Attackers often target the login page of a web application. Security mechanisms such as Two-Factor Authentication (2FA), Rate Limitation, and Web Application Firewall (WAF) are adopted to mitigate the security risks. Cloudflare Zero Trust (a.k.a. Cloudflare Access) is a security model which offers the ability to verify user identity for accessing web applications. You can configure policies to enhance website security by limiting login pages to be accessible only by Cloudflare authenticated users. This tutorial will cover the steps to configure Cloudflare Zero Trust for a WordPress installation.
1. Apply for Cloudflare for Teams
To begin with, navigate to Cloudflare Teams page and choose a team name.
Create a sub-domain for your account. Note that the domain ends with “cloudflareaccess.com”.
A free tier plan is sufficient for testing purposes.
2. Create Cloudflare Access Applications
Choose “Applications” under the “Access” section on the sidebar.
Choose “Add an application”.
After that, you can enter the application name for your reference and specify the application’s domain. As an example, you can specify the page “wp-login.php” to be protected by Cloudflare Access by specifying the application domain to be yourdomainname.com/wp-login.php
3. Create Cloudflare Access Application Policies
Next, specify policies for the application. You can select what actors are allowed to reach the application, and under what conditions.
For example, you can specify to only allow users with certain email addresses to visit your page. Other users cannot access your web application’s login page; thus, the Zero Trust security model can be achieved.
After creating the application and policies, you can view the results on Cloudflare Access page.
4. Verify Cloudflare Zero Trust Authentication Mechanism
By default, Cloudflare Zero Trust adopts One-time PIN (OTP) as an authentication mechanism. You can verify this by navigating to “Settings” -> “Authentication”.
5. Evaluate the Application Protected by Cloudflare Zero Trust
Navigate to the webpage protected by Cloudflare Zero Trust. Visitors will be redirected to the Cloudflare Access page for identity verification.
Users need to input their approved (whitelisted) email addresses and request an OTP code to continue. Note that invalid email addresses will not receive an OTP code and users will not be notified of the reason. This is to prevent spoofing. The secure PIN will also expire in 10 minutes.
Users can use the link to continue or copy and paste the code to the login screen.
6. Review Cloudflare Zero Trust Analytics and Access Logs
You can review analytics and access logs directly on the Cloudflare Zero Trust Dashboard. Note that free tier plan is limited to 24 hours of access logs.
Conclusion
Cloudflare Zero Trust enhances web application security by enforcing strengthened user authentication mechanism. It is a useful tool to reduce the attack surface of an application because only pre-approved users can visit sensitive pages of your website. Administrators and auditors can easily review the details of every access attempt and action taken. It can also work alongside application-level security solutions for more comprehensive protection.