Secure WordPress Login Area with Cloudflare IP Geolocation


Hi Sir,

I am trying to secure WordPress login with Cloudflare IP geolocation.

I read your below facebook note:

<FilesMatch "wp-login.php">
    RewriteEngine on
    RewriteCond %{HTTP:CF-IPCountry} !^(XX)$
    RewriteRule ^(.*)$ – [R=403,L]

I tried your given code. I replaced XX with country code. But it’s not working. I also set IP Geolocation setting “ON” in cloudflare.

Did anyone try this code? Also, i need help for how to check Cloudflare returns country code?

Add X-Robots-Tag: noindex, nofollow to Affiliate links

Thanks for checking out my tutorial.
May I know, which Country code you are trying?


“IN” - country code for India.


I am also using with Country code IN, it’s working fine for me.


Not working means? :confused: Are you getting any specific error?

Please follow below steps

  1. Go to DNS page
  2. The site for which you need country restriction feature, its A record status must be in the Orange color that means reverse proxy + DNS should be turned on.

For example, A is my WP site, there CF is turned on.

Hence, I am able to restrict below page to India.

Note: With Grey Mode (If Cloudflare CDN is disable), Geolocation feature will not work.


Hi Sir,

I also check Cloudflare DNS setting, that is turned on. Showing orange color.

Code not working means, from other “US” country wp-login.php page opens normally without any block.

I have also tried to open your site login URL from US country. Your site login page URL opens normally from US country.

Please see attached screenshot.

I have a question for debugging Cloudflare country code is,
How to check Cloudflare returns country code in chrome browser?
Is Cloudflare returns country code in page response header?



Any Update for above query?



Sorry for late response.

Here’s my response to your all queries.

I have been able to successfully implement geo-blocking feature for many WordPress sites. Till this date in my knowledge, it’s work flawlessly.

I am feeling bit surprised, why it’s not working. Can you please check below things

  1. Login to Cloudflare > Select domain
  2. Go to Network menu
  3. Little scroll down, you will see an option called IP Geolocation, it must be turned on.
  4. If you have created page rule for /wp-login.php path, the IP Geo Location header shouldn’t be turned off. Better if in last step you already have enabled, then you don’t need to keep it again.
  5. If you follow above procedure correctly, chances are it should work fine.
  6. It is also possible that if webserver Apache version is outdated, it may not work.

In that case, I would recommend changing .htaccess rule.

    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/wp-login(.*)$
    RewriteCond %{HTTP:CF-IPCountry} !^(US)$
    RewriteRule ^(.*)$ – [R=404,L]

Or… You may use this plugin


I stopped using it.


Any specific reason why you stopped using it?


To fullfill a dream. :wink: :joy:


Gotcha :wink:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^/wp-login(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/login(.*)$ 
RewriteCond %{HTTP:CF-IPCountry} !^(IN)$
RewriteRule ^(.*)$ – [R=403,L]

It’s working. Thanks.


Are you using custom login URL at WordPress?


Yes. Is there any problem while use custom login url?


No issues. It’s completely okay. :slight_smile:


Hi Sir,

I try to use this code for block some countries for access whole site.

RewriteCond %{REQUEST_URI}
RewriteCond %{HTTP:CF-IPCountry} ^(BR|UK|NL)$
RewriteRule ^(.*)$ – [R=403,L]

While i use this code, site stop working because of syntax error in “REQUEST_URI”.

Can you please tell me, What is the correct syntax to check “RewriteCond %{REQUEST_URI}” for whole site requests?

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/wp-admin(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/phpmyadmin(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-login(.*)$ 
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax.php(.*)$ 
RewriteCond %{REQUEST_URI} !^/wp-admin/images(.*)$ 
RewriteCond %{HTTP:CF-IPCountry} !^(IN)$
RewriteRule .* - [R=404,L,NC]

An example. This works like this.

  1. For requested path: /wp-admin, phpmyadmin, or wp-login
  2. Excluding for /wp-admin/admin-ajax.php and /wp-admin/images path/
  3. Excluding for IN country
  4. Return HTTP status code 404.


As per your suggested code that for admin & login area requests other than India country will pass to 404 not found error, Its work perfectly. That I already implemented.

As your code uses “Not In” condition !^(IN), But now I want to use equal condition for the block other countries.
RewriteCond %{HTTP:CF-IPCountry} ^(BR|UK|NL)$
RewriteRule ^(.*)$ – [R=403,L]

I want to pass all websites requests to 403 page to that number of countries. Not only admin & login page need to block the whole site. The problem only in the first line of code to check all site requests.

Can you please suggest, What is the syntax for checking all website requests using RewriteCond %{REQUEST_URI}?

# Block access to whole website for BR, UK and NL countries
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:CF-IPCountry} ^(BR|UK|NL)$
RewriteRule .* - [R=404,L,NC]