We’re actively acquiring WordPress agencies. Sell your WordPress business to Freshy.
Let’s discuss

How to fix Cloudflare blocking access to the WordPress admin

Nathan Chapman

Cloudflare is a powerful security and performance tool for WordPress sites, but overly strict firewall or Web Application Firewall (WAF) rules can sometimes prevent legitimate users from accessing the site’s backend. We recently worked with a client who kept encountering Cloudflare critical error screens when attempting to log in and edit their WordPress site, even though the site frontend was working normally.

Here’s how we identified and fixed the issue.

Issue Background

The client reported that multiple team members, using different devices, were being blocked when attempting to log into the WordPress admin.

Symptoms included:

  • Cloudflare “critical error” page displayed instead of the dashboard.
  • Errors persisted even after clearing caches, logging out, and testing in private/incognito mode.
  • The issue was reproducible for more than one team member, ruling out a local browser problem.

Diagnosis

Our investigation revealed:

  • The Cloudflare block was not due to WordPress itself, but Cloudflare’s Web Application Firewall (WAF) filtering requests.
  • The affected users were connecting through a VPN. Cloudflare was flagging their VPN IP addresses as suspicious and blocking access.
  • Other users without VPN enabled were able to access the backend without issues.

Resolution Steps

We took the following steps to restore access:

  1. Replicated the issue: Confirmed that the block only occurred for users connecting through specific VPN IP addresses.
  2. Cloudflare security settings: With access from the client’s CTO, we navigated to:
    • Cloudflare Dashboard → Security → WAF
    • Added the VPN IP addresses to the allowlist.
  3. Verified with multiple users: After whitelisting, we tested again with three different users on different connections. All were able to log into WordPress without encountering the Cloudflare block.
  4. Documented future-proofing: Advised the client to:
    • Maintain an up-to-date list of VPN IP addresses.
    • Use Cloudflare’s “Allow” rules instead of temporarily disabling protections.
    • If issues persist, set up Cloudflare Access policies to define trusted networks for admin access.

Final Outcome

By adjusting the Cloudflare firewall settings, legitimate users regained consistent access to the WordPress backend without disabling important security features.

This fix balanced security (keeping Cloudflare’s protections in place) with usability (ensuring that authorized editors can always log in).

If your team is experiencing login issues or Cloudflare is blocking access to your WordPress site, contact Freshy for expert support in configuring Cloudflare for both security and usability.

Nathan Chapmanhttps://freshysites.com/team/nathan-chapman/
Nathan was raised both a computer nerd and a musician. After receiving a bachelors degree in classical music (and quickly realizing it wasn’t an ideal career choice), he began to work in web development. With over 5 years of experience, he’s seen just about everything WordPress has to offer, and is always looking to learn more. He loves solving puzzles, building web pages, and custom coding anything he can think of. Although Boston born, he spends most of his time south of the border in Monterrey; the tacos are just impossible to give up.

See our featured website design work

Check out some of the beautiful websites we’ve built for over 2,000 clients.

View projects

We offer WordPress support & maintenance

Shake the stress of ongoing maintenance with plans supported by our team of WordPress experts.

Learn more
Previous Post
How to fix WooCommerce product filter issues by replacing outdated plugins
Next Post
Case study: fixing missing featured images on WordPress location pages