How to Secure Login Pages w/ Cloudflare Access Feature?

For a long time, we were looking for a better way to secure our login page and protect the wp-login.php page from attackers. We finally have a solution: Cloudflare Access now protects our login page.

Cloudflare Access is really a nice feature by Cloudflare – the largest security provider available on the web with more than 81% market share of reverse proxy services for all websites!

In this tutorial, we’d like to share why we use Cloudflare Access to safeguard our login page and how you can implement this on your site to protect sensitive pages from attackers.

Why We Use Cloudflare Access?

First, visit our login page to witness the magic: the login page is protected by Cloudflare Access! You can no longer reach the page and try different usernames and passwords!

By using the feature on the login page, we enjoy many benefits. It is not like the usual two-factor authentication: it is effectively two-factor authentication for the login page, performed on Cloudflare’s secure server! And you can rely on Cloudflare, the biggest name in the security field.

If you use a two-factor authentication plugin, attackers can still try different usernames and passwords, because the second factor is only checked later. By repeating this again and again, attackers can do serious damage to your website’s server, and the server may go down in the process.

That’s why we use Cloudflare Access over two-factor authentication. It doesn’t allow attackers to reach the protected page before they are authenticated. And your server stays safe, as it should be, because everything happens on Cloudflare’s secure server.

The best thing is that there’s an access audit within the Cloudflare dashboard! You can monitor who succeeded or failed to access the protected pages, and when! You can also time-limit how long a user has access to the protected page, and you can revoke all existing access with a click!

Want to learn more? Read their introduction blog post for more about Cloudflare Access.

Secure Login Pages w/ Cloudflare Access

There are many authentication options available in Cloudflare Access settings. We will not discuss all authentication options here. We’ll show you how to enable email authentication to access your website’s login page. To enable email authentication for a page, do the following:

1. Open Cloudflare Access Settings Page

Log in to your Cloudflare account and go to the Access settings page. The page looks like this:

Cloudflare Access Settings Page

IMPORTANT: You may need to subscribe to Cloudflare Teams to enable the Access feature for your account. Don’t worry! You can join Cloudflare Teams for free. The Access feature is free for up to 50 users/month, which should be enough for small to medium-sized companies.

2. Add One-Time Pin Login Method

Click on “Add” available under the “Login Methods” section (see the previous image) and then select the “One-Time Pin” option from the options.

3. Setup Login Page Domain

Optional! Set this up under the “Login Page Domain” section (see the previous image). There should be a value already, so you may skip this step if you are okay with the existing value.

4. Customize Your Login Page

Optional! You can customize the login page by clicking on the image under the “Customize Your Login Page” section (see the previous image) if you wish to. You can customize everything to your liking like the image! Don’t forget to click on “Save” to save modifications.

Cloudflare Access Login Page Customize

5. Create Access Policy

Most important step! You have to create an access policy for your protected pages. To create an access policy, click on “Create Access Policy” (see the first image) and then set up everything as shown in the image.

Cloudflare Edit Access Policy

You can change wp-login.php to any page you want to protect! Don’t forget to add the email addresses where you want to receive the authentication code to the “Emails” input field.

Click on “Save” after modification. You can edit the created access policy and can revoke existing access anytime as you wish! You can also create another access policy to protect another page.

Result After Modifications

After all the modifications to secure a login page, the authentication page looks like the image:

Cloudflare Access Auth Page

You have to enter the email that you set up in the access policy and then click on the “Send me a code” button. If the email matches the one in the access policy, you will receive an authentication code by email.

Now copy the authentication code from the email you just received, paste it into the next window and click on the “Sign in” button to access your protected login page.

Cloudflare Access Auth Waiting

After this, you are authenticated and will be redirected to the page you protected. With this process, you can protect any page you want, including the login page.

Another good thing is that you can monitor access logs within the Cloudflare Access page. Don’t miss this feature: it really ensures better login page security.
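One way to put the access audit mentioned here and in the "Why We Use Cloudflare Access?" section to work, as an added example that is not part of the original tutorial or Cloudflare's own code: review exported audit records for source IPs with repeated denied attempts and for successful logins by emails that are not in your policy. The records are constructed, and the field names (`created_at`, `user_email`, `ip_address`, `allowed`), the export as JSON lines, and the thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one JSON object per line. The field names are
# assumptions; rename them to match the log export you actually have.
SAMPLE_LOG = """
{"created_at": "2024-05-01T10:00:05Z", "user_email": "admin@example.com", "ip_address": "203.0.113.10", "allowed": true}
{"created_at": "2024-05-01T11:02:00Z", "user_email": "root@example.com", "ip_address": "198.51.100.7", "allowed": false}
{"created_at": "2024-05-01T11:03:30Z", "user_email": "admin@example.net", "ip_address": "198.51.100.7", "allowed": false}
{"created_at": "2024-05-01T11:06:10Z", "user_email": "test@example.com", "ip_address": "198.51.100.7", "allowed": false}
{"created_at": "2024-05-02T09:15:00Z", "user_email": "intern@example.com", "ip_address": "203.0.113.44", "allowed": true}
"""

POLICY_EMAILS = {"admin@example.com"}  # emails you put in the access policy (assumed)
WINDOW = timedelta(minutes=10)         # look-back window for repeated denials
THRESHOLD = 3                          # denials per IP inside WINDOW worth a look


def parse(text):
    """Parse JSON lines into records with a real datetime in 'created_at'."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        rec["created_at"] = datetime.strptime(rec["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def review(records):
    """Return (IPs with repeated denials, allowed logins by emails outside the policy)."""
    denied = defaultdict(list)
    unexpected = []
    for rec in sorted(records, key=lambda r: r["created_at"]):
        if not rec["allowed"]:
            denied[rec["ip_address"]].append(rec["created_at"])
        elif rec["user_email"].lower() not in POLICY_EMAILS:
            unexpected.append(rec["user_email"])
    noisy = set()
    for ip, times in denied.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:  # slide the window forward
                start += 1
            if end - start + 1 >= THRESHOLD:
                noisy.add(ip)
    return sorted(noisy), unexpected
```

Call `review(parse(SAMPLE_LOG))` to get both lists. An allowed login by an email outside `POLICY_EMAILS` usually means the policy was widened after you last reviewed it.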

That’s it. Have a say? Let’s discuss through comments. We will be really happy to assist you.

6 Comments on this.

  1. Hello

    Good description – thanks. My problem is that I have users on the site who can’t log out now. I use WooCommerce and it seems that the logout path also goes through wp-login.php… do you have any ideas?


  2. Hello

    I have the following problem. If this is activated like this, customers (when using e.g. WooCommerce) can no longer log out either. If the customers then want to log out, it goes via the URL wp-login.php. Do you have a solution for this?


  3. Very good article, thank you!

    I’ve tried to set up Cloudflare Access using your tutorial, but it’s a little bit too complex if you just need a simple User / Password protection. And being forced to add a payment method even for the free tier is bothering me.

    I’ve finally protected my site using Octauthent ( ), which is also based on Cloudflare and works very well for me.

    Have a good day!

