- Intro
- Mistakes / Contribute / Sponsor
- Cloudflare News Items of Importance
- Argo Tiered Cache Free to All
- Cloudflare WordPress APO
- Cloudflare Free Plan
- Missing Features
- WordPress Firewall Rules
- Cloudflare Firewall Resources
- Common Cloudflare Firewall Rules
- Block Bad Bots (Huge Rules)
- Aggressive Firewall Rules (Whitelist Admin Logins by IP)
- Bad Content and User Agents Firewall Rules
- Cloudflare Pro Plan
- Cloudflare Access
- Cloudflare Tools
- Cloudflare Workers
- Cloudflare Worker Scripts
- Cloudflare Features
Intro
This page talks about Cloudflare, its offerings, and how to use it with WordPress.
Mistakes / Contribute / Sponsor
Cloudflare News Items of Importance
Argo Tiered Cache Free to All
More news here https://blog.cloudflare.com/orpheus/
Cloudflare WordPress APO
Nothing here yet. Hopefully discuss APO vs Pro plan.
Cloudflare Free Plan
Missing Features
When you sign up for the free plan on Cloudflare, you won't have access to a number of features. Here are some important ones. Please note this list might be out of date.
- Managed Rules
- Raw Logs
- WordPress APO
- Superbots
- +More...
WordPress Firewall Rules
Since Managed Rules aren't available in the free plan, you'll need to create custom rules to protect your WordPress site on Cloudflare.
Below are some examples I've collected. You can create these rules in two ways: either through the expression builder, using the drop-downs, or by clicking "Edit Expression", pasting the rule, and then setting the action with the drop-down. Below is a screenshot of where "Edit Expression" is located.
Cloudflare Firewall Resources
Common Cloudflare Firewall Rules
These rules are pretty common and are generally safe to apply.
Name | Tag | Conditions (Field, Operator, Value) | Action | Expression Preview |
---|---|---|---|---|
Block xml-rpc Attacks | security | URI Path contains /xmlrpc.php | block | (http.request.uri.path contains "/xmlrpc.php") |
Block Non-Local Logins | security, country | URI contains wp-login.php, and Country is not in Canada | captcha | (http.request.uri contains "wp-login.php" and not ip.geoip.country in {"CA"}) |
Block SEO Crawlers | bots | User Agent contains semrush, or User Agent contains ahrefs, or User Agent contains opensite, or User Agent contains dotbot | block | (http.user_agent contains "semrush") or (http.user_agent contains "ahrefs") or (http.user_agent contains "opensite") or (http.user_agent contains "dotbot") |
Add Captcha to Important Pages | security | URI Path contains /xmlrpc.php, or URI Path contains /wp-login.php, or (URI Path contains /wp-admin/ and URI Path does not contain /wp-admin/admin-ajax.php and URI Path does not contain /wp-admin/theme-editor.php) | captcha | ((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) |
Block Specific Countries | security, country | Country equals Russian Federation, or Country equals Hong Kong | block | (ip.geoip.country eq "RU") or (ip.geoip.country eq "HK") |
Block All Countries Except | security, country | Country does not equal United States, and Country does not equal Canada | block | (ip.geoip.country ne "US") and (ip.geoip.country ne "CA") |
Require Captcha for Threat Score of 10 | security | Threat Score greater than or equal to 10 | captcha | (cf.threat_score ge 10) |
Block Threat Score greater than 20 | security | Threat Score greater than or equal to 20 | block | (cf.threat_score ge 20) |
Note: the two conditions in "Block All Countries Except" must be joined with "and". Joined with "or", every visitor satisfies at least one of them (no country is both US and CA), so the rule would block everyone. The "ge" operator in the expression previews means "greater than or equal to", which is the operator to pick in the builder.
Block Bad Bots (Huge Rules)
Name | Tag | Action | Expression Preview |
---|---|---|---|
Block Bad Bots (Large List) | bots | block | (http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot) |
Block Bad Requests (Large) | security | block | See the full expression below the table. |
Block Bad Requests (Large) expression:
(http.user_agent contains "?%00") or
(http.user_agent contains "/bin/") or
(lower(http.user_agent) contains "curl") or
(http.user_agent contains "echo ") or
(http.user_agent contains "eval(") or
(http.user_agent contains "wget ") or
(http.user_agent contains "AhrefsBot") or
(http.user_agent contains "ALittle") or
(http.user_agent contains "baidu") or
(http.user_agent contains "coccocbot") or
(http.user_agent contains "DavClnt") or
(http.user_agent contains "DnyzBot") or
(http.user_agent contains "DotBot") or
(http.user_agent contains "GRequest") or
(http.user_agent contains "Hello") or
(http.user_agent contains "http-client") or
(http.user_agent contains "nowledge") or
(http.user_agent contains "Lua") or
(http.user_agent contains "mail.ru") or
(http.user_agent contains "My User Agent") or
(http.user_agent contains "NetSystemsResearch") or
(http.user_agent contains "Nikto") or
(http.user_agent contains "Nimbostratus") or
(http.user_agent contains "PetalBot") or
(lower(http.user_agent) contains "python") or
(http.user_agent contains "ReactorNetty") or
(http.user_agent contains "RestSharp") or
(http.user_agent contains "Scrapy") or
(http.user_agent contains "SeznamBot") or
(http.user_agent contains "Sogou") or
(http.user_agent contains "spbot") or
(http.user_agent contains "Uptimebot") or
(http.user_agent contains "WebDAV-MiniRedir") or
(http.user_agent contains "WinHttp.WinHttpRequest") or
(http.user_agent contains "YandexBot") or
(http.user_agent contains "ZmEu")
Aggressive Firewall Rules (Whitelist Admin Logins by IP)
If you wish to go a step further, you can whitelist admins by IP and create more aggressive firewall rules. This may cause issues for admin users whose IP addresses change frequently.
Credit goes to https://turbofuture.com/internet/Cloudflare-Firewall-Rules-for-Securing-WordPress for these rules.
Note: you can apply the above rules in addition to the rules below.
Name | Tag | Conditions (Field, Operator, Value) | Action | Expression Preview |
---|---|---|---|---|
Protect the wp-admin Area | security, aggressive | URI Path contains /wp-admin/, and URI Path does not contain /wp-admin/admin-ajax.php, and URI Path does not contain /wp-admin/theme-editor.php | block | (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php") |
Block Admin Logins not from Whitelisted IP | security, aggressive | URI Path contains /wp-login.php | block | (http.request.uri.path contains "/wp-login.php") |
Block No-Referer Requests to Plugins | security, aggressive | URI Path contains /wp-content/plugins/, and Referer does not contain yoursite.com (your domain), and not Known Bots | block | (http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "yoursite.com" and not cf.client.bot) |
Block access to wp-comments-post.php | security, aggressive | URI Path equals /wp-comments-post.php, and Request Method equals POST, and Referer does not contain yoursite.com (your domain) | block | (http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "yoursite.com") |
Note: the expressions for "Protect the wp-admin Area" and "Block Admin Logins not from Whitelisted IP" contain no IP condition, so on their own they block every request to those paths, including yours. They only work together with the admin IP whitelist mentioned above; put the whitelist in place first, and test from a non-whitelisted address before relying on them.
Bad Content and User Agents Firewall Rules
These are large rules that block specific content and user agents. Be careful with these, as they might cause issues and false positives. The rules themselves, Block Bad Bots (Large List) and Block Bad Requests (Large), are listed above under Block Bad Bots (Huge Rules) and are not repeated here.
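Both the common rules and the large user-agent lists above are easiest to sanity-check before they go live. The following is an added example, not code from this page's sources or from Cloudflare: a small Python evaluator for the subset of the firewall expression language these rules use, so a rule can be dry-run against constructed requests. It shows, for instance, that "Block All Countries Except" must join its two conditions with "and" (with "or" every visitor matches), and that a verified crawler escapes the large bot list only because of the "not cf.client.bot" guard. The field names are Cloudflare's; the request dicts are constructed samples.

```python
import re

# Added example (not Cloudflare's engine): a dry-run evaluator for the subset of the firewall
# expression language used by the rules on this page (contains/eq/ne/in/ge, lower(), and/or/not).
TOKEN = re.compile(r'\s*(?:("[^"]*")|(\{[^}]*\})|(\d+)|([A-Za-z_][\w.]*)|([()]))')
CMP = {"contains": lambda a, b: b in a, "eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
       "in": lambda a, b: a in b, "ge": lambda a, b: a >= b, "gt": lambda a, b: a > b}

def tokenize(expr):
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m: raise ValueError(f"bad token near {expr[pos:pos + 20]!r}")
        pos = m.end()
        toks.append(next(g for g in m.groups() if g is not None))
    return toks

def evaluate(expression, req):
    """True if req (a dict keyed by Cloudflare field name) matches the rule expression."""
    toks = tokenize(expression)
    peek = lambda: toks[0] if toks else None
    def take(expected=None):            # consume one token, optionally checking which one
        tok = toks.pop(0) if toks else None
        if expected not in (None, tok): raise ValueError(f"expected {expected!r}, got {tok!r}")
        return tok
    def chain(op, sub):                 # left-assoc 'or' / 'and' chain; precedence not > and > or
        v = sub()
        while peek() == op:
            take(); r = sub(); v = (v or r) if op == "or" else (v and r)
        return v
    def p_not():
        if peek() == "not":
            take(); return not p_not()
        left = value()                  # comparison: <field> <op> <literal>, or a bare bool field
        return CMP[take()](left, value()) if peek() in CMP else left
    def value():
        t = take()
        if t is None: raise ValueError("unexpected end of expression")
        if t == "(":
            v = chain("or", lambda: chain("and", p_not)); take(")"); return v
        if t == "lower":
            take("("); v = value(); take(")"); return v.lower()
        if t.startswith('"'):
            return t[1:-1]
        if t.startswith("{"):           # set literal such as {"CA" "US"}
            return {s.strip('"') for s in t[1:-1].split()}
        return int(t) if t.isdigit() else req.get(t, "")   # absent field reads as empty/false

    result = chain("or", lambda: chain("and", p_not))
    if toks: raise ValueError("unexpected token " + toks[0])
    return bool(result)
```

A field missing from the request dict reads as empty/false, so pass cf.client.bot explicitly when you want to see the verified-bot exemption in the large bot list take effect.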
Cloudflare Pro Plan
Need to flesh this out.
Cloudflare Access
Hoping to discuss how to develop locally but allow for external access for review.
Cloudflare Tools
- Remove all DNS Records for Zone - https://medium.com/@quentinrozados/how-to-remove-all-cloudflare-dns-bulk-remove-93bd2a0366ba