Cloudflare Zero Trust is nifty

Cloudflare Zero Trust (free for up to 50 users) is a great idea for people who run their sites through Cloudflare.

Among other things, it can be used to secure access to certain pages of your site without making changes to the site itself. As an example, the Bookmarks page on this site contains my list of sites and services I access often, so it is usually set as my home page.

The Problem

So it’s all good and well to have a bookmarks list I can access from any browser, but it contains some stuff that isn’t for public view. Access to the page should be limited to me alone.

Solution 1 (not that great)

My first solution was to make the page Private in WordPress, which works just fine but has one small problem. If the browser I’m opening it in isn’t logged in to my WordPress, I first have to go to the WordPress admin URL and log in. So that’s a manual edit in the address bar. Then I have to either edit the address bar again to get to my bookmarks page, or click through a couple of times to view the page.

It works, but it’s not ideal.

Solution 2 (this one is nifty)

So here’s what I did. I created a Self Hosted Application in Zero Trust with the URL of my Bookmarks page and limited the access to just my Zero Trust accounts (one OTP based and one Gmail). Then I changed the page to Public in WordPress.

Now, when I go to the bookmarks page in a browser, one of two things can happen:

If the browser I’m using is logged in to Zero Trust, the page just opens regardless of whether I’m logged in to WordPress.

If the browser I’m using isn’t logged in to Zero Trust, I get presented with the Cloudflare Zero Trust authentication page. Once I autherticate, the Bookmarks page opens.

Of course, to secure my site a bit further, I also did this for the WordPress Admin URL, so it’s not as easy for people to run dictionary attacks against my site’s admin interface.

Also see