Require known IP addresses in site admin area
If an attack compromises the administrative area of your website, the consequences can be severe. With custom rules, you can protect your site's admin area by blocking requests for access to admin paths that do not come from a known IP address.
This example custom rule limits access to the WordPress admin area, /wp-admin/, by blocking requests that do not originate from a specified set of IP addresses:
-
When incoming requests match:
Field Operator Value IP Source Address is not in 10.20.30.40192.168.1.0/24And URI Path wildcard /wp-admin/*If you are using the Expression Editor:
(not ip.src in {10.20.30.40 192.168.1.0/24} and http.request.uri.path wildcard "/wp-admin/*") -
Action: Block
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
