Cloudflare DNS, WAF, SSL, DDoS & Zero Trust Access for WordPress
Configured Cloudflare end-to-end on a WordPress site, locked wp-admin behind email-verified Zero Trust Access, and repaired DNS records broken during migration.
April 2026/International/2 days
StackWordPress · Cloudflare · Cloudflare Zero Trust Access · Cloudflare WAF
The situation
A WordPress site owner wanted Cloudflare set up properly: DNS, WAF, SSL, DDoS protection, and bot filtering. They also wanted wp-admin locked to just themselves, so anyone else hitting /wp-admin would get blocked before the WordPress login page even loaded. A previous DNS migration had left a few records broken, which was causing intermittent routing issues.
What I found
The wp-admin login page was publicly reachable, wide open to credential stuffing and brute force. There were no WAF rules filtering anything at the edge, no bot-filtering layer in front of the origin, and the SSL mode was not set to the strongest option available. On top of that, a prior Cloudflare migration had left a handful of DNS records missing or pointing to the wrong place.
What I did
I configured Cloudflare end-to-end: DNS, WAF, SSL, and DDoS protection. I built a set of WAF rules tuned to the site's actual traffic pattern, and added bot-filtering rules to drop hostile user agents and data-center ASNs before they reach the origin. For the login lockdown, I deployed Cloudflare Zero Trust Access with email verification on /wp-admin and /wp-login.
With protection in place, I went back and repaired the DNS records that the earlier migration had broken. I documented the whole setup so the owner can manage rules afterwards without needing me.
How it landed
Only the site owner can reach wp-admin now, gated by Cloudflare Access email verification. Everyone else gets blocked before the WordPress login page even loads. DNS routing is back to normal once the records the earlier migration had broken were fixed.
In their words
“Tanveer configured Cloudflare WAF rules and Zero Trust Access on my WordPress sites. Now only I can access wp-admin through email verification, and everyone else gets blocked before they even see the login page. He also fixed DNS records that broke during the Cloudflare migration. Knows his stuff, explains things clearly, and gets it done fast. Recommended.”