Cloudflare page rules for login security

Cloudflare page rules deserve to be much more widely known and used as a highly effective component of a layered brute force login defense. The Cloudflare free tier gives me three page rules, which is enough, just barely, for both login security and blazing site speed. Login security takes up two of the three rules, but does double duty by also bypassing the Cloudflare cache for the login page and admin area. My Cloudflare page rules for login security challenge and block bad bots at the Cloudflare edge, so they never even reach my site's server, login screen, or admin area. A storm of brute force login bots, even if none of them ever succeeds at logging in, could slow my site or bring it down by tying up server resources on every attempt. These rules move all that resource burden off my site and onto Cloudflare.

The login and admin security rules are the first two in the following image. They can be in either order but must be before the third rule, the one for blazing site speed, because Cloudflare applies only the first page rule that matches a request: if the caching rule came first, it would win for the login and admin URLs and the security settings would never apply. Kinda obvious but worth stating: substitute your site name for 'bygosh.com'.

[Image: Cloudflare page rules for login security]

Rule 1: *bygosh.com/wp-login*
Browser Integrity Check: On, Security Level: I'm Under Attack, Cache Level: Bypass

Rule 2: *bygosh.com/wp-admin*
Browser Integrity Check: On, Security Level: I'm Under Attack, Cache Level: Bypass

You might spot a seemingly clever way to combine the two page rules using the string '*bygosh.com/wp-*'. Not recommended. That wildcard also matches everything under the wp-content and wp-includes folders (themes, plugins, uploads, core scripts), so every static asset would skip the cache and every visitor fetching one would be challenged, causing no end of unintended consequences. Similarly, '*bygosh.com/wp-*in*' or some other too-clever string is also not recommended: 'in' appears in wp-includes and in wp-content/plugins, so it catches nearly as much. Just gotta live with using up two precious page rules in return for substantial login security. One thing to check after enabling the admin rule: '*bygosh.com/wp-admin*' also matches wp-admin/admin-ajax.php, which some plugins call from the public front end, so test any front-end features that depend on it.
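To see concretely why the two separate rules above are the right shape and the combined patterns are not, here is a small simulator of page-rule URL matching. It is an added example, not code from the original post or from Cloudflare; it assumes page-rule semantics where '*' matches any run of characters, the scheme is ignored and matching is case-insensitive (an approximation of the documented behaviour), and the sample URLs are constructed for illustration.

```python
import re

# Added example, not part of the original post: simulate how a Cloudflare page
# rule URL pattern matches requests, then compare the two recommended patterns
# against the "too-clever" combined ones. Assumption: '*' matches any run of
# characters, the scheme is ignored, and matching is case-insensitive.

RECOMMENDED = ["*bygosh.com/wp-login*", "*bygosh.com/wp-admin*"]
TOO_CLEVER = ["*bygosh.com/wp-*"]
TOO_CLEVER_NARROWER = ["*bygosh.com/wp-*in*"]

# Constructed sample requests: login/admin hits followed by ordinary traffic.
SAMPLE_URLS = [
    "https://bygosh.com/wp-login.php",
    "https://www.bygosh.com/wp-admin/",
    "https://bygosh.com/wp-admin/admin-ajax.php",   # front-end plugins call this too
    "https://bygosh.com/wp-content/plugins/akismet/akismet.js",
    "https://bygosh.com/wp-includes/js/jquery/jquery.js",
    "https://bygosh.com/2019/hello-world/",
]


def page_rule_matches(pattern: str, url: str) -> bool:
    """Return True if a page-rule pattern covers the URL.

    '*' is expanded to '.*'; every other character is taken literally
    (assumption: no other wildcard exists). The scheme is dropped first so
    http and https requests are treated alike.
    """
    host_and_path = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, host_and_path, re.IGNORECASE) is not None


def urls_caught(patterns, urls):
    """URLs that at least one pattern pulls under the rule's actions
    (challenge, browser integrity check, cache bypass)."""
    return [u for u in urls if any(page_rule_matches(p, u) for p in patterns)]


def collateral(patterns, urls, intended=RECOMMENDED):
    """URLs a pattern set catches that the intended login/admin rules would not:
    these are the assets and pages that would lose caching and get challenged."""
    wanted = set(urls_caught(intended, urls))
    return [u for u in urls_caught(patterns, urls) if u not in wanted]


if __name__ == "__main__":
    for name, patterns in [
        ("recommended", RECOMMENDED),
        ("wp-*", TOO_CLEVER),
        ("wp-*in*", TOO_CLEVER_NARROWER),
    ]:
        caught = urls_caught(patterns, SAMPLE_URLS)
        extra = collateral(patterns, SAMPLE_URLS)
        print(f"{name}: caught {len(caught)} of {len(SAMPLE_URLS)}, collateral: {extra}")
```

Running it shows the recommended pair catching only the three login/admin URLs, while both combined patterns also sweep in the plugin script and the core jQuery file, exactly the static assets that should stay cached and unchallenged. The admin-ajax.php hit in the recommended set is the caveat noted above: it is caught on purpose by the wp-admin rule, so front-end features that call it need a test after enabling the rule.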

The other slight downside to this approach …

There can be a slight delay when I log into my admin dashboard, as Cloudflare checks to verify I am a well-behaved human as opposed to a bot or malicious hacker.

If the check finds anything suspicious, I have on rare occasions been challenged with a visual captcha. To me, this is a small price to pay for keeping bad login bots at bay.

WPPOV supports freedom from Net Neutrality and the GDPR. The Internet of the people, by the people, for the people, shall not perish from the Earth.