Cloudflare security levels
Cloudflare has a number of features that allow it to fend off attacks against the plague of bot nets crawling the internet. These bots look for security vulnerabilities or attempt to deny service by simply overloading web hosts and servers, either knocking them off the internet completely or degrading their performance enough to slow them down and make them essentially unusable.
Brute force password hacking attempts are one such common attack and Cloudflare provide differing security levels in it’s options for your website. Those security levels are essentially off, low, medium, high, and the ‘i’m under attack!’ mode. In a recent attack observation I found that on free plans this ‘i’m under attack!’ mode is not engaged automatically (at least in one case) and requires someone to manually enable it for this to be effective.
Page rules for the WordPress admin portal login pages
The ‘i’m under attack!’ mode is highly effective and you can leave it on permanently across the board to protect an entire website. However, this is going to delay visitor entry and will turn away a proportion of visitors that are simply not prepared to wait that five seconds for all security checks to be completed. One train of thought would be to provide this protection only on the WordPress admin login pages. These pages are a common target and could do with an extra layer of protection. Cloudflare has the answer and it’s called Page Rules. Cloudflare page rules let you manipulate incoming traffic to do a number of things such as enforce SSL, modify caching, or as we are looking at in this case change the security level.