Protect Your WordPress Admin with Cloudflare’s “I’m Under Attack” Mode and Country-Based Restrictions

Securing a WordPress website is essential, especially against DDoS attacks and unauthorized login attempts targeting wp-admin and wp-login.php. Cloudflare’s “I’m Under Attack” Mode helps mitigate these threats by making every visitor’s browser pass a verification challenge before the request reaches your site, which filters out most automated traffic while letting legitimate visitors through.

Additionally, you can enhance security by blocking access from high-risk countries known for cyberattacks, such as China, Russia, Iran, and North Korea. Below are the steps to enable these protections.


1. Enable “I’m Under Attack” Mode for the Entire Website

If your website is under a large-scale attack, you can activate this mode for all visitors:

  1. Log in to your Cloudflare account via the dashboard.
  2. Select the domain you want to protect.
  3. Navigate to Security > Settings.
  4. Under Security Level, choose I’m Under Attack!.

This setting will prompt all visitors to pass a browser verification challenge, filtering out malicious bots and DDoS threats.


2. Enable “I’m Under Attack” Only for wp-admin and wp-login.php

To protect only the WordPress admin area while keeping the rest of the site accessible:

  1. In Cloudflare, go to Security > Settings.
  2. Look for Configuration Rules and click Create Rule.
  3. Set the following condition:
    • Field: URI Path
    • Operator: Starts with
    • Value: /wp-admin
  4. To also protect the login page, use the following advanced expression:

    (starts_with(http.request.uri.path, "/wp-admin")) or (starts_with(http.request.uri.path, "/wp-login"))
  5. Under Action, select Add I’m Under Attack and enable it.

This applies the browser challenge only to the admin and login paths, so legitimate visitors to the rest of the site are not affected.


3. Block Access from High-Risk Countries

To prevent access from countries with a high number of cyberattacks (e.g., China, Russia, Iran, North Korea), configure country-based blocking:

  1. Log in to Cloudflare and go to Security > Settings.
  2. Navigate to IP Access Rules.
  3. Create a new rule with the following parameters:
    • Field: Country
    • Operator: Equals
    • Values: China, Russia, Iran, North Korea (add any other high-risk countries).
  4. Action: Select Block.

This will completely block connections from these countries, reducing brute force and bot-driven attacks. Note that the match is based on the geolocation of the connecting IP address, so it also blocks legitimate visitors from those countries and does not stop attackers who route through proxies or VPNs elsewhere.


4. Restrict Access to Specific IP Addresses

If you manage your website from a fixed IP location, you can restrict access to only trusted IPs:

  1. Go to Cloudflare > IP Access Rules.
  2. Add a new rule:
    • Field: IP Address
    • Operator: Is not equal to
    • Value: (your trusted IP or range).
  3. Action: Block.

This will allow only authorized IP addresses to access wp-admin while blocking everyone else. A rule keyed on the source IP alone applies to the whole site, so to limit it to the admin area, combine it with the URI path condition from section 2 (block requests whose path starts with /wp-admin or /wp-login and whose source IP is not in your trusted list).
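The rules from sections 2, 3 and 4 expressed as Cloudflare Rulesets API payloads, as an added example that is not part of the original post. It uses the Rules-language fields and the set_config action, expresses the country block as a WAF custom rule rather than an IP Access Rule (same effect), and treats the zone ID, API token, trusted IPs and country list as placeholders you substitute.

```python
import json
from urllib import request

# Constructed placeholders for this example; substitute your own values.
TRUSTED_IPS = ["203.0.113.10", "198.51.100.0/24"]  # RFC 5737 documentation addresses
BLOCKED_COUNTRIES = ["CN", "RU", "IR", "KP"]  # China, Russia, Iran, North Korea (ISO 3166-1 alpha-2)
ADMIN_PATHS = ["/wp-admin", "/wp-login"]

def admin_path_expr(paths=ADMIN_PATHS):
    """Rules-language match for the WordPress admin area (the expression from section 2)."""
    return "(" + " or ".join(f'starts_with(http.request.uri.path, "{p}")' for p in paths) + ")"

def country_block_expr(countries=BLOCKED_COUNTRIES):
    """Site-wide match for the high-risk countries (section 3)."""
    return "ip.geoip.country in {" + " ".join(f'"{c}"' for c in countries) + "}"

def ip_allowlist_expr(trusted=TRUSTED_IPS, paths=ADMIN_PATHS):
    """Match admin-area requests from any source NOT in the trusted set (section 4).
    Anchoring on the admin paths keeps the public site reachable from everywhere."""
    return f"{admin_path_expr(paths)} and not ip.src in {{{' '.join(trusted)}}}"

def build_rulesets(trusted=TRUSTED_IPS, countries=BLOCKED_COUNTRIES):
    """Return {phase: ruleset body} for the zone's phase entrypoint rulesets."""
    return {
        # Configuration rule: Security Level "I'm Under Attack" on admin paths only.
        "http_config_settings": {"rules": [{
            "description": "Under Attack mode for wp-admin and wp-login",
            "expression": admin_path_expr(),
            "action": "set_config",
            "action_parameters": {"security_level": "under_attack"},
        }]},
        # WAF custom rules, evaluated in order; "block" terminates evaluation.
        "http_request_firewall_custom": {"rules": [
            {"description": "Block high-risk countries",
             "expression": country_block_expr(countries), "action": "block"},
            {"description": "Admin area only from trusted IPs",
             "expression": ip_allowlist_expr(trusted), "action": "block"},
        ]},
    }

def apply_rulesets(zone_id, api_token, rulesets=None):
    """PUT each phase entrypoint; this REPLACES every existing rule in that phase."""
    for phase, body in (rulesets or build_rulesets()).items():
        req = request.Request(
            f"https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/{phase}/entrypoint",
            data=json.dumps(body).encode(), method="PUT",
            headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"})
        with request.urlopen(req) as resp:
            print(phase, json.load(resp)["success"])
```

If front-end features call /wp-admin/admin-ajax.php for logged-out visitors, exclude that path from the allow-list rule or they will break for everyone outside the trusted IPs.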


5. Preview “I’m Under Attack” Mode

To see how your website will behave with this protection:

  1. Log in to Cloudflare.
  2. Go to Manage Account > Configurations.
  3. Under Custom Pages, select Managed Challenge / I’m Under Attack Mode™ and click View Default.

Visitors will see a “Checking your browser before accessing…” message for a few seconds before being granted access.


Conclusion

By applying these Cloudflare settings, you significantly enhance WordPress security, reducing the risk of DDoS attacks, brute force attempts, and unauthorized logins. For additional protection, consider:

  • Enabling two-factor authentication (2FA) for WordPress.
  • Changing the default login URL using plugins like WPS Hide Login.
  • Using security plugins like Wordfence or iThemes Security.
  • Disabling XML-RPC if not needed, as it’s a common attack vector.

With these measures in place, you strengthen your website’s defenses, ensuring a secure and seamless experience for legitimate users. 🚀

Source: WordPress directo
