Previously on Tim’s Tech Thoughts, I used the plugin MiniOrange to have 2 factor authentication required for logging into the WordPress admin. This worked fairly well, however during upgrades I had been accidently locked out more than once. Since I’ve been using Cloudflare for quite a while, and more recently starting using Cloudflare Tunnels for my lab and Mastodon server, I wanted to use the Zero Trust platform to also protect my wordpress site!
With an application protected with Cloudflare Zero Trust, anytime someone attempts to access that URL, Cloudflare will capture them and only let them through if they meet the requirements setup for authentication. In my case, authentication with Google.
Once logged into the Zero Trust dashboard, Authentication can be configured under Settings, Authentication. By default, a One-time Pin option is available, which will send a code to the user’s email address that can then be entered onto the sign in page. Clicking Add New will show all the auth options available for Zero Trust, as well as the instructions for setting it up.
Since Cloudflare’s documentation is very easy to follow, I won’t cover setting up Google as an identity provider in this post. After the identity provider is configured, we will want to setup access to our WordPress application. This requires that Cloudflare is the authoritive DNS provider for the domain.
WordPress Application Config
In the Zero Trust dashboard, selct Access, and then Applications – followed by + Add an application. There are 4 types of applications that can be added: Self-hosted, SaaS, Private Network, and Bookmark. In this example, we are using Self-hosted.
Once Select is clicked, the Configure app page appears and we can give our application a name and setup the domain and path information. I named the application “wordpress” and chose my domain tsmith.co from the drop down list. With WordPress, there are 2 paths that will need protecting. Unfortunatly, we can only enter 1 path per application, so the workaround is simply to create a second application after the first has been completed. The first path I want protected is wp-admin*.
Identity Providers
Scrolling down, the Identity Providers section because visible, and by default is set to “Accept all available identity providers.” Since I only want to use Google and not a one-time pin, I de-selected Accept all available identity providers and unchecked One-time PIN as well. The bottom option I left disable to start, so I can see the capture process, and be required to click on the Google Workspace button. However, if I enabled Instant Auth and was already logged into my Google Workspace account, then I would have been instantly redirected into the WordPress login page as I was already authenticated with Google. Click Next.
Configure Rules
The rules page allows a policy to be setup that defines what users, once authenticated, have access to the application. Since I am the only admin on my WordPress site, I created a policy name of “onlyme” and set the Action to Allow. Under Configure rules, I chose the Selector or Emails, and set a value of “[email protected]”. Then finished by clicking Next, and then on Add Application.
Rinse and Repeat
The final step is to simply create a second Application but this time set the Path to “wp-login.php*” instead of “wp-admin*” since this is another way to access the admin page login. Once the 2nd application was created similar the the first, I tested it out in an incognito browser window, and it worked like a charm!
FYI I had issues blocking wp-admin* as this also blocks access to wp-admin/admin-ajax.php which is used to lots of frontend functionality. Elementor forms also post submissions to that file so it breaks their forms.
If you use wp-login.php* instead, then it blocks access to the login form. Logged out users can’t access wp-admin/ without first going through wp-login.php
Good to know. I didn’t have any issues with anything on the front end, but I don’t have much extra. I do already have a rule for wp-login.php as well
Thanks, Tim, it’s nice of you to share your thoughts.
I’m fretting about securing a WordPress site and figure to buy three YubiKey 5Ci (one for the safe, one for myself and wife). This for 2FA (also fretting about phishing and SIM swap attacks). Over the top for a mom & pop business website plus a separate blog site? Dunno.
Anyway, question for you; on the *Add a log-in method, Select an Identity provider*, is the One-time PIN something like a YubiKey?
Finally, within this reddit thread: https://old.reddit.com/r/Wordpress/comments/1cqcw7h/lock_down_wp/
. . . these suggestions were made;
1. Use a Web Application Firewall. Disable xmlrpc.php. Disable direct php file execution. Keep the site updated.
2. Move the login page to something non-standard so that it’s not readily available to anyone who wants to try to brute force it.
Thoughts? Especially on non-standard login page but also on the business on disabling. Many thanks.
There’s plugins that you can use for wordpress to allow for a yubikey, but with cloudflare it’s just external authentication providers (or a pin / emailed code). So like Google, facebook, Microsoft, etc. Since I use google for mine, in my Google accounts I require a 2nd factor (either a key or a authenticator code) so in that regard, I have enabled 2fa for accessing WP.