Restrict wp-admin access by IP – when you are using Cloudflare

Restricting your wp-admin access by using simple Apache’s .htaccess rules is easy, we know.

Just this rule and that’s all

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from IP1
Allow from IP2 
#and so on
</Files>

But this would not work if you are using Cloudflare. Just because Cloudflare is middle layer between your website and your website visitor, and you get request with Cloudflare’s own IP-s, not clients’ IP-s.

In order to to lose this information about visitor IP, Cloudflare sends us real visitor’s IP as $_SERVER variable.

So, we just need to adjust our htaccess rule and pass $_SERVER variable there, instead of using IP addresses.

Here is simple htaccess code which works OK with Cloudflare:

SetEnvIF CF-Connecting-IP "SOMEIPHERE1" MyIP
SetEnvIF CF-Connecting-IP "SOMEIPHERE2" MyIP2
<Files wp-login.php>
Require env MyIP
Require env MyIP2
</Files>

That’s all. After saving this block to htaccess, your wp-admin would open for specified IP addresses only.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.