{"id":1443,"date":"2017-09-12T12:15:20","date_gmt":"2017-09-12T07:15:20","guid":{"rendered":"https:\/\/thedevcouple.com\/?p=1443"},"modified":"2017-09-12T13:17:43","modified_gmt":"2017-09-12T08:17:43","slug":"protect-websites-brute-force-attacks-cloudflare-free-page-rules","status":"publish","type":"post","link":"https:\/\/thedevcouple.com\/protect-websites-brute-force-attacks-cloudflare-free-page-rules\/","title":{"rendered":"Protect Websites From Brute Force Attacks With Cloudflare Free Page Rules"},"content":{"rendered":"

Today, I am super excited to help you reinforce your site’s security against the most common type of security breach, i.e.,\u00a0brute force attacks<\/strong>. The attack is pretty simple. You keep guessing the username and password, till you get it right. Usually,\u00a0they\u2019re performed by bots which are capable of trying thousands of combinations every minute.<\/p>\n

The internet is flooded with content featuring fixes to prevent brute force attacks. However, what makes this post different from others is that I’ll explain the same using an incredible free service<\/strong> which Cloudflare<\/strong><\/a> offers to its users.<\/p>\n

\n

\"\"<\/p>\n<\/div>\n

I am talking about the free\u00a0Page Rules<\/strong><\/a> which can help you block or scan visitors landing to your wp-admin<\/code>, wp-login.php<\/code>, and xmlrpc.php<\/code> and other parts of your WordPress website.<\/p>\n

\u26a1\ufe0f\u00a0Cloudflare<\/h2>\n
\n

\"cloudflare\"<\/p>\n<\/div>\n

Those who know little about Cloudflare<\/a> then, it delivers services like CDN, DNS, web security, and optimization<\/strong>. Precisely, it makes a website fast and safe to use. My first interaction with Cloudflare was about their managed DNS service. It manages all of my domains through its user-friendly interface.\u00a0Once my website is a part of the Cloudflare’s community, it routes my web traffic through its network.<\/p>\n

An interesting feature which I’m going to share is that by linking your domains to Cloudflare’s DNS, you get access to three free page rules. These can be implemented anywhere in your websites to block threats and limit bots hence, protecting your bandwidth and server resources.<\/p>\n

And trust me I’m pretty happy with this service. All of my\u00a0Cloudflare-powered websites have experienced\u00a0a significant improvement against brute force attacks. Or let me say that now there are hardly\u00a0any failed login attempts.<\/p>\n

\ud83d\udcdd Page Rules Overview<\/h2>\n
\n

\"page<\/p>\n<\/div>\n

Broadly speaking, Page Rules<\/strong> allow you to perform multiple tasks on the page’s URL like security, caching, redirects, enabling and disabling<\/strong>\u00a0of various services. However, the scope of this article revolves around how these can be implemented to prevent brute force attacks. So, let’s stick to that.<\/p>\n

A Page Rule responds to brute force attacks which are made on your\u00a0wp-admin<\/code>, wp-login.php<\/code>, and xmlrpc.php<\/code>\u00a0files. It only happens when a given URL pattern matches the following format:<\/p>\n

<scheme>:\/\/<hostname><:port>\/<path><\/code><\/p>\n

An example using each component would be:<\/p>\n

yourdomain.com\/wp-admin<\/code><\/p>\n

Both the scheme<\/em> and port<\/em> components are optional. Omitting these two would mean that the URL matching is done for both\u00a0http:\/\/<\/code>\u00a0and\u00a0https:\/\/<\/code>\u00a0protocols and on all ports. However, you can add an asterisk (*)<\/strong>\u00a0to match a series of similar patterns rather than just one.<\/p>\n

\u2705 Browser Integrity Check<\/h3>\n

While talking specifically about brute force attacks, Cloudflare offers an exclusive check feature to counter these. It’s called the Browser Integrity Check (BIC)<\/strong>. This feature functions similar to\u00a0a Bad Behavior request<\/strong>. It looks for common HTTP headers which are usually breached and denies access to your page. You can find this feature under the\u00a0<\/span>Firewall app<\/strong>.<\/span><\/p>\n

What I really like about BIC is that you can selectively enable it in areas which are most prone to brute force attacks by implementing a\u00a0<\/span>page rule. <\/span><\/p>\n

<\/article>\n

\u2699\ufe0f Setting Up Cloudflare Page Rules<\/h2>\n

By now, you know that Cloudflare acts like a firewall between your domain and server. Let’s find out how you can set these page rules with a free Cloudflare account.<\/p>\n

You get started with the initial setup. It begins with creating an account at Cloudflare and typing in your domain name. From here, Cloudflare will automatically fetch the DNS records from your current web host and display the new name servers. Next, you’ll switch to new name servers which Cloudflare scanners have generated for you. Once things get done,\u00a0you can setup Cloudflare page rules and other security features to protect your site.<\/p>\n

