Securing WordPress with CloudFlare Access

Cloudflare Access is a very ingenious way to protect critical parts of various services, such as admin login pages. Cloudflare access is a service that in many cases can replace the use of in-house VPN services. If you are not familiar with Cloudflare, I recommend you read our previous article on Cloudflare deployment.

Cloudflare Access from a technical perspective

If you're not interested in technology, but want to take your WordPress site to the next level of security, for example, skip this section.

Cloudflare Access is an authentication system that sits between you and your server. Its purpose is to prevent unknown parties from accessing critical parts of your online service. So the user has to authenticate first - before they can even navigate to the site's login screen in their browser. Cloudflare mimics Google's BeyondCorp system and brings the benefits of BeyondCorp to everyone.

Identification

Authentication can be done using a Google Account, Azure Active Directory or Okta, for example. Cloudflare Access therefore supports the largest and most common authentication methods. You can also use email to authenticate if you wish.

WordPress control panel security

With Cloudflare Access, you can protect almost any page on the web that needs to be restricted. The WordPress login page is not very secure by default. The /wp-admin/ page is almost invariably attacked online by automated scanners on a daily basis. This page should therefore be protected as much as possible. A really good password and password manager already significantly improve security, but constant intrusion attempts by heavy scanners can slow down the whole site. With Cloudflare Access, you protect your site from these attacks, as scanners or other intruders cannot even connect to the /wp-admin/ page of your site. When an attacker visits the login page of the control panel, they will first find themselves on the Cloudflare login page. If an attacker tries to break this page, they are attacking Cloudflare, not your page.

Cloudflare Access deployment

NOTE! This guide assumes that you have already activated Cloudflare for use on your website. If you haven't done so you can follow our Cloudflare deployment blog post.

1. Cloudflare control panel

Open the Cloudflare control panel and navigate to "Access". Click on "Manage access" and select the number of users you need to access the WordPress control panel. Finally, press "Continue". Cloudflare Access is free for the first five users. After five users, the price is $3/user/month.

2. How to identify yourself

Scroll to the next section "Login method". Press "Add" to add a new authentication method. We use email and Google accounts as examples. Authentication by email is done with a "One-Time pin" authentication. The One-Time pin does not require any further configuration at this stage. Google authentication requires action in the Google Cloud console. If you do not want to use Google authentication, you can go to the next section.

Signing in with your Google Account

If you want to sign in to Cloudflare Access using your Google Account, follow these instructions.

1. Log in to the API management side of the Google Cloud console.
2. Press "Create" to create a new project.
3. For example, name the project "Cloudflare Access" and press "Create".
4. Click on "Create Credentials" and select "OAuth Client ID".
5. If you see a message saying "Configure Consent Screen", press it and follow the instructions.
6. Fill in the "Product Name" field and press save. The Product Name is displayed to users upon login.
7. Select "Web Application" from "Application Type". Give the application a name and in the "Authorized Javascript Origins" field, fill in "https://omadomain.cloudflareaccess.com" (replace "domain" with the one you have specified in the "Login Page Domain" field on the Cloudflare access page).
8. In the "Authorized redirect URIs" field, enter "https://omadomain.cloudflareaccess.com/cdn-cgi/access/callback" and press "Create".
9. Copy both "client ID" and "secret" to the Cloudflare Access configuration.

3. Protection and assignment of rights

Scroll down to "Access Policies" and click on "Create Access Policy". We will start securing the WordPress /wp-admin/ page. We will block access to the login page if the user fails to authenticate using the previously defined methods.

1. In the "Application Name" field, fill in the name of the website. For example, "omadomain.fi WordPress admin".
2. In the "path" field of "Application Domain", enter "wp-admin". If you are using a subdomain, please fill it in correctly.
3. In the "Session duration" field, you should specify how long the user authentication will be valid.
4. Under "Policies", enter the name of the first rule, for example "Allow IT admin access" and select "Allow" under "Decision".
5. In the "Include" section, select "Email" or if you want to allow the whole organisation, then "Emails Ending in" and enter the email address of the person you want to give access to.
6. We also want another rule that prevents others from accessing the page. Press the "Add new policy" button.
7. Name the rule "Deny access" and select "Deny" under "Decision".
8. Under "Include", select "Everyone". Finally, press the "Save" button.

Test the functionality of Cloudflare access

Once you've got the rules saved, you can go ahead and try accessing the WordPress control panel. When you try to access the /wp-admin/ page, your browser will be redirected to the Cloudflare access login page. Log in and you can continue with your normal WordPress login.

Cloudflare Access is a really effective way to protect your company's critical pages without having to build a complex VPN network. You can also use the same pattern to protect other sites. Just replace the address with the address of the page you want to protect.