[chrismeller]

While a great idea in principle, this is... incomplete.

You can also do exactly the same thing with any web server. And you should. Just because you use Cloudflare doesn’t mean your server is not directly accessible on the internet. Sure, its IP is masked, but that doesn’t mean it’s suddenly invisible.

In reality this is just a much more advanced version of security through obscurity.

[levidurfee]

Thank you for your feedback! You're right, you can do this with any web server, but that is difficult for some people to implement. I'm not saying people shouldn't learn, and do difficult things to protect their websites, but starting with the Cloudflare Firewall is a step in the right direction.

What are the odds you can guess the IP address of my server? They're pretty slim I think. Also, if I use Cloudflare's Authenticated Origin Pulls, my web server won't respond to your request if you managed to find my IP.

Also, I'm not saying you shouldn't take other security measures, like having a secure password, use mod_security, etc. The intent of using these firewall rules are to prevent login attempts, or at least reduce the number of login attempts to your WP site.

Moreover, if I were to use Cloudflare Argo Tunnel, then it would mean my server is not directly accessible on the internet.

https://support.cloudflare.com/hc/en-us/articles/204899617-A... https://www.cloudflare.com/products/argo-tunnel/