19/06/2020

Protect WordPress with CloudFlare Access

Cloudflare Access is a very ingenious way to protect critical parts of different services, such as maintenance sign-in pages. It is a service that in many cases can replace in-house VPN services. If Cloudflare is still unknown to you, we recommend reading our previous article on Cloudflare deployment first.

Cloudflare Access from a technical point of view

If you are not interested in the technical background and just want to take the security of your WordPress site to a new level, you can skip this section.

Cloudflare Access is an authentication system that sits between you and your server. Its job is to prevent unknown parties from reaching critical parts of your online service: the user must identify themselves first, before the browser can even reach the site's login page. Cloudflare Access mimics Google's BeyondCorp model and brings BeyondCorp's benefits to everyone.

Authentication

Authentication takes place with, for example, a Google account, Azure Active Directory, or Okta, so Cloudflare Access supports the largest and most common identity providers. You can also identify yourself by e-mail.

WordPress dashboard security

Cloudflare Access can protect almost any page that needs to be restricted. The WordPress sign-in page is not very secure by default: the /wp-admin/ page is attacked almost daily by automated scanners, so it should be protected as much as possible. A really good password and a password manager already improve security significantly, but constant intrusion attempts by aggressive scanners can slow down the whole site. Cloudflare Access protects the site from these attacks because scanners and other intruders cannot even connect to the site's /wp-admin/ page. When an attacker visits the dashboard sign-in page, they first land on Cloudflare's authentication page. If an attacker tries to crack this page, they are attacking Cloudflare, not your site.

Cloudflare Access deployment

NOTE! These instructions assume that you have already activated Cloudflare for your site. If you haven't done this yet, follow our Cloudflare deployment blog post first.

1. Cloudflare Dashboard

Open the Cloudflare dashboard and navigate to "Access". Click "Manage access" and select how many users need access to the WordPress dashboard. Finally, press "Continue". Cloudflare Access is free for the first five users; after that, the price is $3 per user per month.

2. Authentication

Scroll to the next item, "Login method". Press "Add" to add a new authentication method. We use e-mail and a Google account as examples. With e-mail, authentication is done with a "One-time PIN", which requires no further configuration at this point. Google authentication requires action in the Google Cloud console; if you don't want to use Google authentication, you can skip to the next section.

Google Account Authentication

If you want to identify yourself to Cloudflare Access using a Google account, follow these steps.

  1. Sign in to the API management section of the Google Cloud console.
  2. Press "Create" to create a new project.
  3. For example, name the project "Cloudflare Access" and press "Create".
  4. Press "Create Credentials" and select "OAuth Client ID".
  5. If you see a notification that says "Configure Consent Screen", press it and follow the instructions.
  6. Fill in the "Product Name" field and hit save. The product name is shown to users during authentication.
  7. Under "Application Type" select "Web Application". Enter a name for the app and under "Authorized JavaScript Origins" fill in "https://omadomain.cloudflareaccess.com" (replace "omadomain" with what you have specified in "Login Page Domain" on the Cloudflare Access page).
  8. Under "Authorized redirect URIs" fill in the following: "https://omadomain.cloudflareaccess.com/cdn-cgi/access/callback" and press "Create".
  9. Copy both the "Client ID" and the "Client Secret" into the Cloudflare Access configuration.

3. Protection and rights assignment

Scroll to "Access Policies" and press "Create Access Policy". We will protect the WordPress /wp-admin/ page by blocking access to the login page unless the user identifies themselves in one of the previously defined ways.

  1. Under "Application Name" fill in the site name. For example, "omadomain.fi WordPress admin".
  2. Under "Application Domain" in the "path" field, enter "wp-admin". If the site runs on a subdomain, fill that in correctly as well.
  3. In the "Session duration" item, you must specify how long the user's authentication is valid.
  4. Under "Policies," type "Allow" as the name of the first rule, for example, and under "Decision," select "Allow".
  5. Under "Include," select "Email" (or "Emails Ending in" if you want to allow the entire organization) and enter the email address of the person you want to give access to.
  6. We also want another rule that prevents others from accessing the page. Press the "Add new policy" button.
  7. Name the rule "Deny" and select "Deny" under "Decision".
  8. Under "Include", select "Everyone". Finally, press the "Save" button.
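The same application and its two policies, expressed as infrastructure-as-code so the setup is reviewable and reproducible. This is an added example, not part of the original post: it uses the Cloudflare Terraform provider's cloudflare_access_application and cloudflare_access_policy resources, and the zone ID variable, the 24h session duration and the admin@omadomain.fi address are assumed placeholder values.

```hcl
variable "zone_id" {
  description = "Cloudflare zone ID of omadomain.fi (placeholder, fill in your own)"
  type        = string
}

# The protected application: the /wp-admin path of the site (steps 1-3).
resource "cloudflare_access_application" "wp_admin" {
  zone_id          = var.zone_id
  name             = "omadomain.fi WordPress admin"
  domain           = "omadomain.fi/wp-admin"
  session_duration = "24h" # assumed value; choose how long a login stays valid
}

# Rule 1 "Allow" (steps 4-5): only the listed address gets through, or every
# address ending in the domain if the whole organization should be allowed.
# Lower precedence is evaluated first.
resource "cloudflare_access_policy" "allow" {
  application_id = cloudflare_access_application.wp_admin.id
  zone_id        = var.zone_id
  name           = "Allow"
  precedence     = 1
  decision       = "allow"

  include {
    email = ["admin@omadomain.fi"] # placeholder address
    # email_domain = ["omadomain.fi"] # alternative: "Emails Ending in"
  }
}

# Rule 2 "Deny" (steps 6-8): everyone who did not match the allow rule is
# turned away.
resource "cloudflare_access_policy" "deny" {
  application_id = cloudflare_access_application.wp_admin.id
  zone_id        = var.zone_id
  name           = "Deny"
  precedence     = 2
  decision       = "deny"

  include {
    everyone = true
  }
}
```

Access only inspects traffic that reaches the origin through Cloudflare, so the origin web server should accept connections only from Cloudflare's network, or validate the Cf-Access-Jwt-Assertion header that Access adds to each authenticated request; otherwise a direct connection to the origin IP skips the policy entirely.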

Test Cloudflare Access functionality

Once you have saved the rules, go and try the WordPress dashboard. When you open the /wp-admin/ page, your browser is redirected to the Cloudflare Access authentication page. Identify yourself and you can continue to the WordPress login as normal.

Cloudflare Access is a really effective way to protect your company's critical pages without having to build a complex VPN network. You can use the same instructions to protect other sites as well: simply replace the address with the address of the page you want to protect.

The article was written by Tuomas Lindroos
Entrepreneur at Tuonetti - a turbo nerd web developer who specializes in building websites and developing web servers.