Secure WordPress Admin with MFA using Cloudflare


I see a lot of attempts to brute force the login page of my self-hosted WordPress. While I have a strong password, I was looking for ways to limit the admin console’s exposure to the internet and minimize the risk of brute force attacks.

I am also using Cloudflare to provide filtering to my site and caching content to increase website speed, and we can use Cloudflare’s Zero Trust feature to secure the WordPress admin console. For a small number of users on a personal blog, this is a free service.

How does it work?

Cloudflare will act as a proxy between your browser and the WordPress admin page. It will intercept requests to the WP-Admin page and require you to enter a PIN or be logged into your identity provider (Google, Facebook, Azure AD, Okta, SAML, etc. are all supported here). Once you have logged into the identity provider and meet the criteria defined in your Cloudflare policy, you will be passed through to the WordPress login page to log in as normal.

Do I need to install a WordPress plugin?

No. A WordPress plugin is not required.

Steps to enable MFA on WordPress Admin using Cloudflare

To get MFA on the WP Admin page using Cloudflare, follow these quick steps:

  1. Log in to the Cloudflare console and select Access.
  2. Select Launch Zero Trust (you may be required to accept additional terms; the service is free for a limited number of users).
  3. Select Applications and then select Add an application:
    • Select Self Hosted.
    • Enter an Application Name (e.g. Blog Login).
    • Enter the domain and path (you will need to add both /wp-admin and /wp-login.php).
    • Add the Login Policy by creating a Policy Name and an additional rule that uses the Emails selector. Enter your email address and click Next.
    • On the final page, keep the defaults and select “Add application”.

Note: The above steps assume you are using Cloudflare and your DNS settings point to their servers. If not, sign up for a free account.

Detailed Steps

1. Select Add an application and then select Self-Hosted.

2. Enter the subdomain, domain and path you wish to protect.

3. Assign a login policy that has the Selector set to your email address, or create an Access Group containing the email addresses of everyone authorized to access the resource.

Note: You can also create a Group by selecting Access Groups on the navigation bar. I created a Group called WP Admins which you can see in the above screenshot.

4. Test the configuration by visiting your admin page in a private browsing session.

Something similar to the screenshot above should appear. Note that in that screenshot I’m using Google as the identity provider.
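The quick steps and detailed steps above describe the same configuration built by hand in the dashboard. The following is an added example, not from the original post, of the same setup expressed as Terraform so it can be reviewed and reproduced; it assumes the Cloudflare Terraform provider's `cloudflare_access_group`, `cloudflare_access_application` and `cloudflare_access_policy` resources, and the zone id, domain and email address are placeholders.

```hcl
# Placeholder: the Cloudflare zone that hosts the blog
variable "zone_id" {}

# Access Group: the people allowed to reach the admin pages
# (equivalent to the "WP Admins" group created in the dashboard)
resource "cloudflare_access_group" "wp_admins" {
  zone_id = var.zone_id
  name    = "WP Admins"
  include {
    email = ["admin@example.com"]  # placeholder address
  }
}

# Self-hosted application covering both admin entry points:
# the dashboard alone is not enough, /wp-login.php must be covered too
resource "cloudflare_access_application" "blog_login" {
  zone_id = var.zone_id
  name    = "Blog Login"
  type    = "self_hosted"
  domain  = "blog.example.com/wp-admin"  # placeholder domain
  self_hosted_domains = [
    "blog.example.com/wp-admin",
    "blog.example.com/wp-login.php",
  ]
  session_duration = "24h"
}

# Login policy: allow only members of the group above; anyone else
# is stopped at Cloudflare before reaching the WordPress login form
resource "cloudflare_access_policy" "blog_login_allow" {
  zone_id        = var.zone_id
  application_id = cloudflare_access_application.blog_login.id
  name           = "Allow WP admins"
  precedence     = 1
  decision       = "allow"
  include {
    group = [cloudflare_access_group.wp_admins.id]
  }
}
```

After applying, repeat step 4 above: an unauthenticated private-browsing visit to either path should be redirected to the Cloudflare Access login rather than reaching the WordPress form.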

Leveraging Cloudflare’s Zero Trust feature can help reduce the number of brute force attacks on WordPress admin pages.

By setting up Multi-Factor Authentication (MFA) through Cloudflare, you add an extra layer of security without introducing the new risk that comes with installing unvetted plugins.
