Restricting your wp-admin access by using simple Apache’s .htaccess rules is easy, we know.
Just this rule and that’s all
<Files wp-login.php> Order Deny,Allow Deny from all Allow from IP1 Allow from IP2 #and so on </Files>
But this would not work if you are using Cloudflare. Just because Cloudflare is middle layer between your website and your website visitor, and you get request with Cloudflare’s own IP-s, not clients’ IP-s.
In order not to lose this information about visitor IP, Cloudflare sends us real visitor’s IP as $_SERVER[‘CF-Connecting-IP’] variable.
So, we just need to adjust our htaccess rule and pass $_SERVER variable there, instead of using IP addresses.
Here is simple htaccess code which works OK with Cloudflare:
SetEnvIF CF-Connecting-IP "SOMEIPHERE1" MyIP SetEnvIF CF-Connecting-IP "SOMEIPHERE2" MyIP2 <Files wp-login.php> Require env MyIP Require env MyIP2 </Files>
That’s all. After saving this block to htaccess, your wp-admin would open for specified IP addresses only.