\u270c\ufe0f Adding a New Page Rule<\/h2>\n

Once the Cloudflare is integrated with your site, go to the Page Rules icon at the top. With free domains, you can make up to\u00a0three page rules per website. The number increases as you shift from Pro domains to enterprise level customers.<\/p>\n

\ud83d\udc49 To create a new Page Rule in the Cloudflare Dashboard, follow these steps:<\/p>\n

    \n
  • On the top-left corner click the drop-down menu<\/strong> to select your domain.<\/li>\n
  • Click the “Page Rules”<\/strong>\u00a0app.<\/li>\n
  • Select “Add new rule”\u00a0<\/strong>and\u00a0enter the pattern you want to match and choose the rules you want to apply.<\/li>\n<\/ul>\n
    \n

    \"adding<\/p>\n<\/div>\n

    \u00a0\ud83c\udf52\u00a0Adding Page Rules to Stop Brute Force Attacks<\/h2>\n

    Shortly, I’ve mentioned that the three zones that are most vulnerable to brute force attacks are your\u00a0wp-admin<\/code>, wp-login.php<\/code>, and xmlrpc.php<\/code>\u00a0files. So, I’ll create a rule for each of these files with relevant matches.<\/p>\n

    Page Rule Settings for\u00a0wp-login.php File<\/h3>\n

    This page rule is only for a bot or someone who’s trying to access thewp-login.php<\/code>\u00a0file and not the rest of your site.<\/p>\n

      \n
    • URL Matches<\/strong>: *yourdomain.com\/wp-login.php*<\/li>\n
    • First Setting<\/strong>: Browser Integrity Check \u2013 On<\/li>\n
    • Second Setting<\/strong>: Security level \u2013 I\u2019m under attack.<\/li>\n<\/ul>\n
      \n

      \"page<\/p>\n<\/div>\n

      Page Rule Settings for\u00a0wp-admin.php File<\/h3>\n

      This page rule is only for a bot or someone who’s trying to access thewp-admin.php<\/code>\u00a0file and not the rest of your site.<\/p>\n

        \n
      • URL Matches<\/strong>: *yourdomain.com\/wp-admin.php*<\/li>\n
      • First Setting<\/strong>: Browser Integrity Check \u2013 On<\/li>\n
      • Second Setting<\/strong>: Security level \u2013 I\u2019m under attack.<\/li>\n<\/ul>\n
        \n

        \"page<\/p>\n<\/div>\n

        Page Rule Settings for xmlrpc.php File<\/h3>\n

        This page rule is only for a bot or someone who’s trying to access thexmlrpc.php<\/code>\u00a0file and not the rest of your site.<\/p>\n

          \n
        • URL Matches<\/strong>: *yourdomain.com\/xmlrpc.php*<\/li>\n
        • First Setting<\/strong>: Browser Integrity Check \u2013 On<\/li>\n
        • Second Setting<\/strong>: Security level \u2013 I\u2019m under attack.<\/li>\n<\/ul>\n
          \n

          \"\"<\/p>\n<\/div>\n

          The final result is seen in the screenshot below where I’ve added three free page rules for my demo site a2podcast.com.<\/p>\n

          \n

          \"\"<\/p>\n<\/div>\n

          \ud83d\udce3 All these page rules are applied based on the order they appear. If you want to change the position of a page rule, you can reorder it by moving it up or down on the list using the icon on the left-hand side.<\/strong><\/em><\/p>\n

          That’s it for today. I think this is an intelligent move to protect your WordPress sites against brute force attacks. I am using page rules on my websites, and the results are mind boggling. Now I can sit back and relax and let Cloudflare protect my sites. You should try it out as well and let me know your feedback about it.<\/p>\n","protected":false},"excerpt":{"rendered":"

          Today, I am super excited to help you reinforce your site’s security against the most common type of security breach, i.e.,\u00a0brute force attacks. The attack is pretty simple. You keep guessing the username and password, till you get it right. Usually,\u00a0they\u2019re performed by bots which are capable of trying thousands of combinations every minute. The […]<\/p>\n","protected":false},"author":2,"featured_media":1531,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":""},"categories":[1],"tags":[35,7,27],"coauthors":[],"jetpack_featured_media_url":"https:\/\/thedevcouple.com\/wp-content\/uploads\/2017\/09\/Cloudflare-Page-Rules-1.jpg","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/thedevcouple.com\/api\/wp\/v2\/posts\/1443"}],"collection":[{"href":"https:\/\/thedevcouple.com\/api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedevcouple.com\/api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedevcouple.com\/api\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/thedevcouple.com\/api\/wp\/v2\/comments?post=1443"}],"version-history":[{"count":0,"href":"https:\/\/thedevcouple.com\/api\/wp\/v2\/posts\/1443\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedevcouple.com\/api\/wp\/v2\/media\/1531"}],"wp:attachment":[{"href":"https:\/\/thedevcouple.com\/api\/wp\/v2\/media?parent=1443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedevcouple.com\/api\/wp\/v2\/categories?post=1443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedevcouple.com\/api\/wp\/v2\/tags?post=1443"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/thedevcouple.com\/api\/wp\/v2\/coauthors?post=1443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}