How can we help?
Searching...
  1. Home
  2. Knowledge Base
  3. Domains and DNS
  4. Cloudflare
  5. How to Protect Your WordPress Website with Cloudflare

How to Protect Your WordPress Website with Cloudflare

Content

Overview

Cloudflare is a robust security and performance tool that helps protect your WordPress website from attacks, reduces downtime, and improves speed. This guide will walk you through integrating Cloudflare with your WordPress site.

 

Step 1: Sign Up or Sign In to Cloudflare

  • If you don’t have a Cloudflare account, you can sign up for one free on the company's website.
  • If you already have an account, simply sign in.
  • Click “Add a Site” and enter your domain name.
  • Cloudflare will scan your existing DNS records.

Need Cloudflare Pro?
You can order Cloudflare Pro directly from us for advanced protection and optimization.
If you’ve already purchased Cloudflare services from us, log in to your client area to manage your settings.

    Step 2: Update Your Nameservers
    1. Cloudflare will provide new nameservers.
    2. Log into your domain registrar (GoDaddy, Namecheap, etc.).
    3. Update your DNS nameservers to Cloudflare’s.
    4. Wait for the changes to propagate (it may take a few hours).

    Step 3: Configure Security Settings

    • Enable Web Application Firewall (WAF) (available on Pro+ plans).
    • Turn on DDoS Protection (enabled by default).
    • Set up Rate Limiting to block excessive login attempts.

    Step 4: Secure Your WordPress Admin Login (wp-admin & wp-login.php)

    Protecting your WordPress admin panel is crucial to prevent brute-force attacks and unauthorized access. Follow these steps to secure it using Cloudflare:

    Block Unwanted Access to wp-login.php

    Option 1: Restrict Access by IP Address

    If you have a static IP address, allow only your IP to access the login page:

    1. Go to Cloudflare DashboardSecurityWAF (Firewall Rules).
    2. Click Create a Firewall Rule.
    3. Name the rule “Restrict WP Login.”
    4. Set the following conditions:
      • Field: URI Path contains /wp-login.php
      • Field: IP Address is not [Your IP Address]
    5. Select “Block” as the action.
    6. Save and Deploy.

    🔹 This will block all login attempts except from your IP.

    Option 2: Challenge Suspicious Traffic with JS Challenge or CAPTCHA

    If you don’t have a static IP or multiple users need access:

    1. Go to Cloudflare DashboardSecurityWAF (Firewall Rules).
    2. Create a rule with:
      • URI Path contains /wp-login.php
      • Action: JS Challenge or Managed Challenge (CAPTCHA).
    3. Save and Deploy.

    🔹 This adds an extra verification step to prevent bots from reaching the login page.

    Enable Rate Limiting to Prevent Brute-Force Attacks

    1. Go to SecurityWAFRate Limiting Rules.
    2. Click Create a Rule.
    3. Set the following:
      • If URI Path contains /wp-login.php
      • Requests exceed 10 per minute
      • Action: Block for 15 minutes.
    4. Save and Deploy.

    🔹 This prevents repeated login attempts by hackers and bots.

    Disable XML-RPC to Block Automated Attacks

    The xmlrpc.php file is often targeted by bots to brute-force WordPress logins.

    1. Go to Firewall RulesCreate Rule.
    2. Set:
      • URI Path contains xmlrpc.php
      • Action: Block.
    3. Save and Deploy.

    🔹 This stops unnecessary login attempts via XML-RPC, reducing server load.

    For ultimate protection, use Cloudflare Access to lock down your admin page.

    1. Go to Zero Trust DashboardAccess.
    2. Create a rule:
      • URL Path contains /wp-admin
      • Require authentication via: Google, Microsoft, or OTP.
    3. Save and Deploy.

    🔹 Only verified users will be allowed to access your admin panel.

    Step 5: Optimize Performance

    • Enable Automatic Platform Optimization (APO) for full-page caching.
    • Turn on Rocket Loader for faster JavaScript loading.
    • Enable Auto Minify to reduce file sizes.

    Step 6: Install Cloudflare WordPress Plugin

    1. Install the Cloudflare plugin from the WordPress plugin directory.
    2. Connect it to your Cloudflare account.
    3. Apply recommended settings.

    ✅ Best Practices

    Use Full (Strict) SSL for maximum security.
    Block XML-RPC to prevent brute-force attacks.
    Create Page Rules to exclude admin pages from caching.
    Monitor Traffic Analytics in Cloudflare for threats.
    Block unauthorized IPs from accessing wp-login.php.
    Use CAPTCHA or JS Challenge to prevent bot attacks.
    Limit login attempts with Rate Limiting.
    Disable XML-RPC to block automated brute-force attempts.
    Use Cloudflare Access for maximum protection.

    Share this:
    FacebookTwitterWhatsAppViberCopy LinkTelegramLinkedIn
    Updated on February 8, 2025
    Was this article helpful?
    Yes No

    Related Articles

    Need Support?
    Can't find the answer you're looking for?
    Contact Support