
How to Lock Down Your WordPress Login to Ireland Only Using Cloudflare

Learn how to lock down your WordPress login using Cloudflare firewall rules to block foreign login attempts and protect your site from brute-force attacks.

Brute-force login attacks are one of the most common ways WordPress sites get hacked. Even if you hide your login URL or use strong passwords, bots from around the world are constantly trying to access /wp-login.php and /wp-admin.

One of the most effective security steps you can take is to block WordPress login access by country — allowing only Ireland to reach your login page, and blocking the rest of the world automatically.

In this guide, I’ll show you how to do exactly that using Cloudflare Custom Firewall Rules.


Why This Works So Well

Most WordPress attacks come from automated bots based outside Ireland. By blocking login access at Cloudflare level:

  • Bots never reach WordPress
  • Your server uses fewer resources
  • Brute-force attacks are almost completely eliminated

If you (and your team) only log in from Ireland, this is one of the strongest protections you can add.


What You Need

Before you begin:

  • Your website must be using Cloudflare
  • You should normally log in from Ireland
  • You must have access to the Cloudflare dashboard

Step 1 — Create a New Custom Firewall Rule

  1. Log into Cloudflare
  2. Select your domain
  3. Go to:

Security → WAF → Custom Rules

  4. Click Create rule

Give the rule a name, for example:

Allow Ireland Only – WordPress Login


Step 2 — Change the Condition (Very Important)

Click Edit expression in the rule builder.

Delete anything that’s there and paste this exactly:

(http.request.uri.path contains "/wp-login.php" 
 or http.request.uri.path contains "/wp-admin")
and not ip.geoip.country in {"IE"}

What This Rule Does

This rule means:

  • If the request is for /wp-login.php or /wp-admin
  • And the visitor is not from Ireland
  • Cloudflare will block the request immediately

So:

  • Visitors in Ireland can access the login page normally
  • Visitors outside Ireland are completely blocked

Bots from the Netherlands, Poland, Germany and other countries will never reach your WordPress login page again.


Step 3 — Choose the Action

Under Then take action…

Select:

Block

Click Deploy to activate the rule.


Step 4 — Test Before Logging Out

Before you log out of WordPress:

  1. Open a private or incognito browser window
  2. Visit:
yourwebsite.ie/wp-login.php
  3. Make sure the login page loads normally

If it works, the rule is active and working correctly.


Optional: Whitelist Your Own IP Address

If you ever use mobile data, travel abroad, or connect through a VPN, you can avoid locking yourself out by adding a second rule above this one.

Create a new rule:

Condition:

ip.src in {YOUR.PUBLIC.IP}

Action:

Allow

This ensures you always have access to your WordPress admin area.
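
The two rules above, modeled offline as an added example (not part of the original guide and not Cloudflare's rule engine). The Request class, the evaluate and run_samples functions, the sample requests and the address 203.0.113.10 standing in for YOUR.PUBLIC.IP are assumptions made for illustration; it shows which requests the expressions match, including /wp-admin/admin-ajax.php and /xmlrpc.php.

```python
# Added example: offline model of this guide's two rules.
# Not Cloudflare's rule engine; it only mirrors the expressions shown above.
from dataclasses import dataclass

PROTECTED = ("/wp-login.php", "/wp-admin")  # substrings used by "contains"
ALLOWED_COUNTRIES = {"IE"}                   # the {"IE"} set in the block rule
ADMIN_IPS = {"203.0.113.10"}                 # constructed stand-in for YOUR.PUBLIC.IP


@dataclass(frozen=True)
class Request:
    path: str     # http.request.uri.path
    country: str  # ip.geoip.country
    src_ip: str   # ip.src


def evaluate(req: Request) -> str:
    """Return the outcome of the two rules, checked in order (top rule first)."""
    # Rule 1 (optional, placed above the block rule): ip.src in {YOUR.PUBLIC.IP}
    if req.src_ip in ADMIN_IPS:
        return "allow"
    # Rule 2: (path contains ...) and not ip.geoip.country in {"IE"}
    on_protected_path = any(fragment in req.path for fragment in PROTECTED)
    if on_protected_path and req.country not in ALLOWED_COUNTRIES:
        return "block"
    return "pass"  # neither rule matched; the request goes on to the origin


# Constructed sample requests (documentation IP ranges, not real traffic).
SAMPLES = [
    Request("/wp-login.php", "IE", "198.51.100.7"),             # Irish login
    Request("/wp-login.php", "NL", "198.51.100.8"),             # foreign login
    Request("/wp-admin/admin-ajax.php", "DE", "198.51.100.9"),  # front-end AJAX
    Request("/xmlrpc.php", "PL", "198.51.100.10"),              # not in the rule
    Request("/wp-admin/", "FR", "203.0.113.10"),                # admin travelling
]


def run_samples():
    """Evaluate every sample and return (path, country, outcome) tuples."""
    return [(r.path, r.country, evaluate(r)) for r in SAMPLES]


if __name__ == "__main__":
    for path, country, outcome in run_samples():
        print(f"{outcome:5}  {country}  {path}")
```

The block result for /wp-admin/admin-ajax.php means plugins or themes that call that endpoint from public pages will fail for visitors outside Ireland, and the pass result for /xmlrpc.php is why XML-RPC has to be handled separately.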


Final Thoughts

This single Cloudflare rule gives you:

  • Country-level login protection
  • Near-zero brute-force attacks
  • Reduced load on your server
  • Much stronger security than hiding the login URL alone

When combined with two-factor authentication, disabled XML-RPC, and strong passwords, this provides enterprise-level WordPress login protection.

If you manage multiple WordPress sites, you can also apply this rule at account level in Cloudflare so it protects all your domains automatically.

If you’d like help setting this up safely on your site or across multiple client sites, feel free to get in touch.


Design My Website are a web design company based in Kerry. The majority of our meetings are done via video call but we can travel within Munster.

© 2026 Design My Website