Cybersecurity

Increase Website Security: Protect Admin Routes Using Cloudflare Access

Most websites and web applications have an admin route - a place where you manage content, users, and settings. Common examples include:

  • /wp-admin for WordPress
  • /administrator for Joomla
  • /admin for custom apps

Unfortunately, these admin pages are frequent targets for automated attacks. Hackers and bots constantly scan the internet for exposed admin routes to attempt brute force attacks, credential stuffing.

Even if your admin panel requires a username and password, this alone is not enough - your server is still exposed to unwanted traffic.

One simple and effective way to increase the security of your admin routes is by using Cloudflare Access - a Zero Trust product that blocks unauthorized users before they even reach your server.

In this guide, you’ll learn how to use Cloudflare Access to secure your admin routes for any application — whether you run WordPress, Ghost CMS, or a custom app.

Why You Should Protect Admin Routes

  • Admin panels are high-value targets for attackers.
  • Public admin routes can be scanned by bots and indexed by services like Shodan.
  • Brute force and DDoS attacks can waste server resources and cause downtime.
  • Adding identity-based protection (Cloudflare Access) provides a stronger defense.

What Is Cloudflare Access?

Cloudflare Access is part of Cloudflare’s Zero Trust platform. It allows you to protect any URL or route by enforcing identity-based authentication at the Cloudflare edge.

Benefits include:

  • Only authorized users can access protected routes.
  • Traffic is filtered before it reaches your server — reducing attack surface.
  • No need to modify your application code.
  • Supports multiple identity providers (Google, GitHub, SSO, etc.).
  • Easy to configure via Cloudflare dashboard.

How to Configure Cloudflare Access to Protect Admin Routes

Prerequisites

  • A Cloudflare account
  • Your website must be using Cloudflare DNS and proxying traffic through Cloudflare (orange cloud enabled).
  • Cloudflare Zero Trust plan (Free tier works for many use cases).

Step 1: Set Up Cloudflare Access

  1. Go to Cloudflare Zero Trust Dashboard → Access → Applications.
  2. Click Add an application.
  3. Select Self-hosted.
  4. Give your application a name (e.g., "Ghost Admin Protection").
  5. Define your protected route, for example:
    • https://yourdomain.com/ghost/*
    • https://yourdomain.com/wp-admin/*
    • https://yourdomain.com/admin/*

Step 2: Create an Access Policy

  1. Under Policies, click Add a policy.
  2. Create a rule that allows only:
    • Emails from your domain (e.g., @yourcompany.com)
    • Or specific emails
    • Optionally require Multi-Factor Authentication (MFA)
  3. Save the policy.

Step 3: Test the Configuration

  • Log out of Cloudflare or use an incognito window.
  • Try to access your admin route.
  • You should be prompted to authenticate via Cloudflare Access.
  • Unauthorized users will not be able to access the page.

Example: Protecting Ghost CMS Admin Route

  • Define route: https://yourdomain.com/ghost/*
  • Only allow your personal email (or team emails).
  • Result: /ghost will be fully protected — bots and unauthorized users will be blocked at Cloudflare.

Example: Protecting WordPress wp-admin Route

  • Define route: https://yourdomain.com/wp-admin/*
  • Only allow authorized emails.
  • Prevents bots from brute-forcing WordPress login or accessing wp-admin pages.

Conclusion

Securing admin routes is an essential step to increase your website’s security and protect sensitive areas from attackers. With Cloudflare Access, you can easily lock down your admin panels — adding identity-based access control at the Cloudflare edge.

This not only prevents unauthorized access but also reduces the attack surface of your server — improving performance and resilience.

If you run WordPressGhost CMS, or any other web application, enabling Cloudflare Access is a highly recommended security best practice.

Final Tips

  • Add MFA for even stronger security.
  • Monitor Access logs to track who is accessing your admin routes.
  • Combine with other Cloudflare security features (WAF, rate limiting) for complete protection.

That’s it — a simple, effective way to increase website security using Cloudflare Access.
Try it today and lock down your admin routes!

I have an API problem after I setup Cloudflare Access and I wrote how to fix it here

How to Fix GhostCMS API Not Working After Enabling Cloudflare Access on Ghost Admin Path
A week ago, I released an article about Increase Website Security: Protect Admin Routes Using Cloudflare Access Increase Website Security: Protect Admin Routes Using Cloudflare AccessMost websites and web applications have an admin route - a place where you manage content, users, and settings. Common examples include: * /wp-admin for WordPress
Kidkrub : Personal Blog of a Precious Little DeveloperKidkrub

Read next

Password Manager แต่ละเจ้าต่างกันยังไง

Google Password Manager ใช้งานได้บน: Android, Chrome browser ข้อดี * มาพร้อมกับบัญชีของ Google เลย * สามารถซิงค์ระหว่าง Android กับ Google Chrome ได้ * ใช้ง่ายและฟรี ข้อเสีย * ไม่เหมาะกับคนที่ใช้อุปกรณ์ของ Apple หรือไม่ได้ใช้ Chrome เป็นเบราว์เซอร์
Kidkrub

Password Manager เพราะชีวิตไม่ได้มีไว้จำ password

ทุกวันนี้ ชีวิตเราเลี่ยงไม่ได้เลย ที่จะต้องสร้างพาสเวิร์ดมากมายในการเข้าใช้ บริการต่าง ๆ ไม่ว่าจะเป็น E-mail (Gmail, Outlook, etc.) โซเชียลมีเดีย (Facebook, Instagram, X, etc.) สตรีมมิ่ง (Nextlix, Prime, etc.) หรืออื่น ๆ ซึ่ง เดี๋ยวนี
Kidkrub