Securing wp-login through .htaccess behind CloudFlare or CDN

One of the common steps taken to secure a WordPress installation is to restrict access to wp-login.php using .htaccess rules. The rules list the networks that are allowed to log in to the website and block everything else.

For example, this would restrict access to wp-login.php for all networks except for 192.1.1.1 and 192.2.2.2:

# Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat
<Files wp-login.php>
order deny,allow
deny from all
allow from 192.1.1.1
allow from 192.2.2.2
</Files>

But this won’t work when the website is connected through CloudFlare, because all requests reach the server from the CloudFlare network and Apache sees a CloudFlare address as the client instead of the visitor's.

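Instead, you can match on the X-Forwarded-For header, in which CloudFlare passes the visitor's address. The header is only trustworthy if the server accepts connections from CloudFlare alone; a request that reaches the server directly can carry any header value.

# Match only the last X-Forwarded-For entry (the one CloudFlare appends), dots escaped
SetEnvIf X-Forwarded-For (^|[,\s])192\.1\.1\.1$ allow
SetEnvIf X-Forwarded-For (^|[,\s])192\.2\.2\.2$ allow
<Files wp-login.php>
order deny,allow
deny from all
allow from env=allow
</Files>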
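A quick way to check SetEnvIf patterns like these before deploying them, as an added example that is not part of the original post: it renders the directives for an allowlist and compares a bare-address pattern with an anchored, dot-escaped one over constructed header values. Python's re module stands in for Apache's regex engine, and the function names and sample headers are assumptions made for the illustration.

```python
import re

ALLOWED = ["192.1.1.1", "192.2.2.2"]  # the two addresses used in the article

def loose_pattern(ip):
    # Bare address as the pattern: unanchored, and "." matches any character.
    return ip

def strict_pattern(ip):
    # Dots escaped, and the address must be the last entry of the header,
    # which is the hop appended by the CDN.
    return r"(^|[,\s])" + re.escape(ip) + "$"

def setenvif_lines(ips, make_pattern=strict_pattern):
    """Render one SetEnvIf directive per allowed address."""
    return ["SetEnvIf X-Forwarded-For %s allow" % make_pattern(ip) for ip in ips]

def is_allowed(header, ips, make_pattern):
    """Mimic SetEnvIf: 'allow' is set if any pattern matches somewhere in the value."""
    return any(re.search(make_pattern(ip), header) for ip in ips)

# Constructed X-Forwarded-For values, each with the decision the rule should reach.
SAMPLES = [
    ("192.1.1.1", True),                 # allowed visitor, no earlier hops
    ("10.0.0.5, 192.2.2.2", True),       # allowed visitor is the last hop
    ("192.1.1.10", False),               # different host sharing a prefix
    ("192.1.1.1, 203.0.113.7", False),   # visitor-supplied entry, real hop is last
]

def audit(make_pattern):
    """Return the sample headers where the rule's decision differs from the expected one."""
    return [h for h, expected in SAMPLES
            if is_allowed(h, ALLOWED, make_pattern) != expected]

if __name__ == "__main__":
    print("bare pattern gets these wrong:    ", audit(loose_pattern))
    print("anchored pattern gets these wrong:", audit(strict_pattern))
    print("\n".join(setenvif_lines(ALLOWED)))
```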