Cloudflare Firewall Rules to Protect WordPress

Cloudflare Firewall rules a protecting my site from a brute force attack from a botnet. Below I’ll show you how to use Firewall Rules to keep your WordPress site safe. With the Cloudflare free plan, it includes five free Cloudflare Firewall Rules.

Cloudflare Firewall Rules

Cloudflare Firewall

Cloudflare is using wirefilter, which is a Wireshark-like expression language that they have created. We will need to create two rules to properly protect our WP Dashboard. This will leave you with three rules for your site.

Firewall Rule #1

We need to allow our IP addresses to access the WP Dashboard. For example, my home network primarily uses IPv6, so I had to allow my subnet access. The first part of this rule checks to see if my IP address is in the subnet specified. Furthermore, the curly brackets used are critical when using CIDR notation. Wireshark handles CIDR notation differently. The second part specifies the URI path I want to protect.

No other rules will be processed after the conditions for a rule return true. You can use parenthesis to group boolean logic.

The action associated with this rule should be “Allow.”

Firewall Rule #2

If rule #1 isn’t evaluated as true, then Cloudflare will compare the request to the next rule. In this rule, we set the action to “Block” all access to our WP Login page, and the WP Admin folder.


By doing this you’ve essentially restricted access to your WordPress dashboard to only the IP addresses you use. If you have a captcha, or other plugin installed to protect your login, you can probably get rid of it after you verify this solution is working.

Please note that this solution will only work if the requests are coming through Cloudflare. Lastly, if someone is hitting your origin server directly, then Cloudflare isn’t able to help. And, if people are bypassing Cloudflare, then I recommend you look into Authenticated Origin Pulls.


If your site utilizes AJAX then these rules may break your site. Since /wp-admin/admin-ajax.php is the file used to handle the AJAX calls. So, if your site does use AJAX, then you will want to create another rule that comes first that allows all requests to that file.

Thank you, Robert, for bringing this to my attention.