Harden WordPress Security with Vultr and Cloudflare

Updated on July 22, 2023


WordPress is a popular open-source content management system (CMS) that powers millions of websites on the Internet. While it offers a user-friendly management interface and powerful tools to build web applications, it’s a common target for hackers, bots, and malicious users. Millions of attacks targeting WordPress websites are registered every month on the Internet.

As a standard, major WordPress updates are rolled out every 4 to 5 months as a basic method to fix all potential security issues. To harden WordPress security, you must take an extra step as a site administrator to perform scans and improve your site security to protect it from any potential attacks.

In this article, you will harden WordPress security with the Vultr Firewall and Cloudflare to protect your site from most types of attacks. Denial of Service (DoS), password dictionary cracking, script injection, and SSH brute-force attacks commonly target WordPress sites.

Harden WordPress Security using the Vultr Firewall and Cloudflare


Before you begin:

  • Deploy a WordPress Server instance using the Vultr Marketplace Application.

    If you have an existing WordPress server, skip this step, and prepare your Cloudflare account.

  • Create or log in to your Cloudflare account.
  • Migrate your domain nameservers to Cloudflare.

    Cloudflare requires your domain linked to your account before protecting all domain DNS records. To migrate your domain nameservers, log in to your domain provider, and change the nameservers to the Cloudflare records listed in your account. Set up your domain A record to point to your Vultr WordPress server.

Set up Cloudflare Rules

Cloudflare offers multiple layers of protection for proxied DNS entries on your account. Through proxied entries, Cloudflare hides your WordPress server IP Address and returns dedicated IP Addresses to the client keeping your server identity safe.

Additionally, SSL/TLS encryption, DDOS, Known Bots, CAPTCHA challenge (Turnstile), and Web Application Firewall (WAF) security rules can be added to your account to grant Cloudflare filtering privileges when forwarding incoming traffic for your WordPress site.

In this section, set up Cloudflare rules to harden your WordPress security by increasing the SSL certificate encryption mode, limiting known bot activity, and enabling human verification on your site’s comment sections as described below.

Enable Proxying to hide the WordPress Server IP

A domain A record points to the WordPress server IP. When you proxy the record, all requests are served through the dedicated Cloudflare IP Addresses. Enable proxying to hide the server IP as described in the steps below.

  1. Access your Cloudflare account.

  2. Navigate to Websites.

  3. Click your WordPress site domain name to launch its configuration page.

  4. On the left navigation menu, click the DNS dropdown.

  5. On the Records page, find the DNS management section.

  6. Find the domain record with the Type set to A, and click Edit under Actions.

  7. Toggle the Proxy Status button to ON, and verify that it changes to Proxied.

  8. Click Save to apply changes and enable proxying on your domain A record.

    Cloudflare DNS Proxying Configuration

  9. To test that your real WordPress server IP Address is hidden from the site visitors, open a terminal session and ping your domain name as below.

     $ ping example.com

    Cloudflare IP replies are returned similar to the output below:

     $ ping example.com -c 4
     PING example.com ( 56 data bytes
     64 bytes from icmp_seq=0 ttl=53 time=94.955 ms
     64 bytes from icmp_seq=1 ttl=53 time=146.373 ms
     64 bytes from icmp_seq=2 ttl=53 time=90.532 ms
     64 bytes from icmp_seq=3 ttl=53 time=158.229 ms
     --- example.com ping statistics ---

    Before proxying, pings to your domain name return the actual server IP.

     $ ping example.com -c 4
     PING example.com ( 56 data bytes
     64 bytes from icmp_seq=0 ttl=53 time=94.955 ms
     64 bytes from icmp_seq=1 ttl=53 time=146.373 ms
     64 bytes from icmp_seq=2 ttl=53 time=90.532 ms
     64 bytes from icmp_seq=3 ttl=53 time=158.229 ms
     --- example.com ping statistics ---
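
To check proxying without reading ping replies by eye, the following added example (not part of the original article) tests whether the addresses your hostnames resolve to fall inside Cloudflare's published IPv4 ranges. The range list is a snapshot of https://www.cloudflare.com/ips-v4 that you should refresh before use, and the hostnames and addresses in `SAMPLE` are constructed, with `mail.example.com` as a hypothetical unproxied record.

```python
import ipaddress
import socket

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: refresh this list before relying on the result, since it can change.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(address: str) -> bool:
    """True when an IPv4 address falls inside one of the Cloudflare ranges."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4)


def resolve_v4(hostname: str) -> list[str]:
    """Resolve a hostname to its IPv4 addresses (live DNS lookup)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def exposed_records(records: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return hostnames with at least one address outside the Cloudflare ranges."""
    exposed = {}
    for host, addresses in records.items():
        outside = [a for a in addresses if not is_cloudflare(a)]
        if outside:
            exposed[host] = outside
    return exposed


# Constructed sample: example.com is proxied, while mail.example.com still
# answers with a documentation-range address standing in for the origin IP.
SAMPLE = {
    "example.com": ["104.21.10.20", "172.67.30.40"],
    "mail.example.com": ["203.0.113.10"],
}

if __name__ == "__main__":
    for host, addrs in exposed_records(SAMPLE).items():
        print(f"{host} is not proxied: {', '.join(addrs)}")
    # Live check for your own zone (requires network):
    # print(exposed_records({h: resolve_v4(h) for h in ["example.com"]}))
```

Run it against every hostname in your zone, because a single unproxied record that points to the WordPress server reveals the address that the proxied A record hides.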

Set the SSL/TLS Encryption mode

Cloudflare encrypts traffic between the visitor’s browser and the WordPress server depending on your SSL encryption mode setting. The available options include Flexible, Full, and Full (strict), and require an SSL certificate available on your server.

When enabled, the Cloudflare SSL certificate is returned to your website visitors, and the actual server certificate is used to encrypt the Cloudflare edge connection. In this section, set the maximum SSL encryption mode as described in the following steps.

  1. On the domain management page, click the SSL/TLS dropdown on the left navigation menu.

  2. Click Full (Strict) to enable end-to-end encryption between your WordPress server, Cloudflare, and the visitor’s browser.

    Set Cloudflare SSL encryption mode

    Make sure your WordPress server has a valid Let’s Encrypt SSL certificate for the encryption mode to work well. If the server certificate is expired, Cloudflare will return an SSL misconfiguration error to your site visitors.

  3. Scroll to the SSL/TLS Recommender section, and toggle the enable button to ON. You will receive Cloudflare SSL certificate recommendations in case your SSL settings require improvements.

    To further encrypt your connection, you can replace Let’s Encrypt Certificates on your server with origin SSL certificates by protecting your server using Cloudflare and the Vultr Firewall.

Configure Web Application Firewall (WAF) rules

Cloudflare offers a free basic Web Application Firewall (WAF). You can set WAF rules that execute an action when a request matches the rule's conditions. In this section, block potential cross-site scripting (XSS) requests in the following steps.

  1. On the left navigation menu, click the Security dropdown.

  2. Click WAF from the list of options.

  3. In the Custom rules section, click Create rule to set up a new condition.

  4. Enter a name for your new rule in the Rule name field.

  5. Click the Field dropdown, and select your desired function. For this article, select URI Full.

  6. Keep the Operator value set to equals.

  7. Enter https://example.com/wp-admin/*script* in the Value field.

    Configure Cloudflare WAF rules

    The above value matches any user request that contains a script tag. For example, https://example.com/wp-admin/admin-ajax.php?action=<script>alert('XSS Attack!'); matches the value, and your Cloudflare action is called.

  8. Scroll to the Choose Action dropdown, and select your preferred action. For this article, choose Block.

  9. Click Deploy to apply the new WAF rule.

To fine-tune your security, add more WAF rules depending on potential attacks you can simulate on the WordPress website. For example, you can block some countries from accessing your WordPress site by choosing Country in the Incoming requests match…. section.
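
Before deploying a rule such as the one in step 7, dry-run its value against requests your site legitimately serves. The following is an added example, not Cloudflare's matching engine or code from the original article: it models `equals` as an exact string comparison and the `*` characters as wildcards (both assumptions), adds a hypothetical tighter check named `script_tag_in_query`, and uses constructed sample URLs.

```python
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

RULE_VALUE = "https://example.com/wp-admin/*script*"  # value from step 7


def equals(url: str) -> bool:
    """Exact string comparison: '*' is an ordinary character here."""
    return url == RULE_VALUE


def wildcard(url: str) -> bool:
    """Treat each '*' in the value as 'any run of characters'."""
    return fnmatchcase(url, RULE_VALUE)


def script_tag_in_query(url: str) -> bool:
    """Tighter check: percent-decoded, lower-cased query holds '<script'."""
    parts = urlsplit(url)
    return (parts.path.startswith("/wp-admin/")
            and "<script" in unquote(parts.query).lower())


# Constructed sample requests (not taken from real traffic).
SAMPLES = [
    "https://example.com/wp-admin/admin-ajax.php?action=<script>alert('XSS Attack!');",
    "https://example.com/wp-admin/load-scripts.php?load=jquery-core",
    "https://example.com/wp-admin/admin-ajax.php?action=%3Cscript%3Ealert(1)",
    "https://example.com/wp-admin/admin-ajax.php?action=heartbeat",
]


def dry_run(samples):
    """Map each URL to the names of the comparisons that would match it."""
    checks = {"equals": equals, "wildcard": wildcard,
              "script_tag_in_query": script_tag_in_query}
    return {url: [name for name, fn in checks.items() if fn(url)]
            for url in samples}


if __name__ == "__main__":
    for url, matched in dry_run(SAMPLES).items():
        print(f"{matched or ['no match']}: {url}")
```

Under these assumptions the exact comparison matches none of the samples, while the wildcard form also matches `load-scripts.php`, a file the WordPress dashboard itself requests, so confirm the operator and test the admin area after deploying a Block action.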

DDOS and extra Cloudflare security

Distributed Denial of Service (DDOS) attacks are mostly aimed at breaking your WordPress server, and forcing users to receive errors when retrieving content on your site. To protect your site from any potential attacks, set up DDOS triggers as below.

  1. On the Settings dropdown, click DDOS.

  2. In the HTTP DDoS attack protection section, click Deploy a DDoS override.

  3. Enter a name in the Override name section, scroll and keep the DDoS L7 ruleset configuration values at default.

  4. Scroll to the Rule configuration section, and click the Browse Rules button.

  5. Click the checkbox on every rule you wish to activate. When ready, click the set action button, and select Block.

  6. Scroll down and click Next to save your rules.

    DDOS Override Rules

  7. Verify that the overrides are added to your Rule configuration, then click Save to save your DDoS configuration.

  8. Verify that your new DDoS

  9. To fine-tune other Cloudflare security options, click Settings from the security drop-down list.

  10. Set the Security mode and Challenge Passage options to your desired setting. Scroll, and keep the Browser Integrity Check and Privacy Pass Support buttons activated to save changes.

Enable CAPTCHA (Cloudflare Turnstile)

Turnstile is the Cloudflare implementation of CAPTCHA that presents users with either visible or invisible challenges when visiting your WordPress site. Most importantly, enable Turnstile CAPTCHA challenges in your WordPress comments section to block bots from auto-commenting on your pages and posts as described below.

  1. Access your main Cloudflare account dashboard.

  2. Find and click Turnstile on the left navigation menu.

  3. Click the Add site button to set up a new site.

  4. Enter your WordPress website name in the Site name field.

  5. Click the Domain drop-down, and select your target domain name to implement challenges on.

    Create Cloudflare Turnstile Widget

  6. In the Widget mode section, select Managed to show non-image or text challenges when the visitor’s threat score is high.

  7. Click Create to create your Turnstile widget.

  8. Copy the generated Site Key, and Secret Key (You will need them when integrating your WordPress comments).

Activate Turnstile Challenges on your WordPress comments and Login Form

You can activate Cloudflare Turnstile challenges on your WordPress comments, login form, password reset, and any other forms in two ways: through a plugin, or by editing theme files. In this section, activate your Cloudflare challenges using the Simple Cloudflare Turnstile WordPress plugin as described below.

  1. Log in to your WordPress dashboard using an administrator account.

  2. Navigate to Plugins, and click Add New.

  3. In the search plugins field, enter the keyword Simple Cloudflare Turnstile.

  4. In the search results, find the plugin, and click Install Now.

    Install Simple Cloudflare Turnstile

  5. Click Activate to enable the plugin, and auto-load the setup page.

  6. In the API Key Settings section, paste the Cloudflare Site Key, and Secret Key you copied earlier.

  7. Scroll, and set the widget theme, appearance mode, and a custom error message to display when a challenge is required.

    Setup Simple Cloudflare Turnstile

  8. Scroll to the Enable Turnstile on your Forms section, and check all forms you want to activate challenges on.

  9. Click Save Changes to apply your settings.

    Test Turnstile Challenges on WordPress

  10. In the Almost done…. pop-up, click Test Response to test that your Cloudflare Turnstile challenges work, and validate your account keys.

  11. When the connection is successful, you will receive the Success! Turnstile is working correctly with your API keys. alert.

Configure the Vultr Firewall

Cloudflare is a Content Delivery Network (CDN) and DDoS mitigation service that operates between your WordPress server, the Cloudflare Edge, and your visitor’s web browser. This means there is still a backdoor for potential attacks that reach your WordPress server from the server side. The Vultr Firewall is a network-mode firewall that operates on top of your Vultr server and filters any incoming requests based on IP addresses, ports, and protocols.

To harden your WordPress server security, configure the Vultr Firewall to limit server access to Cloudflare and any administrative users that manage the server as described in the following steps.

  1. Log in to the Vultr customer portal.

  2. On the Products page, navigate to Network.

  3. Click Firewall on the left navigation menu.

  4. Click Add Firewall Group to set up a new firewall resource.

  5. Enter a description for your new firewall group, and click Add Firewall Group to create the resource.

    Set up a Vultr Firewall Group

  6. Navigate to the Inbound IPV4 Rules section on the Manage Firewall Group page.

  7. Keep SSH selected as the protocol, click the Source dropdown and select MY IP from the list.

    The above setting blocks all SSH connections to your server except for connection requests from your IP Address.

  8. Click the + action button to add the new firewall rule.

  9. When the SSH rule is added, click the Protocol dropdown, and select HTTP from the list.

  10. Click the Source dropdown, select Cloudflare from the list, and click the + action button to add the new firewall rule.

    The above rule blocks all incoming HTTP requests to your server except for those from Cloudflare which proxies the requests to your site visitors.

  11. When added, click the Protocol dropdown, select HTTPS from the list, and click the Source dropdown to select Cloudflare.

  12. Click the + action button to add the new HTTPS rule to your Firewall group.

  13. To add a custom port such as the cPanel port 2083, click the Protocol dropdown and select TCP. In the Port field, enter the port number, and set the Source to your IP.

  14. Click the + action bar to save the firewall rule.

  15. Verify that a drop any 0-65535 rule is added to your Firewall group.

    A Vultr Firewall Group with Cloudflare Settings

    The drop any rule will block any other ports on your server. Verify that all essential ports are allowed through the firewall, and every administrative user is allowed to access the server.

  16. Click Linked Instances on the left navigation menu.

  17. Click the Server dropdown, and select your WordPress server from the list.

  18. Click the + add linked instance button to add your server to the firewall group.

    Link server to Vultr Firewall

  19. Verify that your server is added successfully, and test that you have SSH access to the server, and any other allowed ports for your IP Address.

Set up the WordPress Firewall

The Vultr Firewall and Cloudflare both filter traffic to your WordPress server, but some security threats can bypass both checkpoint filters and compromise your WordPress site. To harden security at all points, install a WordPress firewall to filter some requests made to your server, and implement 2-Factor Authentication for all WordPress administrator accounts.

In this section, install the WordFence Firewall plugin for WordPress and configure it to block multiple login failures for 2 months, and enable 2FA for the WordPress users as described in the steps below.

  1. Log in to your WordPress dashboard using an administrator account.

  2. Navigate to the Plugins page and click Add New.

  3. In the Search Plugins field, enter the keyword Wordfence.

    Install the Wordfence plugin

  4. In the search results, find the WordFence Security plugin, and click Install Now.

  5. Click Activate to enable the plugin.

  6. Click Get Your WordFence License to get a free license, and complete the plugin installation.

  7. When successful, go to the WordFence dashboard to start configuring the firewall.

    Wordfence Dashboard

  8. Click Login Security from the plugin dropdown menu.

  9. In the Two-Factor Authentication section, scan the unique QR code generated for your WordPress user using a compatible mobile application such as Authenticator.

    Enable 2FA

  10. Download the generated recovery codes to a safe location on your computer.

  11. Enter the 2FA code generated by your mobile application.

  12. Click the Activate button to enable 2-Factor Authentication for your WordPress user account.

  13. To enforce 2FA for every WordPress user, navigate to Settings, and enable 2FA Roles on target user categories by changing Disabled to Required.

  14. Navigate to Firewall, and click All Firewall Options to access the configuration page.

    Brute Force protection

  15. Click Brute Force Protection, and change the Lock out after how many login failures value to 3, the Lock out after how many forgot password attempts value to 1, and the Amount of time a user is locked out value to 2 months.

  16. Click Save Changes to apply your new changes.

You can fine-tune your Wordfence firewall configuration with rate limiting and advanced options to suit your needs. To verify that your settings work, test your WordPress security.

Test Your WordPress Security

To verify that your Vultr Firewall, Cloudflare, and WordPress firewall work correctly, use a different web browser and a different IP Address (separate Internet connection) to test your WordPress security as described in this section.

  1. Enter the following URL, and verify that your request is blocked by Cloudflare. Replace example with your actual domain name.

     https://example.com/wp-admin/admin-ajax.php?action=<script>alert('The hacker is here, I need access!');

    If your request is blocked, your Cloudflare Web Application Firewall (WAF) is working correctly.

  2. Visit your WordPress server IP Address using HTTP. Replace with your actual server IP Address.

    If your request is not processed, then, the Vultr Firewall has blocked your request because it's not from Cloudflare. All Cloudflare requests come through your WordPress domain name and not the direct Server IP Address.

  3. In a different web browser, access your WordPress login form.


    Enter the following logins 4 times:

     Username: admin
     Password: hacker

    You will receive a WordFence lockout screen with a notice that your activity is logged, and your lockout duration to try again is 2 months. To lift the ban, you need to enter an administrator’s Email Address to validate if the lock-out is a mistake.

  4. Visit any of your WordPress posts or pages enabled with comments.


    Scroll to the comment section, and try writing a comment. Verify that a Cloudflare Widget challenge displays to verify if you are human.

    Cloudflare Challenge

When successful, you can post a comment. When unsuccessful, the widget requires you to verify that you are human. This way, bots are unable to pass any challenge when trying to write or spam comments on your WordPress site.


You have hardened WordPress security with Vultr and Cloudflare. By implementing the steps in this article, your WordPress site is secure from most types of security threats such as bot attacks. Also, filters can block out any bad bots that attempt to visit your WordPress site, making sure every visitor is human.

Next Steps

For more information and WordPress configuration choices, visit the following resources.