Require known IP addresses in site admin area

If an attack compromises the administrative area of your website, the consequences can be severe. With custom rules, you can protect your site’s admin area by blocking requests for access to admin paths that do not come from a known IP address.

This example custom rule limits access to the WordPress admin area, /wp-admin/, by blocking requests that do not originate from a specified set of IP addresses:

Expression: (not ip.src in {10.20.30.40 192.168.1.0/24} and starts_with(lower(http.request.uri.path), "/wp-admin"))
Action: Block

To prevent attackers from successfully using a permutation of /wp-admin/ such as /wP-AdMiN/, the expression uses the lower() transformation function to convert the URI path to lowercase.

Other resources

Use case: Allow traffic from IP addresses in allowlist only

Was this helpful?

Resources
API
New to Cloudflare?
Products
Sponsorships
Open Source

Support
Help Center
System Status
Compliance
GDPR

Company
cloudflare.com
Our team
Careers

Tools
Cloudflare Radar
Speed Test
Is BGP Safe Yet?
RPKI Toolkit
Certificate Transparency

Community
X
Discord
YouTube
GitHub

2025 Cloudflare, Inc.
Privacy Policy
Terms of Use
Report Security Issues
Trademark