Disclaimer: This blog has been written with no assistance from Artificial Intelligence (AI). This post has not been sponsored, nor have I received any free products that others would not be able to access for free. This blog is not intended as a tutorial, but as a high-level “here’s something that’s possible”-style blog.
It seems like every year there’s at least one critical-severity vulnerability in WordPress or one of the major plugins. These issues are sometimes related to admin pages or settings that could either be accessed without appropriate permissions, or while unauthenticated.
The Search
I wasn’t happy with that risk, so I decided to do something about it. I had a few priorities when I looked at possible solutions:
- External to WordPress – If WordPress itself were compromised, I wanted to know that this solution would still work regardless and protect access to my admin panel.
- Reputable & Recognisable – If I hadn’t heard of the company in the internet space before, then it probably wasn’t going to work very well.
- Integrated with other measures – It should integrate neatly with other solutions (e.g. my on-prem identity provider) without too much hassle.
- Low-Cost – Ideally I’d like to limit the amount of money I’m spending to deliver this.
Enter Cloudflare Zero Trust
Cloudflare Zero Trust is one of those products that sounds like it should be extremely costly or difficult, but actually it was pretty easy to set up.
It ticked all the boxes:
- External to WordPress – Cloudflare Tunnel routes connections through Cloudflare’s security proxy before they ever reach my website. If the proxy sees an attempt to access the login or admin pages, it redirects the request for authentication first.
- Reputable & Recognisable – Cloudflare is a well-known company with an established suite of products in the internet security space.
- Integrations – It natively integrates with external identity providers, or even email-based one-time passcodes, and also lets me add further conditions (e.g. “must be connecting from the UK”, “must be from a WARP-registered device”, etc.).
- Low-Cost – It’s free for up to 50 users, which, as this website is just me, works pretty well.
Easier than you think
To start, I needed a domain. Easy tick: I have several (including the one you’re using).
As Authentik is my identity provider, I could follow its documentation for integrating with Cloudflare via OAuth2.
To allow Zero Trust to kick in, you need to proxy the website through Cloudflare’s network. This was already done, as the website is hosted through a Cloudflare Tunnel.
You can then create your access policies, defining what must be true to allow (or, indeed, to deny) access to your dashboard. Once you have those, you attach them to an application, which includes things like domains and paths to protect.
Give it a few seconds to sync across the Cloudflare network, and (assuming everything has been configured correctly) visiting your admin page should now prompt for external OAuth2 authentication before the WordPress login page is presented.
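To make the policy step concrete, here is an added example (not code from this post or from Cloudflare) that models how the three rule groups of a single Access policy combine: Cloudflare documents that a request must match at least one Include rule, every Require rule and no Exclude rule, and that a request matching no Allow policy is denied. The rule selector names, identity fields and sample identities are constructed for illustration.

```python
"""Added example (not code from the post or from Cloudflare): how the rule
groups of one Cloudflare Access policy compose. Cloudflare documents that a
request matches when it satisfies at least one Include rule, every Require
rule and no Exclude rule; a request matching no Allow policy is denied.
Identity fields, rule selector names and sample identities are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    email: str
    country: str        # ISO 3166 code derived from the connecting IP
    login_method: str   # e.g. "authentik-oidc" or "email-otp"
    warp_device: bool   # request arrived from a WARP-registered device

# Rule selectors: how each rule type reads the identity (constructed names).
SELECTORS = {
    "email": lambda i: i.email,
    "email_domain": lambda i: i.email.rsplit("@", 1)[-1],
    "geo": lambda i: i.country,
    "login_method": lambda i: i.login_method,
    "warp": lambda i: i.warp_device,
}

def rule_matches(rule, identity):
    """A rule is (selector, expected); a list of expected values matches on membership."""
    selector, expected = rule
    actual = SELECTORS[selector](identity)
    return actual in expected if isinstance(expected, (list, tuple, set)) else actual == expected

@dataclass
class Policy:
    name: str
    include: list                                   # ANY of these must match
    require: list = field(default_factory=list)     # ALL of these must match
    exclude: list = field(default_factory=list)     # NONE of these may match

def policy_matches(policy, identity):
    return (any(rule_matches(r, identity) for r in policy.include)
            and all(rule_matches(r, identity) for r in policy.require)
            and not any(rule_matches(r, identity) for r in policy.exclude))

def decide(allow_policies, identity):
    """Access denies by default: only a matching Allow policy opens the admin page."""
    return "allow" if any(policy_matches(p, identity) for p in allow_policies) else "block"

# Constructed policy mirroring the post: my domain, via the IdP, from the UK, on WARP.
WP_ADMIN = Policy("wp-admin", include=[("email_domain", "example.com")],
                  require=[("geo", ["GB"]), ("login_method", "authentik-oidc"), ("warp", True)],
                  exclude=[("email", "shared@example.com")])
```

Calling `decide([WP_ADMIN], Identity("me@example.com", "GB", "authentik-oidc", True))` returns `"allow"`, while the same identity connecting from another country, via email OTP, or without WARP is blocked, as is the excluded shared mailbox even though it satisfies every Include and Require rule.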