By utilizing these tools, you can safeguard your website against a variety of threats, including Denial of Service attacks, password guessing attempts, code injection vulnerabilities, and unauthorized SSH access attempts.
Set up a WordPress Server instance. (If you already have one, you can skip this step and move on to preparing your Cloudflare account.)
Create or log in to your Cloudflare account.
Transfer your domain's name servers to Cloudflare. (Cloudflare needs your domain connected to your account before it can protect all your domain's DNS records. To do this, log in to your domain provider and change the name servers to the Cloudflare records provided in your account.)
Configure your domain's A record to direct to your WordPress server.
Set up Cloudflare rules
Hiding your WordPress server's IP address behind Cloudflare keeps attackers from reaching the server directly. Cloudflare also adds extra security features such as encryption, protection against cyber attacks, and checks on whether visitors are real people or bots.
Enable Proxying to hide the WordPress Server IP
Follow these steps to keep your server's IP address hidden using Cloudflare:
Log in to your Cloudflare account.
Find the Websites section.
Click on Add a site to set up your Cloudflare domain.
Add the domain name and click Continue.
From the menu on the left, look for DNS and then find Records under DNS. Click Add record to add a new record.
Choose the record with A type and click Edit.
Turn on the Proxy Status. It will change to Proxied.
Click Save to activate the proxy for your domain's record.
To double-check that your real server IP is hidden, use your computer's terminal to ping your domain name. The address that answers should belong to Cloudflare, not to your server.
Set the SSL/TLS Encryption mode
Ensure strong encryption for your website by following these steps:
Go to your Domain Management page.
Click on SSL/TLS in the left menu.
Choose Full (strict) to make sure all data between your WordPress server, Cloudflare, and visitors is encrypted. In this mode Cloudflare also validates the certificate on your WordPress server, so the server needs a valid one installed.
Scroll down to the SSL/TLS Recommender section and turn on the enable toggle button. This will give you suggestions if your SSL setup needs enhancements.
Configure Web Application Firewall (WAF) rules
You can protect your site from certain threats using the Cloudflare Web Application Firewall (WAF).
Click Security on the left menu.
Choose WAF.
On the Custom rules page, click + Create rule to make a new condition.
Give your rule a name.
Choose URI Full from the field dropdown.
Keep the operator as equals.
In the Value field, enter: https://example.com/wp-admin/script
For example: https://hostingdemo1.com/wp-admin/admin-ajax.php?action=scriptalert('XSS Attack!');
This rule examines incoming HTTP requests and checks whether their full URI matches "https://hostingdemo1.com/wp-admin/admin-ajax.php?action=scriptalert('XSS Attack!');". Because the operator is equals, the rule matches only this exact URI.
A match indicates a likely cross-site scripting (XSS) attempt, where malicious JavaScript is injected into a URL parameter, and the rule lets you detect and block it.
Under Choose Action, pick Block.
Click Deploy to activate your new WAF rule.
DDoS Cloudflare security
Open the Settings drop down and select DDoS.
In the section dedicated to HTTP DDoS attack protection, choose Deploy a DDoS override.
Input a name into the Override Name section.
Ensure that the DDoS L7 ruleset configuration values remain at their Default settings, then proceed to the Rule Configuration section and press the Browse Rules button.
Tick the checkbox next to each rule you want to enable. Once you're prepared, press the Set Action button, and choose Block.
Scroll down and click Next to save your rule changes.
By following this guide, you can fortify your WordPress website's security defenses against a wide range of potential threats, including malicious bot attacks.
Furthermore, the implemented filters can deter malicious bots attempting to access your WordPress site, ensuring that every visitor is a genuine human user.