Using Cloudflare Access to protect WordPress Admin sites

If you host a blog as I do, you can put Cloudflare in front of it to protect and accelerate the site, which I described here –> https://msandbu.org/moved-my-blog-to-cloudflare/ . That means front-end traffic is terminated by Cloudflare and then proxied on to my origin site.

Cloudflare recently introduced a feature called Cloudflare Access, which lets you publish web sites/applications securely through their service and gate access to them with MFA through any of the supported identity providers (IdPs).

WordPress has documented how to password protect wp-admin and wp-login.php using different mechanisms ( https://wordpress.org/support/article/brute-force-attacks/ ), including IP restrictions. There are also plugins that add MFA or integrate with an IdP, but a plugin may be deprecated or stop being maintained for future WordPress versions, which would leave the login unprotected. That is why I like Cloudflare's approach: the control is applied at the network edge, before the request ever reaches WordPress, and does not depend on anything installed in WordPress.

Cloudflare can also apply firewall rules, which can be used to mitigate attacks on or abuse of, for instance, xmlrpc.php, the endpoint WordPress uses to communicate with the outside world (and which is expected to be deprecated): https://www.hostinger.com/tutorials/xmlrpc-wordpress

Luckily, Terraform supports these objects through the Cloudflare provider, which lets us automate the setup. The example below configures an Access application for the wp-admin path, sets up an identity provider (GitHub OAuth) and attaches a policy that only lets members of that GitHub organization/team through to the application.

# Credentials and IDs come from variables (for example via TF_VAR_cloudflare_api_token)
# so that secrets are never hard-coded in the configuration. A scoped API token is
# preferable to the global API key, which grants full access to the whole account.
variable "cloudflare_api_token" {}
variable "zone_id" {}
variable "account_id" {}
variable "github_client_id" {}
variable "github_client_secret" {}

provider "cloudflare" {
  version   = "~> 2.0"
  api_token = var.cloudflare_api_token
}

# The Access application: every request to this domain/path must satisfy an
# Access policy before Cloudflare forwards it to the origin.
resource "cloudflare_access_application" "staging_app" {
  zone_id          = var.zone_id
  name             = "Protect Wordpress Site Login"
  domain           = "DOMAINURL/SUBSITE/wp-admin"
  session_duration = "24h"
}

# GitHub OAuth identity provider (the OAuth app must be created and approved in GitHub first).
resource "cloudflare_access_identity_provider" "github_oauth" {
  account_id = var.account_id
  name       = "GitHub OAuth"
  type       = "github"
  config {
    client_id     = var.github_client_id
    client_secret = var.github_client_secret
  }
}

# The Access policy: allow only users who authenticate through the GitHub IdP and
# belong to the given organization (name) and, optionally, one of the listed teams.
resource "cloudflare_access_policy" "test_policy" {
  application_id = cloudflare_access_application.staging_app.id
  zone_id        = var.zone_id
  name           = "staging policy"
  precedence     = 1
  decision       = "allow"
  include {
    github {
      name                 = "my-github-org-name"
      teams                = ["my-github-team-name"]
      identity_provider_id = cloudflare_access_identity_provider.github_oauth.id
    }
  }
}

When you now open the protected URL you are greeted by the Cloudflare Access login page and redirected to GitHub for OAuth authentication.

Putting Cloudflare Access in front of the login (instead of relying on plugins) also means the site benefits from Cloudflare's other protection mechanisms. Two caveats: the application above only covers the /wp-admin path, while wp-login.php sits at the site root and xmlrpc.php also accepts credentials, so those need their own Access application or firewall rule; and Access only protects traffic that actually passes through Cloudflare, so the origin must not be reachable directly (restrict it to Cloudflare's IP ranges, or validate the Access JWT that Cloudflare adds to forwarded requests). The Terraform provider for Cloudflare also lets you define firewall rules and such, which you can find here –> https://www.terraform.io/docs/providers/cloudflare/index.html
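As an added example (not code from the original post), the following Terraform closes the two gaps mentioned above: a second Access application and policy for wp-login.php, and a firewall rule that blocks xmlrpc.php outright. It assumes the `staging_app` application and `github_oauth` identity provider resources from the configuration above exist in the same module, and reuses their zone and IdP IDs; the placeholders `DOMAINURL/SUBSITE` and `my-github-org-name` are assumptions to be replaced with your own values.

```hcl
# Second Access application: wp-login.php lives at the site root, outside /wp-admin,
# so it needs its own application for the Access policy to apply to it.
resource "cloudflare_access_application" "wp_login" {
  zone_id          = cloudflare_access_application.staging_app.zone_id
  name             = "Protect Wordpress wp-login.php"
  domain           = "DOMAINURL/SUBSITE/wp-login.php"
  session_duration = "24h"
}

# Same allow rule as for wp-admin: only members of the GitHub organization
# authenticated through the GitHub IdP may reach the login page.
resource "cloudflare_access_policy" "wp_login_policy" {
  application_id = cloudflare_access_application.wp_login.id
  zone_id        = cloudflare_access_application.staging_app.zone_id
  name           = "wp-login policy"
  precedence     = 1
  decision       = "allow"
  include {
    github {
      name                 = "my-github-org-name"  # assumed placeholder: the GitHub organization
      identity_provider_id = cloudflare_access_identity_provider.github_oauth.id
    }
  }
}

# Firewall rule: a filter expression matching xmlrpc.php, and a rule that blocks it.
# xmlrpc.php accepts username/password and is a common brute-force target, so if
# nothing legitimate (e.g. Jetpack or a mobile app) depends on it, block it at the edge.
resource "cloudflare_filter" "block_xmlrpc" {
  zone_id     = cloudflare_access_application.staging_app.zone_id
  description = "Match requests to xmlrpc.php"
  expression  = "(http.request.uri.path eq \"/xmlrpc.php\")"
}

resource "cloudflare_firewall_rule" "block_xmlrpc" {
  zone_id     = cloudflare_access_application.staging_app.zone_id
  description = "Block xmlrpc.php"
  filter_id   = cloudflare_filter.block_xmlrpc.id
  action      = "block"
}
```

If you do rely on xmlrpc.php, change the action to "challenge" or narrow the filter expression (for example to requests not coming from your own IP ranges) rather than blocking it completely; the rule still leaves wp-admin and wp-login.php behind Access.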
