You can add an extra layer of security to your WordPress website using the Cloudflare service. Here is a list of rules that you can apply to your website in Cloudflare settings to improve security.

Secure WordPress login page and administrator section

Protect the WordPress admin and login URLs from bot attacks by adding rules like the ones in the screenshot below.

[Screenshot: Secure wp-login.php URL]
[Screenshot: Secure WordPress admin section and disable cache]

Disable access to the xmlrpc.php file

You can block access to the xmlrpc.php file for everyone except certain IP addresses or networks, for example Jetpack or another service that needs it.

AS number 2636 belongs to Jetpack; you can use it to allowlist Jetpack's services.

You can copy the expression below to implement the rule.

(http.request.uri.path eq "/xmlrpc.php" and ip.geoip.asnum ne 2635)

You can also completely block access to the xmlrpc.php file via the expression below.

(http.request.uri.path contains "xmlrpc.php")
[Screenshot: Block xmlrpc.php file completely using a Cloudflare firewall rule]

You can also redirect any traffic to the xmlrpc.php file to the home page or any other URL using a Page Rule.

Block direct access to PHP files in the wp-content and wp-includes folders

Direct access to PHP files in the wp-content and wp-includes folders can be blocked with a firewall rule.

Add Captcha or Challenge users who have a higher threat score

Cloudflare's Threat Score system assigns a score to IP addresses based on their reputation. You can use it to block visitors or challenge them with a captcha. Use this option carefully so that you do not block or discourage your real human visitors.

Secure requests with "wp-"

You can also secure any URL that contains wp-; remember to place this rule below the wp-admin or wp-login.php rule.
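To see how the rules in this post interact, here is an added Python model (not Cloudflare's engine and not the post's own code) that applies them to sample requests in list order, the way Cloudflare's firewall takes the first matching terminating action. The rule actions, the threat-score threshold and the sample ASN 64496 are assumptions.

```python
from dataclasses import dataclass

# ASN used in the post's xmlrpc.php expression (ip.geoip.asnum ne 2635).
JETPACK_ASN = 2635


@dataclass
class Request:
    path: str              # http.request.uri.path
    asn: int               # ip.geoip.asnum
    threat_score: int = 0  # cf.threat_score (0 = clean, higher = worse reputation)


# (http.request.uri.path eq "/xmlrpc.php" and ip.geoip.asnum ne 2635)
def xmlrpc_not_jetpack(r):
    return r.path == "/xmlrpc.php" and r.asn != JETPACK_ASN


# Direct request for a .php file under wp-content or wp-includes.
def php_in_content_dirs(r):
    in_dir = r.path.startswith(("/wp-content/", "/wp-includes/"))
    return in_dir and r.path.endswith(".php")


# Login page or anything under the admin area.
def admin_area(r):
    return r.path == "/wp-login.php" or r.path.startswith("/wp-admin")


# Threshold of 10 is an assumed value, not from the post.
def high_threat(r):
    return r.threat_score >= 10


# The broad "wp-" rule from the post; it must sit below the admin rule.
def any_wp_prefix(r):
    return "wp-" in r.path


# (name, predicate, action), in the order the rules are listed in Cloudflare.
RULES = [
    ("xmlrpc-block", xmlrpc_not_jetpack, "block"),
    ("content-php-block", php_in_content_dirs, "block"),
    ("admin-challenge", admin_area, "challenge"),
    ("threat-challenge", high_threat, "challenge"),
    ("wp-prefix-challenge", any_wp_prefix, "challenge"),
]


def evaluate(r, rules=RULES):
    """Return (rule name, action) of the first matching rule; no match means allow."""
    for name, pred, action in rules:
        if pred(r):
            return name, action
    return "default", "allow"
```

Note that the broad wp- rule also challenges static files such as /wp-content/uploads/image.jpg, which is one reason to keep it last and to consider excluding static assets if that is not intended.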

Do you use any of the rules, or you have any questions? Let me know in the comment section 🙂