Cloudflare Docs

Cloudflare Docs

Overview
About
Actions
IP Lists
Order and priority
Manage rules in the dashboard
Create, edit, and delete rules
Edit rule expressions
Preview rules
Use IP Lists
Work with lists
Manage IP List items
Use lists in expressions
Create a mTLS rule
Manage rules via the APIs
Firewall Rules API
JSON object
Endpoints
POST example
GET examples
PUT examples
DELETE examples
Cloudflare Filters API
What is a filter?
JSON object
Endpoints
POST example
GET examples
PUT examples
DELETE examples
Expression validation
Rules Lists API
JSON object
Endpoints
Call sequence
Common use cases
Block Microsoft Exchange Autodiscover requests
Block requests by Threat Score
Challenge bad bots
Exempt partners from Hotlink Protection
Require a specific cookie
Require a valid HMAC token
Require specific HTTP headers
Require specific HTTP ports
Site administration — Require known IP addresses
Stop R-U-Dead-Yet? (R.U.D.Y.) attacks
Update firewall rules for customers or partners
FAQ

Site administration — Require known IP addresses

If an attack compromises the administrative area of your website, the consequences can be severe. With firewall rules, you can protect your site’s administrative area by blocking requests for access to administrative paths that do not come from a known IP address.

The example below limits access to the WordPress administrative area, /wp-admin/, by blocking requests that do not originate from a specified set of IP addresses.

To prevent attackers from successfully using a permutation of /wp-admin/ such as /wP-AdMiN/, use the lower() transformation function to convert the URI path to lowercase:

Expression	Action
`(not ip.src in {10.20.30.40 192.168.1.0/24} and lower(http.request.uri.path) contains "/wp-admin")`	Block