
Cloudflare Firewall Rules to Protect WordPress - levidurfee
https://levi.lol/cloudflare-firewall-rules-to-protect-wordpress/
======
chrismeller
While a great idea in principle, this is... incomplete.

You can also do exactly the same thing with any web server. And you should.
Just because you use Cloudflare doesn’t mean your server is not directly
accessible on the internet. Sure, its IP is masked, but that doesn’t mean it’s
suddenly invisible.

In reality this is just a much more advanced version of security through
obscurity.

~~~
levidurfee
Thank you for your feedback! You're right, you can do this with any web
server, but that is difficult for some people to implement. I'm not saying
people shouldn't learn, and do difficult things to protect their websites, but
starting with the Cloudflare Firewall is a step in the right direction.

What are the odds you can guess the IP address of my server? They're pretty
slim I think. Also, if I use Cloudflare's Authenticated Origin Pulls, my web
server won't respond to your request if you managed to find my IP.

Also, I'm not saying you shouldn't take other security measures, like having a
secure password, using mod_security, etc. The intent of using these firewall
rules is to prevent login attempts, or at least reduce the number of login
attempts to your WP site.

Moreover, if I were to use Cloudflare Argo Tunnel, then it would mean my
server is not directly accessible on the internet.

[https://support.cloudflare.com/hc/en-us/articles/204899617-A...](https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls)
[https://www.cloudflare.com/products/argo-tunnel/](https://www.cloudflare.com/products/argo-tunnel/)

------
tluyben2
Note the comment about admin-ajax below the article; it's a real problem. One
of the many bad design decisions in WP.

~~~
levidurfee
Adding another rule would handle the admin-ajax situation.

------
huxflux
So much needed, bye bye Wordfence and all so-called "security plugins".

