Cloudflare Logo

Use CloudFlare to Secure WordPress by Country Codes

Firstly, check that you have the IP Geolocation option enabled on CloudFlare.

The most efficient way to do this with PHP would be to place the code below in the top of your wp-login.php, but WordPress will overwrite this file when it updates. The next best position is at the top of wp-config.php. If you follow the way WordPress loads, wp-login.php will require wp-load.php first, then after 4 minor lines of code, it will then get wp-config.php.

 * CloudFlare - Connecting IP - for wp-config.php.
if ( !empty( $_SERVER['REMOTE_ADDR'] ) && !empty( $_SERVER['HTTP_CF_CONNECTING_IP'] ) )

 * CloudFlare - Limit WordPress Login to Australia with Whitelist - for wp-config.php.
 * It is best to bypass for IPv6 unfortunately, unreliable country code from CloudFlare at the moment.
$ip_whitelist = array( '::1', '' );

if ( in_array( $_SERVER['PHP_SELF'], array( '/wp-login.php' ) ) && !in_array( $_SERVER['HTTP_CF_IPCOUNTRY'], array( 'AU' ) ) )
    if ( !in_array( $_SERVER['REMOTE_ADDR'], $ip_whitelist ) && !preg_match( '/^([0-9a-f\.\/:]+)$/', $_SERVER['REMOTE_ADDR'] ) )
        header( 'Location: /' );

This is just a different interpretation of my friends script. My version does not allow WordPress to waste CPU before booting the IP from the login page. It also allows for an IP whitelist to bypass this for trusted IP addresses.

It is best to pair this with a plugin like Simple Login Lockdown. There are also some useful .htaccess rules you can use, but I won’t go into that here.

Cloudflare Logo

Use CloudFlare for Dynamic DNS on Windows

The most popular Dynamic DNS provider, DynDNS, is now a paid service. There are other alternatives, each with their own pros and cons. Many DNS updaters, modems and routers support DynDNS. If you own a domain already this solution might interest you.

With a Static IP, you only need to create a permanent A record in DNS management. Most domain registrars do not allow Dynamic DNS. The server I want to access via subdomain has a Dynamic IP. While researching possible solutions, a friend hinted that you can update A records using the CloudFlare API. The domain already uses CloudFlare, so this is great news.

If you have got this far, you already know how to configure your firewall and port forward. You should be able to access the server from the internet using your IP address and port.

Follow the CloudFlare setup to point your nameserver to the correct location. If you intend to use a subdomain, create the A record in DNS management. Make sure CloudFlare is off for this record (optional, might be ok for your purposes).

Cloudflare Diagram

There are various ways to make a CloudFlare DNS updater, but no easy solution for Windows. I recently stumbled on one that works well, CloudFlare DDNS Updater. You can download it here.

You will need your API Key, primary domain name and the email address associated with your CloudFlare account. Once successful it will download your DNS records. You can then select which one you want to update. DNS propagation may take some time. Check CloudFlare to see if the address matches your IP address, then test from another internet connection.

It’s usually only $5-10 a year to register a domain. CloudFlare is a free service. This solution is cost effective and cleaner than having a subdomain of a free Dynamic DNS provider. No need to worry about confirming the DNS every 30 days, and is far nicer than

Note: In some environments (64-bit) CloudFlare DDNS Updater will not install as a service, there is a bug in v0.1. If you set the username as .\username rather than just username, it will successfully install as a service.

WordPress Logo

Stay logged in with WordPress on Subdomains

A clients site performs some magic to show different content per subdomain. By default each subdomain asks you to login, which is a bit annoying. It would be convenient if admins of a single WordPress installation could stay logged in when they jump between subdomains.

I found that all we needed to do was set the cookie domain and path in wp-config.php. At first it seemed only COOKIE_DOMAIN and COOKIEPATH would be needed, but it did not behave until COOKIEHASH was also set. You could probably set it to anything you like, I just had a defined variable already.

 * Set cookie properties to allow persistent login across subdomains.
define('MY_DOMAIN', '');
define('COOKIEPATH', '/');
define('COOKIEHASH', md5(MY_DOMAIN) );

This may also work between WordPress installations across subdomains. I haven’t tested this theory. Both installations would require the same login details and this config. It is working with WordPress versions 3.8+.