Cloudflare Docs
Visit WAF on GitHub
Set theme to dark (⇧+D)

Require known IP addresses in site admin area

If an attack compromises the administrative area of your website, the consequences can be severe. With custom rules, you can protect your site’s admin area by blocking requests for access to admin paths that do not come from a known IP address.

The example below limits access to the WordPress admin area, /wp-admin/, by blocking requests that do not originate from a specified set of IP addresses.

To prevent attackers from successfully using a permutation of /wp-admin/ such as /wP-AdMiN/, use the lower() transformation function to convert the URI path to lowercase:

Expression Action
(not ip.src in {} and starts_with(lower(http.request.uri.path), "/wp-admin")) Block