<![CDATA[Servers used to run WordPress-based web applications face serious challenges due to a wide attack surface, especially when backend and SSH access are exposed to the public. This study designs and implements an access protection architecture for servers and websites by combining Cloudflare proxy, Virtual Private Network (VPN), and Web Application Firewall (WAF) to mitigate these risks. An experimental method is employed by building a simulated LAMP and WordPress-based infrastructure on two Virtual Private Servers (VPS), where all public traffic is routed through Cloudflare and administrative access is strictly limited to VPN tunnels. The test results show that the proposed architecture effectively eliminates unauthorized access to backend pages and SSH services without disrupting public access to the website. This approach demonstrates that a simple layered defense strategy can be practically applied to enhance server security while providing a protection model that can be replicated for similar infrastructures.]]>
