Before we dig into securing the website login, let see some introduction of Cloudflare.

What is Cloudflare?

As we all know, Cloudflare is one of the best CDN(Content delivery network) and DNS(Domain Name System) out there in the market.

Is Cloudflare just a DNS and CDN?

Well No! It’s also an internet reverse proxy service provider. There are many security features that come with Cloudflare.

Why cloudflare?

When the website domain is configured in Cloudflare DNS with “proxy” switched on, it acts as a reverse proxy for the website. All the traffic coming into the website and going out of it will be through the Cloudflare security infrastructure. So we can use it to inspect what type of traffic is coming in and to which URL’s. The malicious content can be filtered out thereby protecting our website. Cloudflare also do provide free SSL for our website and makes it HTTPS. Behind Cloudflare network, it connects to the real web server by different means such as HTTP or HTTPS (strict or flexible)

Need to know more, Have a look at https://www.cloudflare.com/

Benefits of using Cloudflare

• DDoS protection – As cloudflare faces the internet, it takes the initial hit, so the website is protected in case of a DDoS attack
• Firewall (3 rules in the free plan)
• Rule based page caching (3 rules in the free plan)
• Ultra fast DNS
• Has a reCaptcha feature to get rid of robots.
• Client certificate authentication
• Caching and mimify(html, css and js)
• And many more…

Securing the WordPress website login using Cloudflare and Wireguard VPN

Now let’s start the configuration

Changing the WordPress admin page url

Everyone knows, the login page of WordPress is https://domainname.com/wp-login.php, so anyone can try a random combination of credentials or even do a brute-force attack.
As a precaution, we first change the login URL using a WordPress plugin – https://wordpress.org/plugins/wps-hide-login/
The plugin should be installed which will then appear in the admin panel “Settings > WPS Hide Login”. Change the URL to something “not so common” and save the settings.

Now the URL of the WordPress login page is changed and when someone tries https://domainname.com/wp-admin they will be redirected to the 404 page or we can set it to any page as required.
This gives a certain level of protection as the URL is not a well-known phrase.

A self-hosted Wireguard VPN

By self-hosting a VPN(Virtual Private Network) in your cloud VPS, the VPN server will modify the source IP address of the traffic to the VPN server’s IP address. Connecting to the VPN changes our IP address and this IP can be whitelisted in Cloudflare’s firewall. So only we have access to the WordPress login page URL. This step is not needed if you own a static IP from your ISP which is not always the case.

Wireguard is a new and lightweight VPN solution that can be easily deployed using a docker container. There is a wireguard docker container from linuxserver.io which can be easily deployed.

Follow tekcookie.com for upcoming VPN articles.

The VPN can be configured as a split tunnel allowing only the website IP or a tunnel mode VPN tunneling the entire traffic. It’s better to use split-tunnel mode VPN as it does not take much of the network bandwidth.

For split-tunnel configuration, IPTables of the wireguard server has to be configured to allow only the website traffic

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -d tekcookie.com -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -d tekcookie.com -o eth0 -j MASQUERADE

In the VPN Client software, the AllowedIPs parameter should have the public IP address of the website.

AllowedIPs = 132.123.13.123/32, 111.222.212.123/32

If there is more than one IP to the website, it can be added as shown in the sample above. The IP address of the domain is obtained by nslookup to any DNS servers out on the internet.

By this, only the website traffic is tunneled through the VPN and other traffic takes the normal internet.

Cloudflare Firewall Rules

In the Cloudflare firewall, a rule is added to block all the traffic to the login URL except the traffic having the VPN server’s IP as the source address.

Navigate to Firewall > Firewall Rules and click the “Create a Firewall rule” button to create a new rule.

In the rule, custom login page URL is added with the VPN server’s IP address.

This is a “Block” rule which blocks all the traffic to https://domainname.com/randomurl if the source IP address does not match the VPN server’s IP address.

Means, this page is only accessible if the VPN is connected.

Along with the IP address filtering, there are many more filters available such as Country, cookie, user agent, client certificate verified, etc. Just explore it out and frame your own rules for better security.

Conclusion

This article explains how to secure the WordPress login. But this does not guarantee the overall website security from internet threats. For that, a vulnerability assessment has to be performed to identify the loopholes. The WordPress and the plugins have to be kept updated to protect from the known security issues. There are also many WordPress plugins that help to increase website security.

The sad truth of security is nothing is 100% secure.

Hope you liked this article and thank you for reading.