View Categories

Challenge VPN & Login

1 min read

The Challenge VPN & Login feature is a powerful layer of your Web Application Firewall (WAF). It is designed to stop bots and malicious actors who use Virtual Private Networks (VPNs) to hide their identity while attempting to attack your WordPress login page. By enabling this, you require visitors using known VPN services to pass a “challenge” (like a CAPTCHA or a browser verification) before they can access sensitive areas of your site.

Challenge VPN & Login rules in waf using ultiamte security

Enable Challenge VPN Connections & wp-login

This activates the entire VPN and login protection system. If this is off, none of the settings below will take effect. Toggle the Enable switch to turn the protection on. Once active, it monitors traffic from known VPN providers and applies security checks to anyone trying to reach your login page.

Enable Challenge VPN Connections & wp-login in waf rules using ultiamte security

VPN Providers Section

When this is toggled ON, the plugin will automatically challenge traffic from all major providers. If you want to allow some VPNs but block others, turn off the “Challenge All” toggle and manually select the providers listed.

VPN Providers Section in waf rules

Available VPNs

  • NordVPN
  • ExpressVPN
  • PureVPN
  • Surfshark
  • IPVanish
  • QuadraNet
  • OVH France
  • Mullvad VPN
  • Private Layer

Protected Paths

WordPress Login (wp-login.php): This is the default WordPress login page. When enabled, anyone trying to access wp-login.php will be challenged.

Custom Login URL Section

Protects a custom login URL if you have changed it from the default wp-login.php. Ultimate Security itself lets you rename your login page to something like /my-secret-login/ instead of /wp-login.php. This hides your login page from casual attackers. If you have done this, you need to tell the WAF to protect that custom URL too

Custom Login URL Section protection using waf rules in ultimate security

Text field: Enter your custom login path in the placeholder.

Deploy to Cloudflare

After configuring your bot whitelist, you must save and deploy to make it active on Cloudflare.

deploy to cloudflare from waf settings

Deploy Rules: Pushes your saved settings to Cloudflare and activates them live
Preview Rules: Shows you the exact rule expressions that will be generated. Review before deploying
Remove Plugin Rules: Removes all WAF rules created by this plugin from Cloudflare
Zone Selector: Choose which Cloudflare domain (zone) to deploy to.

How Deployment Works From the Plugin:

  1. Save your WAF settings first using the Save Changes button at the bottom of the page
  2. Select the Cloudflare zone you want to protect
  3. Preview Rules shows the current draft output, including source tags for each generated rule
  4. Deploy Rules pushes only the saved plugin-managed rules and preserves unrelated Cloudflare rules

The plugin only manages its own rules. It won’t delete or overwrite any rules you created manually in Cloudflare.

What are your Feelings

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top