Secure WordPress Login Area with Cloudflare IP Geolocation


No, this code not working. Its simply allow accessing from another UK country. I think without REQUEST_URI line of code it not check all web requests.

Is there any syntax that uses REQUEST_URI to check all requests like, we check “wp-admin” page request using below line of code,

RewriteCond %{REQUEST_URI} ^/wp-admin(.*)$


Sorry, I just noticed one thing. For UK, the code UK is not valid.

In ISO 3166-1 Alpha 2 format, it should GB.


# Block access to whole website for BR, United Kingdom and NL countries
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:CF-IPCountry} ^(BR|GB|NL)$
RewriteRule .* - [R=404,L,NC]

You may verify Country code here


I tried to change the country code to “GB” and check again, But still it’s not working.:thinking:


I got bit confused. :frowning:
Can you please revise your question, what exactly you are trying to achieve?


I want to Block access to the whole website for BR, United Kingdom, and NL countries.

As per your given below code, that I tried but it’s not working. From BR, United Kingdom, and NL countries return 200 status code.

RewriteCond %{HTTP:CF-IPCountry} ^(BR|GB|NL)$
RewriteRule .* - [R=404,L,NC]


If it is returning 200, means country code is wrong.

Can you please write all full country name which you want to block?

I will try to block once at my end… If it works, I will let you know.


As the country code is right. It returns 200 status code means, the page opens normally without any 404 error.

Below are the country names and its codes.

Brazil - BR
Netherlands - NL
United Kingdom - GB
Germany - DE


This is how I impemented the country block rule.

RewriteCond %{HTTP:CF-IPCountry} ^(BR|GB|NL|DE)$
RewriteRule .* - [R=404,L,NC]

Result, it’s working 100% correctly.
When GTmetrix is trying to fetch web page from GB, it returns HTTP status 404.


Yes, This code is working correctly.

But, I found a problem of htaccess file with W3TC cache plugin, that W3TC caches htaccess file and that’s why htaccess above added code not used. So i need to clear all W3TC caches using “empty all caches” button. Then after above code works for shows 404 page to other countries.

Still for other blocked countries, some times its shows 404 error page and some times shows 200 response for same page. I think this problem is because of W3TC cache plugin.

Is anyone face this issue?

Why W3TC plugin caches htaccess file?

Is there any setting available to stop caching htaccess file?


I doubt if W3TC is a problem, maybe some other issue as well. If I can see once URL possibly I maybe able to tell little precisely.


@GulshanKumar how about securing it with htpasswd and htaccess?


Yes, it’s good to have double password. But if implemented correctly.

Special note: If you are using WooCommerce or some theme/plugin that uses WordPress Heartbeat API with /wp-admin/admin-ajax.php to run Ajax calls from the web-browser, make sure to whitelist it for the smooth experience.


Updated version: Now, it’s possible with Cloudflare Managed Firewall Rules