Configure Cloudflare Zero Trust for Web Applications

Attackers often target the login page of a web application. Security mechanisms such as two-factor authentication (2FA), rate limiting, and a Web Application Firewall (WAF) are commonly deployed to reduce the risk. Cloudflare Zero Trust (also known as Cloudflare Access) adds another layer: it verifies a user's identity at Cloudflare's edge before the request reaches the web application. You can configure policies so that the login page is reachable only by users Cloudflare has authenticated. This tutorial covers the steps to configure Cloudflare Zero Trust for a WordPress installation.

1. Sign up for Cloudflare for Teams

To begin with, navigate to the Cloudflare for Teams page and choose a team name.

Figure: Cloudflare for Teams Welcome Page

Create a sub-domain for your account. Note that the domain ends with “cloudflareaccess.com”.

Figure: Cloudflare for Teams Unique Domain

A free tier plan is sufficient for testing purposes.

Figure: Cloudflare for Teams Free Plan

2. Create Cloudflare Access Applications

Choose “Applications” under the “Access” section on the sidebar.

Figure: Cloudflare Access – Application Sidebar

Choose “Add an application”.

Figure: Add an application
Figure: Add an application – Select self-hosted

Next, enter an application name (for your own reference) and the application domain. For example, to protect the WordPress login page with Cloudflare Access, set the application domain to yourdomainname.com/wp-login.php.

Figure: Add an application – Input name and domain

3. Create Cloudflare Access Application Policies

Next, define policies for the application: who is allowed to reach it, and under what conditions.

For example, you can allow only users with specific email addresses to visit the page. Everyone else is stopped at Cloudflare before reaching the login page, which is how the Zero Trust model is achieved here.

Figure: Cloudflare Zero Trust Edit Policy

After creating the application and its policies, you can review them on the Cloudflare Access page.

Figure: Cloudflare Access Applications Overview
Figure: Cloudflare Access Applications Policies Overview

4. Verify Cloudflare Zero Trust Authentication Mechanism

By default, Cloudflare Zero Trust uses a One-time PIN (OTP) as its authentication method. You can confirm this under “Settings” -> “Authentication”.

Figure: Cloudflare Zero Trust One-time PIN

5. Evaluate the Application Protected by Cloudflare Zero Trust

Navigate to the webpage protected by Cloudflare Zero Trust. Visitors will be redirected to the Cloudflare Access page for identity verification.

Figure: Cloudflare Access OTP Page

Users must enter an approved (allow-listed) email address and request an OTP code to continue. An address that is not on the list does not receive a code, and the user is not told why; this is to prevent spoofing. The PIN also expires after 10 minutes.

Users can either follow the link in the email or copy the code and paste it into the login screen.

Figure: An example Cloudflare Access OTP email
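Access only evaluates requests that arrive through Cloudflare, so the usual companion step when protecting wp-login.php is to have the origin itself check the proof Cloudflare attaches to each authenticated request: a signed JWT in the Cf-Access-Jwt-Assertion header (also set as the CF_Authorization cookie), whose signing keys are published at https://<team>.cloudflareaccess.com/cdn-cgi/access/certs. The Go program below is an added example written for this page, not code from the tutorial or from Cloudflare. It implements that check (algorithm pinned to RS256, key selected by kid, issuer, AUD tag, expiry) and, because it has to run offline, mints its own test tokens with a freshly generated key; the team domain example-team.cloudflareaccess.com and the AUD tag are placeholders, and the MintToken helper stands in for what Cloudflare does on its side.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Access JWT claims the origin acts on; Access issues "aud" as an array.
type Claims struct {
	Iss   string   `json:"iss"`
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
}

// Verify validates a token from the Cf-Access-Jwt-Assertion header (or CF_Authorization cookie)
// against Access's public keys indexed by "kid" (fetched in production from the team's
// /cdn-cgi/access/certs endpoint), the issuer URL and this app's AUD tag; any error means reject.
func Verify(token string, keys map[string]*rsa.PublicKey, issuer, audience string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: expected three segments")
	}
	var raw [3][]byte // decoded header, payload and signature
	for i, seg := range parts {
		b, err := base64.RawURLEncoding.DecodeString(seg)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = b
	}
	// Pin alg and key: never let the token choose them; an unparsable header leaves Alg empty and fails too.
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	_ = json.Unmarshal(raw[0], &hdr)
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok {
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	// RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of the encoded "<header>.<payload>".
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // only now is the payload trustworthy enough to parse and check
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == audience
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not this team's Access domain", c.Iss)
	case !audOK:
		return nil, fmt.Errorf("token was issued for a different application")
	case time.Now().Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// MintToken signs an Access-shaped RS256 token so this example can run offline; in reality only
// Cloudflare holds the signing key, which is why signing errors are not handled here.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

// Demo runs Verify over constructed tokens (fresh key, made-up team domain and AUD tag).
func Demo() map[string]bool {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // fails only if crypto/rand is unavailable
	keys := map[string]*rsa.PublicKey{"k1": &priv.PublicKey}
	const iss, aud = "https://example-team.cloudflareaccess.com", "constructed-aud-tag"
	fresh := Claims{Iss: iss, Aud: []string{aud}, Email: "alice@example.com", Exp: time.Now().Unix() + 3600}
	other, stale, forged := fresh, fresh, fresh
	other.Aud, stale.Exp, forged.Email = []string{"some-other-app"}, fresh.Exp-7200, "mallory@example.com"
	g, f := strings.Split(MintToken(priv, "k1", fresh), "."), strings.Split(MintToken(priv, "k1", forged), ".")
	rejects := func(tok string) bool { _, err := Verify(tok, keys, iss, aud); return err != nil }
	return map[string]bool{
		"valid accepted":     !rejects(strings.Join(g, ".")),
		"wrong aud rejected": rejects(MintToken(priv, "k1", other)),   // genuine signature, other app
		"expired rejected":   rejects(MintToken(priv, "k1", stale)),   // genuine signature, past expiry
		"tampered rejected":  rejects(g[0] + "." + f[1] + "." + g[2]), // edited payload, genuine signature
	}
}
func main() { fmt.Println(Demo()) }
```

Run it with go run; Demo returns a map showing that a correctly signed token for this application is accepted while a token for another application, an expired token and a token whose payload was edited after signing are all rejected. In a WordPress deployment the same checks belong in a plugin or in the reverse proxy in front of PHP, using the live key set from the certs endpoint and the AUD tag shown on the application's page in the dashboard; a request without a valid token should be treated as if Access had never seen it.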

6. Review Cloudflare Zero Trust Analytics and Access Logs

You can review analytics and access logs directly in the Cloudflare Zero Trust dashboard. Note that the free tier plan retains only 24 hours of access logs.

Figure: Cloudflare Zero Trust – Access Analytics
Figure: Cloudflare Access – Failed Logins
Figure: Cloudflare Access – Complete Access Logs
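Because the free tier keeps only 24 hours of logs, a practical habit is to export login events (Cloudflare offers a Logpush dataset for Access requests) and keep your own record. As an added example, not part of the tutorial or of Cloudflare's tooling, this Go program reads newline-delimited JSON events and flags every email/IP pair with repeated denied logins, which is how the failed-logins view above would surface unapproved addresses probing the login page. The event field names (CreatedAt, Email, IPAddress, AppDomain, Action, Allowed) are my assumption about the export's shape, and the six sample events are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// AccessEvent holds the fields this example reads from an exported Access login log. The field
// names follow Cloudflare's access_requests Logpush dataset as I understand it; treat them as an
// assumption and adjust them to match your own export.
type AccessEvent struct {
	CreatedAt string `json:"CreatedAt"`
	Email     string `json:"Email"`
	IPAddress string `json:"IPAddress"`
	AppDomain string `json:"AppDomain"`
	Action    string `json:"Action"`
	Allowed   bool   `json:"Allowed"`
}

// Finding is one identity (email plus source IP) with its count of denied login attempts.
type Finding struct {
	Email, IP string
	Denied    int
}

// FlagRepeatedDenials scans newline-delimited JSON events and returns every email/IP pair with at
// least threshold denied login events, most frequent first.
func FlagRepeatedDenials(ndjson string, threshold int) ([]Finding, error) {
	type key struct{ email, ip string }
	counts := map[key]int{}
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev AccessEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		if ev.Action == "login" && !ev.Allowed {
			counts[key{ev.Email, ev.IPAddress}]++
		}
	}
	var out []Finding
	for k, c := range counts {
		if c >= threshold {
			out = append(out, Finding{k.email, k.ip, c})
		}
	}
	sort.Slice(out, func(i, j int) bool { // highest count first, then a stable name order
		if out[i].Denied != out[j].Denied {
			return out[i].Denied > out[j].Denied
		}
		return out[i].Email+out[i].IP < out[j].Email+out[j].IP
	})
	return out, nil
}

// SampleLog is constructed for this example; it is not a real export.
const SampleLog = `
{"CreatedAt":"2024-01-05T09:00:01Z","Email":"alice@example.com","IPAddress":"198.51.100.7","AppDomain":"example.com/wp-login.php","Action":"login","Allowed":true}
{"CreatedAt":"2024-01-05T09:02:11Z","Email":"bob@example.net","IPAddress":"203.0.113.9","AppDomain":"example.com/wp-login.php","Action":"login","Allowed":false}
{"CreatedAt":"2024-01-05T09:02:40Z","Email":"bob@example.net","IPAddress":"203.0.113.9","AppDomain":"example.com/wp-login.php","Action":"login","Allowed":false}
{"CreatedAt":"2024-01-05T09:03:02Z","Email":"carol@example.org","IPAddress":"203.0.113.9","AppDomain":"example.com/wp-login.php","Action":"login","Allowed":false}
{"CreatedAt":"2024-01-05T09:03:30Z","Email":"bob@example.net","IPAddress":"203.0.113.9","AppDomain":"example.com/wp-login.php","Action":"login","Allowed":false}
{"CreatedAt":"2024-01-05T09:05:00Z","Email":"alice@example.com","IPAddress":"198.51.100.7","AppDomain":"example.com/wp-login.php","Action":"login","Allowed":false}
`

func main() {
	findings, err := FlagRepeatedDenials(SampleLog, 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s from %s: %d denied logins\n", f.Email, f.IP, f.Denied)
	}
}
```

With the sample data and a threshold of 3, only bob@example.net from 203.0.113.9 is reported; the single denial for alice@example.com (a legitimate user who mistyped once) stays below the threshold. Lowering the threshold to 1 lists every denied pair, which is useful when reviewing a short window such as the 24 hours the free tier retains.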

Conclusion

Cloudflare Zero Trust strengthens web application security by enforcing user authentication before a request reaches the application. It reduces the attack surface because only pre-approved users can reach sensitive pages of your website, and administrators and auditors can review the details of every access attempt and action taken. It also works alongside application-level security controls for more comprehensive protection.