Block Admin Area of your Website with Cloudflare

Today more than ever, you need to lock down your website, including the admin area. If you were to take a look at the access to your admin area, you would be astonished at the attempts by hackers to access and compromise your website. This blog article and video will show you how to lock down this section, or any other section, of your website. It's simple and free!

Areas of a website you may wish to restrict access to or block:

  • /wp-admin
  • /admin
  • /backend
  • /cms
  • /editor
  • /protected-area
  • /secure-area
  • /.htaccess
  • /.env

Cloudflare is no doubt one of the largest CDN networks out there. Cloudflare has more than 80% of the market! Cloudflare does much more than simply cache the content of your website and make it faster. It offers DDoS protection, custom rules, basic WAF firewalling, and the ability to block entire countries from accessing your website. This can all be done while giving yourself and your staff full access to the admin area of your website or web server.

Create a Cloudflare Firewall Block Rule

Log in to your Cloudflare account and navigate to the Firewall section. Click on "Firewall Rules" and create a Block rule, as described in the above video. Note the double brackets "((" and "))" at the beginning and end of the rule (if you have more than one item in your ruleset).

Example Cloudflare Firewall Block Rule

((http.request.uri.path contains "/admin/") or (http.request.uri.path contains "/backend") or (http.request.uri.path contains "/wp-admin") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/xmlrpc.php"))

Create an allow rule for your home or office network.

The next thing you have to do is allow access from your home or office network. You can do this by obtaining the IP address of your home router or office network gateway. Create a rule allowing one or both of these IPs, plus any others you may wish to add. Make sure your Allow rule is "above" the Block rule. If you have a dynamic IP address that changes periodically, you can simply come back to Cloudflare and update the rule when your IP address changes, or you can buy a VPN service with a static IP address.

Sample Cloudflare Firewall Allow Rule

((ip.src eq my-home-ip-address) or (ip.src eq my-business-ip-address))

Replace "my-home-ip-address" and "my-business-ip-address" with your actual IP Address (e.g.

Block the Backdoor (ByPass) to your Webserver


The problem with the above network is that a hacker will bypass the Cloudflare network and attack your server directly once they obtain its IP address. All you have to do is search on Google for "obtain IP from network behind cloudflare" and you will find that it is very easy to obtain.

One way to prevent your server from being attacked is to force all web traffic (ports 80 and 443) through Cloudflare by allowing only traffic from Cloudflare's network and blocking all other traffic. This can be done as shown in the diagram below.
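One way to implement this origin lock-down with iptables, as an added example that is not from the original article. It assumes a Linux web server using the INPUT chain; the function name and the sample ranges are constructed placeholders, and the real list is published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```shell
#!/bin/sh
# Added example: print (not run) firewall rules that admit ports 80/443
# only from an allow-list of Cloudflare ranges, so they can be reviewed first.

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space),
# NOT Cloudflare's real ranges. Replace with the current published list.
SAMPLE_RANGES='# one CIDR per line
203.0.113.0/24
198.51.100.0/24
2001:db8::/32
bad entry; ignored'

# cf_origin_rules (hypothetical name): reads CIDRs on stdin, writes rules to stdout.
cf_origin_rules() {
  while IFS= read -r line || [ -n "$line" ]; do
    # Strip comments and whitespace, skip blank lines.
    cidr=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
    [ -n "$cidr" ] || continue
    case "$cidr" in
      # Refuse anything that is not a plain CIDR: the output is meant to be
      # executed, so a tampered list must not be able to inject commands.
      *[!0-9a-fA-F.:/]*) echo "rejected entry: $cidr" >&2; continue ;;
      *:*/*) tool=ip6tables ;;
      *.*/*) tool=iptables ;;
      *) echo "rejected entry: $cidr" >&2; continue ;;
    esac
    echo "$tool -A INPUT -p tcp -m multiport --dports 80,443 -s $cidr -j ACCEPT"
  done
  # After the allow entries, drop web traffic from every other source.
  # Only ports 80 and 443 are touched, so SSH and other services are unaffected.
  for tool in iptables ip6tables; do
    echo "$tool -A INPUT -p tcp -m multiport --dports 80,443 -j DROP"
  done
}

# Stand-alone run: show the rules generated from the sample list.
printf '%s\n' "$SAMPLE_RANGES" | cf_origin_rules
```

The rules are appended, so an earlier ACCEPT rule for port 80 or 443 already in the INPUT chain would still match first; remove it before applying these, and save the rules with your distribution's persistence mechanism so they survive a reboot.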


Ron Billings

Clustered Networks

Located in Edmonton, AB Canada, Clustered Networks was Incorporated in 2001 and has offered Network / Internet and IT Consulting services for over 20 years.

Posted in Linux Network Admin Tips, Network Security Tips, Tech How To on Sep 28, 2021