Block bots from reaching WordPress login using Cloudflare

If you have bots brute-forcing your WordPress login page, you can use Cloudflare to stop these bots from reaching the page at all.

A plugin can also be used to block bots, but the plugin does its blocking on your own server and uses a lot of server resources to do it. Even if the attacks are successfully blocked, this can take your site offline by bogging down your server: it will be so busy blocking attacks that it can't serve legitimate visitors the pages they want to see.

Using Cloudflare moves the blocking to Cloudflare's CDN servers. The brute-force attacks will be stopped at Cloudflare and never reach your site. This leaves your site free to serve pages to legitimate visitors. Cloudflare allows you to set up as many as five separate sets of firewall rules. Each set can have several filters chained together to create complex filtering and blocking rules. Here we will concentrate on setting up one simple rule.

Setting up the rule

Once you've logged into Cloudflare and chosen the domain, go to Firewall >> Firewall Rules from the menu on the left side. Then click the "Create a Firewall rule" button.

Name your rule: wp-login.php (or your choice)

When incoming requests match:
Field: URI Path
Operator: equals
Value: /wp-login.php

Then: Challenge (captcha)

Click deploy and test.
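One way to do the "test" step, as an added example that is not part of the original page: the script checks that the login path is answered by a Cloudflare challenge while other pages still reach the site. It relies on the `cf-mitigated: challenge` response header Cloudflare sets on challenge pages; the function names and the sample responses are constructed for illustration.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

PROTECTED = "/wp-login.php"  # the Value entered in the rule


def is_challenged(headers):
    """True if Cloudflare answered with a challenge page instead of the origin."""
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return lowered.get("cf-mitigated") == "challenge"


def check_rule(responses):
    """responses maps request path -> (status, headers); returns problems found."""
    problems = []
    for target, (status, headers) in responses.items():
        # URI Path excludes the query string, so ?action=... must still match.
        protected = urlsplit(target).path == PROTECTED
        challenged = is_challenged(headers)
        if protected and not challenged:
            problems.append(f"{target}: HTTP {status} from origin, rule not applied")
        elif challenged and not protected:
            problems.append(f"{target}: challenged, rule is broader than intended")
    return problems


def fetch(url):
    """GET url and return (status, headers) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "rule-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


# Constructed sample responses (not captured traffic) for an offline run.
SAMPLE = {
    "/wp-login.php": (403, {"Server": "cloudflare", "cf-mitigated": "challenge"}),
    "/wp-login.php?action=lostpassword": (403, {"CF-Mitigated": "challenge"}),
    "/": (200, {"Server": "cloudflare"}),
}

if __name__ == "__main__":
    # Pass your site's base URL to test it live; with no argument the sample is used.
    base = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else None
    results = {p: fetch(base + p) for p in SAMPLE} if base else SAMPLE
    print("\n".join(check_rule(results)) or "rule behaves as expected")
```

Run it with no arguments to see the offline result, or with your own site's base URL after deploying the rule.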
