. Besides a flimsy account name and password, most bloggers have very little in the way of security to keep unwanted visitors out. If you notice that your WordPress login page constantly gets hammered with login attempts, CloudFlare offers the perfect remedy for this situation.
The CloudFlare option you are going to be looking out for is called “Page Rules.”
Make sure that you have your domain name opened from the domains category, and hit the down arrow on the right to find the option called “Page Rules.” Even if you are using a free CloudFlare account, they will still allow you to add up to three different page rules for each website you have connected.
Once you find the “Page Rules” option, click the green button that says “Add Rule” and copy the settings and URLs exactly the way I have demonstrated on the picture to the left.
Create two separate rules, one for wp-admin and one for wp-login. The URL for each is going to have to match exactly the way I have it listed:
This is basically telling CloudFlare that if your page “wp-admin.php” or “wp-login.php” gets loaded by someone, it should apply the page rule located below. By using an asterisk at the beginning and end of our URL, we are telling CloudFlare that we want the rules applied regardless of which form of the URL the hacker pulls up. (www, http, http://www, or a plain website query are all subject to the rules we enter.)
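A quick way to check which requests a wildcard pattern covers before saving the rule. This is an added example, not part of the original guide or CloudFlare's own code. It assumes a simplified matching model (an asterisk matches any run of characters, everything else is literal, and the whole URL must match), and the example.com patterns and sample URLs are constructed placeholders.

```python
import re

def rule_to_regex(pattern):
    """Build a regex from a page-rule style pattern.
    Assumed model: '*' matches any run of characters, the rest is literal."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts))

def coverage(pattern, urls):
    """Map each URL to True/False depending on whether the pattern covers it."""
    rx = rule_to_regex(pattern)
    return {url: rx.fullmatch(url) is not None for url in urls}

def unprotected(patterns, urls):
    """Return the URLs that none of the patterns cover."""
    compiled = [rule_to_regex(p) for p in patterns]
    return [u for u in urls if not any(rx.fullmatch(u) for rx in compiled)]

# Constructed sample requests (placeholder domain).
SAMPLE_URLS = [
    "example.com/wp-login.php",
    "www.example.com/wp-login.php",
    "http://example.com/wp-login.php",
    "http://www.example.com/wp-login.php",
    "https://www.example.com/wp-login.php?action=lostpassword",
    "https://www.example.com/wp-admin/options.php",
    "https://www.example.com/2015/05/some-post/",
]

# Hypothetical rule patterns with an asterisk at both ends.
RULES = ["*example.com/wp-login.php*", "*example.com/wp-admin*"]

if __name__ == "__main__":
    for rule in RULES:
        print(rule)
        for url, hit in coverage(rule, SAMPLE_URLS).items():
            print("   ", "MATCH" if hit else "  -  ", url)
    # Dropping the trailing asterisk leaves query-string variants uncovered.
    no_trailing = coverage("*example.com/wp-login.php", SAMPLE_URLS)
    print("missed without trailing *:",
          [u for u, hit in no_trailing.items() if not hit and "wp-login" in u])
    print("not covered by any rule:", unprotected(RULES, SAMPLE_URLS))
```

Under this model the ordinary post URL is the only one left uncovered, which is what you want: the rules should touch the login and admin paths and nothing else.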