
Cloudflare’s Zero Trust platform is one of the most effective ways to secure your WordPress admin login.

This method places a security gate in front of your WordPress login screen (wp-login.php), requiring a one-time code (OTP) sent by email before the visitor even sees the traditional WordPress username/password fields. This stops brute-force attacks against the login form cold.

The feature that enables this is called Cloudflare Access (part of the Zero Trust suite), and the authentication method is the One-Time Pin (OTP).

How to Implement Cloudflare Zero Trust with Email OTP

This process is handled entirely within the Cloudflare dashboard and requires no changes to your WordPress files (no plugins, no code editing).

Prerequisites

  1. Your domain must be active on Cloudflare and using Cloudflare’s nameservers.
  2. Your domain’s DNS record for your site (the A or CNAME record) must be proxied (the cloud icon must be orange).
  3. You need a Cloudflare Zero Trust account (the free tier supports up to 50 users and includes this feature).

Step-by-Step Configuration

  1. Launch the Zero Trust Dashboard:
    • Log in to your Cloudflare account.
    • Navigate to the Zero Trust dashboard.
  2. Configure Authentication:
    • Go to Settings > Authentication.
    • Under Login Methods, ensure One-Time Pin is enabled (it usually is by default).
  3. Create an Access Application:
    • In the Zero Trust dashboard, go to Access > Applications.
    • Click Add an application and select Self-hosted.
  4. Define the Application:
    • Application name: E.g., WordPress Admin Access
    • Domain: Select your domain from the dropdown.
    • Subdomain: Enter your subdomain (e.g., www or leave blank).
    • Path: Enter the path you want to protect. The most critical paths are:
      • /wp-login.php
      • /wp-admin* (The asterisk is important to cover all pages within the admin area).
      • Tip: You may need to create two separate applications to protect both the /wp-login.php and the /wp-admin* paths, although often just protecting /wp-admin* will force a redirect through the login page.
  5. Set Up the Policy (The Zero Trust Rule):
    • Under Identity Providers, make sure One-Time Pin is selected.
    • Give your policy a name (e.g., Admin Access Policy).
    • Action: Select Allow.
    • Configure rules:
      • Selector: Select Emails.
    • Operator: Select in (for a list of specific addresses) or Ends with (if you want to allow every user from a domain such as @yourcompany.com).
      • Value: Enter the specific email addresses that are allowed to receive the login code (e.g., [email protected]).
  6. Save and Deploy:
    • Click Next, then Add application.

Testing the Setup

  1. Open an Incognito/Private browser window.
  2. Navigate to your WordPress login page (e.g., https://yourdomain.com/wp-admin/).
  3. Instead of seeing the WordPress login form, you will be redirected to a Cloudflare Access page that prompts you to Enter your email.
  4. Enter one of the email addresses you allowed in your policy.
  5. Cloudflare will send a one-time code to that email address.
  6. Enter the code on the Cloudflare page.
  7. Once verified by Cloudflare, you will be directed to the standard WordPress login screen to enter your username and password.
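The same test, automated: this is an added check script and not part of the original post. It assumes the site is served over HTTPS through Cloudflare's proxy and that an unauthenticated request to a protected path is answered with a redirect to the Access login page on a team host ending in .cloudflareaccess.com (the team name in the test is constructed).

```python
# Added check script (not part of the original post): confirm that an
# unauthenticated request to each protected path is redirected to the
# Cloudflare Access login on a <team>.cloudflareaccess.com host, rather
# than reaching the WordPress login form. Assumes HTTPS via the proxy.
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

PROTECTED_PATHS = ["/wp-login.php", "/wp-admin/"]
ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"

def classify(status, location, body):
    """Return 'access', 'wordpress' or 'other' for one HTTP response."""
    if status in (301, 302, 303, 307, 308) and location:
        target = urlparse(location)
        if (target.hostname or "").endswith(ACCESS_LOGIN_SUFFIX):
            return "access"      # Access gate answered before WordPress did
        if target.path.endswith("/wp-login.php"):
            return "wordpress"   # WordPress itself bounced us to its login
    if status == 200 and 'id="loginform"' in body:
        return "wordpress"       # WordPress login form served directly
    return "other"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location can be read."""
    def redirect_request(self, *args, **kwargs):
        return None

def fetch(url):
    """Fetch url once; return (status, Location header or None, body text)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # raised for non-2xx, including the 302 we want
        return err.code, err.headers.get("Location"), err.read().decode("utf-8", "replace")

def check_site(host):
    """Map each protected path on host to its classify() verdict."""
    return {p: classify(*fetch(f"https://{host}{p}")) for p in PROTECTED_PATHS}

if __name__ == "__main__":
    results = check_site(sys.argv[1])  # e.g. python access_check.py www.example.com
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
    sys.exit(0 if all(v == "access" for v in results.values()) else 1)
```

A "wordpress" verdict for /wp-admin/ while /wp-login.php reports "access" means the admin path is not covered by an Access application, which is the situation the tip in step 4 warns about.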

This creates a powerful, identity-aware layer of security that separates the front door (Cloudflare Access) from the application door (WordPress login).