This is one of my ideas: use Cloudflare Web Application Firewall (WAF) and Cloudflare Turnstile (CAPTCHA) to add an extra security layer to the default WordPress login page by stopping most automated login attempts (brute force).
- First, we add a Cloudflare WAF rule to block requests to `xmlrpc` (which I don't use).
  - Rule name: whatever you like
  - When incoming requests match…:
    - Field: URI
    - Operator: contains
    - Value: `xmlrpc`
  - The expression preview should look like this: `(http.request.uri contains "xmlrpc")`
  - Then: Block
- Next, we add a Cloudflare WAF rule to add extra security to `wp-login`. This applies a challenge before the default WordPress login page is served to visitors.
  - Rule name: whatever you like
  - When incoming requests match…:
    - Field: URI
    - Operator: contains
    - Value: `wp-login`
  - The expression preview should look like this: `(http.request.uri contains "wp-login")`
  - Then: Managed Challenge / JS Challenge / Legacy Captcha
- Third, set up Turnstile in your Cloudflare account.
- Then install the WordPress Turnstile plugin and finish its setup to activate Cloudflare Turnstile on the WordPress login form.
That’s all. That will stop most automated login attempts.
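To confirm that both WAF rules are live on your own site, here is a small check script, added as an example and not part of the original post. It assumes Cloudflare's default 403 response for the Block action and the `cf-mitigated: challenge` response header on challenge pages; `WP_SITE` is a hypothetical variable holding your site's base URL.

```shell
#!/bin/sh
# Added example (not from the original post). WP_SITE is a hypothetical
# variable holding your own site's base URL, e.g. https://example.com

# Read raw HTTP response headers on stdin; print challenge, block or pass.
# Assumes Cloudflare's default 403 for Block and its "cf-mitigated: challenge"
# header on challenge pages.
classify_response() {
    awk '
        { sub(/\r$/, "") }                      # strip CR from CRLF line ends
        NR == 1 { status = $2 + 0 }             # "HTTP/2 403" -> 403
        tolower($1) == "cf-mitigated:" && tolower($2) == "challenge" { ch = 1 }
        END {
            if (ch) print "challenge"
            else if (status == 403) print "block"
            else print "pass"
        }'
}

# Fetch one URL (no redirects followed) and compare with the expected result.
check_url() {
    got=$(curl -s -o /dev/null -D - "$1" | classify_response)
    if [ "$got" = "$2" ]; then
        echo "OK   $1 -> $got"
    else
        echo "FAIL $1 -> $got (expected $2)"
        return 1
    fi
}

if [ -n "${WP_SITE:-}" ]; then
    check_url "$WP_SITE/xmlrpc.php" block
    check_url "$WP_SITE/wp-login.php" challenge
else
    # Constructed sample headers, so the script also runs offline.
    printf 'HTTP/2 403 \r\ncf-mitigated: challenge\r\n\r\n' | classify_response
fi
```

A `pass` result for either URL means the request reached WordPress without being blocked or challenged, so the rule expression or its deployment needs another look.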