Category Archives: WordPress

CloudFlare Page Rules for WordPress Caching

CloudFlare only caches static content like css, jpg, etc. by default to enable faster load times for your site; however you can take advantage of Page Rules to make CloudFlare cache everything including the HTML. The problem with enabling this level of caching for WordPress is that it will cache:

  • The entire wp-admin section, so a non-privileged visitor can load cached admin pages simply by typing in the URL
  • Preview URLs while you are drafting a new page/post, making it hard to see your changes
  • wp-login.php, leaving you stuck in a redirect loop so you can't log in

As a CloudFlare Free user, you will only have 3 Page Rules to work with; one will turn on caching of everything, leaving you with two rules to disable caching of the admin section, preview urls, and wp-login.php.

You could make a Page Rule with the pattern *domain.com/wp-* to prevent caching of both /wp-admin/ and wp-login.php; this leaves you with one rule to prevent preview URL caching with the pattern *domain.com/*preview=true*. However, the pattern *domain.com/wp-* will also prevent caching of your static content, since it matches the WordPress wp-content folder where most of that content lives.

To solve this problem I used the WordPress plugin Rename wp-login.php to change my login URL to https://blog.thirdechelon.org/wp-admin[randomstring]/; now the login page and the admin section can both be excluded from caching with a single rule using the pattern *domain.com/wp-admin*, and you still have two rules left to prevent caching of previews and to enable full caching of everything else.

Below are the Page Rules I use for caching this blog (order matters); you’ll also want to install the WordPress Sunny Plugin to purge CloudFlare’s cache automatically when you make updates.

[Screenshots of the two Page Rules: pagerule1, pagerule2]
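To make the rule-ordering argument above concrete, here is an added example (my own illustration, not code from the blog or from Cloudflare) that models how Page Rules are evaluated: `*` matches any run of characters, including `/`, and the first rule whose pattern matches the URL wins. The rule sets, the cache-level labels, and the URLs (using `domain.com` as a stand-in) are constructed for the example.

```python
"""Model of Cloudflare Page Rule matching (added example, not the blog's own code).

Assumptions, stated as such: '*' in a Page Rule pattern matches any characters,
including '/', and rules are evaluated top to bottom with the first match winning.
"""
import re


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a Page Rule pattern into an anchored regex: '*' -> '.*', everything else literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def first_matching_rule(rules, url):
    """Return (pattern, setting) of the first rule that matches url, or None."""
    for pattern, setting in rules:
        if pattern_to_regex(pattern).match(url):
            return pattern, setting
    return None


def cache_setting(rules, url):
    """The cache behaviour a URL gets under an ordered rule list."""
    match = first_matching_rule(rules, url)
    return match[1] if match else "default (static only)"


# The naive rule set discussed in the post: '*domain.com/wp-*' also swallows wp-content,
# so static assets are never cached.
NAIVE_RULES = [
    ("*domain.com/wp-*", "bypass"),
    ("*domain.com/*preview=true*", "bypass"),
    ("*domain.com/*", "cache everything"),
]

# The rule set after the login page has been moved under /wp-admin<randomstring>/:
# one rule covers both admin and login, and wp-content is cached again.
FIXED_RULES = [
    ("*domain.com/wp-admin*", "bypass"),
    ("*domain.com/*preview=true*", "bypass"),
    ("*domain.com/*", "cache everything"),
]

if __name__ == "__main__":
    for url in (
        "https://domain.com/wp-content/uploads/a.jpg",
        "https://domain.com/wp-admin/",
        "https://domain.com/wp-adminXYZ/",
        "https://domain.com/?p=12&preview=true",
        "https://domain.com/2020/01/post/",
    ):
        print(f"{url:50} naive={cache_setting(NAIVE_RULES, url):18} fixed={cache_setting(FIXED_RULES, url)}")
```

Reversing the order of `FIXED_RULES` so that the catch-all comes first makes every URL, admin pages included, "cache everything", which is exactly why the post stresses that order matters.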

Protect WordPress Login using Fail2Ban and Cloudflare

I’ve discovered a way to protect my WordPress site from brute force attacks thanks to these two guides I found:

DDOS PROTECTION WITH CLOUDFLARE AND FAIL2BAN
WordPress Login Security with Fail2Ban

The best part is these guides do not require installing yet another plugin to WordPress. If your WordPress site does not sit behind Cloudflare, you can just follow the second guide; if you are using Cloudflare however, that guide won’t do anything for you because iptables will only ever see IP addresses from Cloudflare, not your attacker. To make it work with Cloudflare, we need the action filter created in the first guide.

The following steps are a combination of the two guides above and are what I used to configure fail2ban to ban IPs at Cloudflare after failed logins on WordPress. If you haven't done so already, you need to install mod_cloudflare for Apache so that it logs the visitor's IP instead of Cloudflare's. It's also a good idea to configure iptables to only allow HTTP/HTTPS traffic from Cloudflare, so that attackers can't bypass Cloudflare and browse your site directly; the list of Cloudflare IPs is available here as a text file.

First we need to make WordPress log failed authentication attempts; edit the functions.php of your site’s theme and add the following:

Next we need to edit /etc/rsyslog.conf and add the following lines under the "Rules" section:

Since we’ve added a new log, we should configure logrotate; add the following to the bottom of /etc/logrotate.conf:

Restart rsyslog with:

Next we create the filter for fail2ban to use; create a new file /etc/fail2ban/filter.d/wordpress.conf with the following contents:

Now we define the action for fail2ban to use; create a new file /etc/fail2ban/action.d/cloudflare.conf with the contents below. Remember to insert your Cloudflare email address and API Key at the bottom.

Now that we have the filter and action created for fail2ban we can add the jail to /etc/fail2ban/jail.local:

Restart fail2ban and it will watch /var/log/wp_f2b.log for failed WordPress authentication and use the Cloudflare API to ban/unban IPs.
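To show what the filter and jail above actually decide, here is an added example in plain Python; it is not the blog's code nor either guide's, and it does not talk to the Cloudflare API. It matches failed-login lines, counts failures per client IP inside a time window (fail2ban's findtime) and reports the IPs that reached the threshold (maxretry). The log line format, the sample lines and the single Cloudflare edge range are constructed for the example: the real format is whatever your functions.php hook writes through syslog, and the real edge ranges come from the Cloudflare text file linked above.

```python
"""fail2ban-style detection over a WordPress failed-login log (added example).

Assumed line format (constructed, not from the page):
  <syslog timestamp> <host> wordpress(<site>): Authentication failure for <user> from <ip>
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Equivalent of a fail2ban failregex; 'host' plays the role of fail2ban's <HOST>.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ wordpress\([^)]*\): "
    r"Authentication failure for (?P<user>\S+) from (?P<host>\S+)$"
)

# One sample Cloudflare edge range, used only to spot a broken setup; load the
# full published list in real use.
CLOUDFLARE_RANGES = [ipaddress.ip_network("173.245.48.0/20")]

# Constructed sample of /var/log/wp_f2b.log: a burst from one IP, one-off failures,
# a slow attempt spread over 20 minutes, and one line still showing an edge IP.
CONSTRUCTED_LOG = """\
Jun 10 12:00:01 web1 wordpress(blog.example.org): Authentication failure for admin from 203.0.113.5
Jun 10 12:00:07 web1 wordpress(blog.example.org): Authentication failure for admin from 203.0.113.5
Jun 10 12:00:09 web1 wordpress(blog.example.org): Authentication failure for editor from 198.51.100.9
Jun 10 12:00:12 web1 wordpress(blog.example.org): Authentication failure for admin from 203.0.113.5
Jun 10 12:30:00 web1 wordpress(blog.example.org): Authentication failure for root from 192.0.2.77
Jun 10 12:40:00 web1 wordpress(blog.example.org): Authentication failure for root from 192.0.2.77
Jun 10 12:50:00 web1 wordpress(blog.example.org): Authentication failure for root from 192.0.2.77
Jun 10 13:00:00 web1 wordpress(blog.example.org): Authentication failure for admin from 173.245.48.10
"""


def parse_failures(text, year=2024):
    """Yield (timestamp, ip) for each line matching FAILREGEX; other lines are ignored."""
    for line in text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("host")


def ips_to_ban(text, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with at least maxretry failures inside some findtime-long window (fail2ban's rule)."""
    events = defaultdict(list)
    for ts, ip in parse_failures(text):
        events[ip].append(ts)
    banned = set()
    for ip, stamps in events.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= findtime:
                banned.add(ip)
                break
    return sorted(banned)


def proxied_ips(text):
    """Logged IPs that lie inside a Cloudflare edge range.

    Seeing these means the web server is not restoring visitor addresses
    (mod_cloudflare missing); banning them at Cloudflare would block Cloudflare itself.
    """
    seen = {ip for _, ip in parse_failures(text)}
    return sorted(ip for ip in seen
                  if any(ipaddress.ip_address(ip) in net for net in CLOUDFLARE_RANGES))


if __name__ == "__main__":
    print("ban:", ips_to_ban(CONSTRUCTED_LOG))
    print("still seeing edge IPs:", proxied_ips(CONSTRUCTED_LOG))
```

With the defaults, only 203.0.113.5 crosses three failures inside ten minutes; the slow attempt from 192.0.2.77 only gets caught if maxretry is lowered or findtime widened, which is the trade-off you tune in jail.local. The `proxied_ips` check is the sanity test for the mod_cloudflare step: if it ever returns anything, the jail is about to ban Cloudflare's own addresses.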

How to center NextGEN Gallery Thumbnails

Thanks to this blog post I finally found the solution for centering the thumbnails in NextGEN Gallery.

In your NextGEN Gallery Settings go to “Other Settings” > “Styles” > “Enable Custom CSS” and paste the following code:

Now your NextGEN Gallery thumbnails will be centered instead of left-aligned, as in this post.