- Intro
- Mistakes / Contribute / Sponsor
- Cloudflare News Items of Importance
- Argo Tiered Cache Free to All
- Cloudflare WordPress APO
- Cloudflare Free Plan
- Missing Features
- WordPress Firewall Rules
- Cloudflare Firewall Resources
- Common Cloudflare Firewall Rules
- Block Bad Bots (Huge Rules)
- Aggressive Firewall Rules (Whitelist Admin Logins by IP)
- Bad Content and User Agents Firewall Rules
- Cloudflare Pro Plan
- Cloudflare Access
- Cloudflare Tools
- Cloudflare Workers
- Cloudflare Worker Scripts
- Cloudflare Features
Intro
This page covers Cloudflare, its offerings, and how to use it with WordPress.
Mistakes / Contribute / Sponsor
Cloudflare News Items of Importance
Argo Tiered Cache Free to All
More news here https://blog.cloudflare.com/orpheus/
Cloudflare WordPress APO
Nothing here yet; the plan is to compare APO with the Pro plan.
Cloudflare Free Plan
Missing Features
When you sign up for the free plan on Cloudflare, you won't have access to a number of features. Here are some important ones. Please note this list might be out of date.
- Managed Rules
- Raw Logs
- WordPress APO
- Superbots
- +More...
WordPress Firewall Rules
Since Managed Rules aren't available in the free plan, you'll need to create custom rules to protect your WordPress site on Cloudflare.
Below are some examples I've collected. You can create these rules in two ways: either through the expression builder, using the drop-downs, or by clicking "Edit Expression", pasting the rule, and then setting the action with the drop-down. Below is a screenshot of where "Edit Expression" is located.
Cloudflare Firewall Resources
Common Cloudflare Firewall Rules
These rules are pretty common and are generally safe to apply. Always read the Expression Preview before saving: two "does not equal" country conditions must be joined with and, not or, because "not US or not CA" is true for every visitor and would lock out your own admins.
Tag | Field | Operator | Value | Action | Expression Preview |
---|---|---|---|---|---|
security | URI Path | contains | /xmlrpc.php | block | (http.request.uri.path contains "/xmlrpc.php") |
securitycountry | URI | contains | wp-login.php | and | (http.request.uri contains "wp-login.php" and not ip.geoip.country in {"CA"}) |
 | Country | is not in | Canada | captcha | |
bots | User Agent | contains | semrush | or | (http.user_agent contains "semrush") or (http.user_agent contains "ahrefs") or (http.user_agent contains "opensite") or (http.user_agent contains "dotbot") |
 | User Agent | contains | ahrefs | or | |
 | User Agent | contains | opensite | or | |
 | User Agent | contains | dotbot | block | |
security | URI Path | contains | /xmlrpc.php | or | ((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) |
 | URI Path | contains | /wp-login.php | or | |
 | URI Path | contains | /wp-admin/ | and | |
 | URI Path | does not contain | /wp-admin/admin-ajax.php | and | |
 | URI Path | does not contain | /wp-admin/theme-editor.php | captcha | |
securitycountry | Country | equals | Russian Federation | or | (ip.geoip.country eq "RU") or (ip.geoip.country eq "HK") |
 | Country | equals | Hong Kong | block | |
securitycountry | Country | does not equal | United States | and | (ip.geoip.country ne "US") and (ip.geoip.country ne "CA") |
 | Country | does not equal | Canada | block | |
security | Threat Score | greater than or equal to | 10 | captcha | (cf.threat_score ge 10) |
security | Threat Score | greater than or equal to | 20 | block | (cf.threat_score ge 20) |
Block Bad Bots (Huge Rules)
Tag | Expression Preview |
---|---|
bots | (http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot) |
security | (http.user_agent contains "?%00") or (http.user_agent contains "/bin/") or (lower(http.user_agent) contains "curl") or (http.user_agent contains "echo ") or (http.user_agent contains "eval(") or (http.user_agent contains "wget ") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "ALittle") or (http.user_agent contains "baidu") or (http.user_agent contains "coccocbot") or (http.user_agent contains "DavClnt") or (http.user_agent contains "DnyzBot") or (http.user_agent contains "DotBot") or (http.user_agent contains "GRequest") or (http.user_agent contains "Hello") or (http.user_agent contains "http-client") or (http.user_agent contains "nowledge") or (http.user_agent contains "Lua") or (http.user_agent contains "mail.ru") or (http.user_agent contains "My User Agent") or (http.user_agent contains "NetSystemsResearch") or (http.user_agent contains "Nikto") or (http.user_agent contains "Nimbostratus") or (http.user_agent contains "PetalBot") or (lower(http.user_agent) contains "python") or (http.user_agent contains "ReactorNetty") or (http.user_agent contains "RestSharp") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SeznamBot") or (http.user_agent contains "Sogou") or (http.user_agent contains "spbot") or (http.user_agent contains "Uptimebot") or (http.user_agent contains "WebDAV-MiniRedir") or (http.user_agent contains "WinHttp.WinHttpRequest") or (http.user_agent contains "YandexBot") or (http.user_agent contains "ZmEu") |
Aggressive Firewall Rules (Whitelist Admin Logins by IP)
If you wish to go a step further, you can whitelist admins by IP and create more aggressive firewall rules. This may cause issues for admin users whose IP addresses change frequently.
Credit goes to https://turbofuture.com/internet/Cloudflare-Firewall-Rules-for-Securing-WordPress for these rules.
Note: you can apply the above rules in addition to the rules below.
Tag | Field | Operator | Value | Action | Expression Preview |
---|---|---|---|---|---|
securityagressive | URI Path | contains | /wp-admin/ | and | (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php") |
 | URI Path | does not contain | /wp-admin/admin-ajax.php | and | |
 | URI Path | does not contain | /wp-admin/theme-editor.php | block | |
securityagressive | URI Path | contains | /wp-login.php | block | (http.request.uri.path contains "/wp-login.php") |
securityagressive | URI Path | contains | /wp-content/plugins/ | and | (http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "yoursite.com" and not cf.client.bot) |
 | Referer | does not contain | yoursite.com (your domain) | and | |
 | Known Bots | | | block | |
securityagressive | URI Path | equals | /wp-comments-post.php | and | (http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "yoursite.com") |
 | Request Method | equals | POST | and | |
 | Referer | does not contain | yoursite.com (your domain) | block | |
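The Expression Preview column in the three tables above (the common rules, the huge bot rules and the aggressive rules) is what Cloudflare actually evaluates, so it pays to run an expression against a few representative requests before setting its action to block. The following is an added example, not code from this page or from Cloudflare: a small Python evaluator for the subset of Cloudflare's expression language these rules use (contains, eq, ne, in, ge, gt, and/or/not, lower(), set literals such as {"CA"} and boolean fields such as cf.client.bot). The sample requests and the rule names are constructed; the field names are Cloudflare's and the expressions are copied from the tables, with the country allowlist included in both its "or" and its "and" form.

```python
# Added example, not Cloudflare's code: an offline evaluator for the subset of Cloudflare's
# firewall expression language that the rules on this page use.
import re

TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\d+)|([A-Za-z_][\w.]*)|([(){}])')  # string | int | word | punct
OPS = {"contains": lambda a, b: b in a, "eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
       "in": lambda a, b: a in b, "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b}


def tokenize(src):
    if leftover := TOKEN_RE.sub("", src).strip():  # anything unmatched is outside the supported subset
        raise SyntaxError(f"unsupported input: {leftover!r}")
    return [(("str", "num", "word", "punct")[m.lastindex - 1],
             int(m.group(2)) if m.lastindex == 2 else m.group(m.lastindex)) for m in TOKEN_RE.finditer(src)]


def parse(toks, level=0):  # precedence not > and > or: level 0 = or-chains, 1 = and-chains, 2 = unary
    node = parse_unary(toks) if level == 2 else parse(toks, level + 1)
    while level < 2 and toks and toks[0] == ("word", ("or", "and")[level]):
        node = (toks.pop(0)[1], node, parse(toks, level + 1))
    return node


def expect(toks, tok):  # consume exactly the given token or fail
    if not toks or toks[0] != tok:
        raise SyntaxError(f"expected {tok}, got {toks[:1]}")
    toks.pop(0)


def parse_unary(toks):
    if not toks:
        raise SyntaxError("unexpected end of expression")
    if toks[0] == ("word", "not"):
        toks.pop(0)
        return ("not", parse_unary(toks))
    if toks[0] == ("punct", "("):
        toks.pop(0)
        node = parse(toks)
        expect(toks, ("punct", ")"))
        return node
    name, transform = toks.pop(0)[1], None
    if name == "lower":  # lower(field)
        expect(toks, ("punct", "("))
        name, transform = toks.pop(0)[1], "lower"
        expect(toks, ("punct", ")"))
    if toks and toks[0][0] == "word" and toks[0][1] in OPS:
        return ("cmp", toks.pop(0)[1], transform, name, parse_value(toks))
    return ("bool", transform, name)  # bare boolean field such as cf.client.bot


def parse_value(toks):
    kind, val = toks.pop(0)
    if kind != "punct":
        return val  # string or integer literal
    items = set()  # set literal such as {"CA" "US"}
    while toks[0] != ("punct", "}"):
        items.add(toks.pop(0)[1])
    toks.pop(0)
    return items


def evaluate(node, req):
    kind = node[0]
    if kind in ("or", "and"):  # short-circuit like Python's own operators
        left = evaluate(node[1], req)
        return (left or evaluate(node[2], req)) if kind == "or" else (left and evaluate(node[2], req))
    if kind == "not":
        return not evaluate(node[1], req)
    transform, name = node[1:3] if kind == "bool" else node[2:4]
    value = req.get(name, 0 if name == "cf.threat_score" else "")  # absent fields read as empty
    value = value.lower() if transform == "lower" else value
    return bool(value) if kind == "bool" else OPS[node[1]](value, node[4])


def matches(expression, request):
    """True if the Cloudflare expression fires for a request given as a field -> value dict."""
    toks = tokenize(expression)
    node = parse(toks)
    if toks:
        raise SyntaxError(f"trailing tokens: {toks}")
    return evaluate(node, request)


REQUESTS = {  # constructed sample requests (not real traffic), keyed by Cloudflare field name
    "admin from CA": {"http.request.uri": "/wp-login.php", "http.user_agent": "Mozilla/5.0 Firefox/115.0",
                      "ip.geoip.country": "CA"},
    "Googlebot": {"http.request.uri": "/", "http.user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1)",
                  "ip.geoip.country": "US", "cf.client.bot": True},
    "probe from DE": {"http.request.uri": "/wp-login.php", "http.user_agent": "Python-urllib/3.11",
                      "ip.geoip.country": "DE", "cf.threat_score": 25},
}
RULES = {  # expressions from the tables above; the two allowlist forms show why the join operator matters
    "login captcha": '(http.request.uri contains "wp-login.php" and not ip.geoip.country in {"CA"})',
    "allowlist with or": '(ip.geoip.country ne "US") or (ip.geoip.country ne "CA")',
    "allowlist with and": '(ip.geoip.country ne "US") and (ip.geoip.country ne "CA")',
    "bad bots": '(http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not '
                'http.user_agent contains "Google" and not cf.client.bot) or (lower(http.user_agent) contains "python")',
    "threat score": "(cf.threat_score ge 20)",
}
```

matches(RULES["allowlist with or"], REQUESTS["admin from CA"]) returns True: the "or" form fires for the Canadian admin, and in fact for every visitor, because any country differs from at least one of US and CA. The "and" form returns False for the same request and True for the probe from DE. The bot rule does not fire for the Googlebot sample because cf.client.bot is set, and it does fire for the Python probe through the lower() clause. Any operator outside the supported subset (for example `==`) raises SyntaxError rather than silently evaluating to something.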
Bad Content and User Agents Firewall Rules
The two large rules in the Block Bad Bots (Huge Rules) section above block specific content and user agents. Be careful with these, as they might produce issues and false positives.
Cloudflare Pro Plan
Need to flesh this out.
Cloudflare Access
Hoping to discuss how to develop locally but allow for external access for review.
Cloudflare Tools
- Remove all DNS Records for Zone - https://medium.com/@quentinrozados/how-to-remove-all-cloudflare-dns-bulk-remove-93bd2a0366ba