Skip to content
Cloudflare Docs

Require known IP addresses in site admin area

If an attack compromises the administrative area of your website, the consequences can be severe. With custom rules, you can protect your site’s admin area by blocking requests for access to admin paths that do not come from a known IP address.

This example custom rule limits access to the WordPress admin area, /wp-admin/, by blocking requests that do not originate from a specified set of IP addresses:

  • Expression: (not ip.src in {10.20.30.40 192.168.1.0/24} and starts_with(lower(http.request.uri.path), "/wp-admin"))
  • Action: Block

To prevent attackers from successfully using a permutation of /wp-admin/ such as /wP-AdMiN/, the expression uses the lower() transformation function to convert the URI path to lowercase.

Other resources