Cloudflare

Intro

This page talks about Cloudflare and its offerings and how to use it with WordPress.

Mistakes / Contribute / Sponsor

If any of the information is incorrect, or you would like to contribute to this article, please email us via our contact form or email address!

If you found this article useful, please consider sponsoring our site!

Cloudflare News Items of Importance

Argo Tiered Cache Free to All

Cloudflare WordPress APO

Nothing here yet. Hopefully discuss APO vs Pro plan.

Cloudflare Free Plan

Missing Features

When you sign up for the free plan on Cloudflare, you won't have access to a number of features. Here are some important ones. Please note this list might be out of date.

  • Managed Rules
  • Raw Logs
  • WordPress APO
  • Superbots
  • +More...

WordPress Firewall Rules

Since Managed Rules aren't available in the free plan, you'll need to create custom rules to protect your WordPress site on Cloudflare.

Below are some examples I've collected. You can create these rules in two ways: either through the expression builder, with drop-downs, or by clicking "Edit Expression", pasting the rule, and then setting the action with the drop-down. Below is a screenshot of where the "Edit Expression" link is located.

[Screenshot: Cloudflare Firewall Rules editor, showing the "Edit Expression" link]

Cloudflare Firewall Resources

Common Cloudflare Firewall Rules

These rules are pretty common and are generally safe to apply.

Common Rules

Block xml-rpc Attacks
  • Tag: security
  • Match: URI Path contains /xmlrpc.php
  • Action: block
  • Expression: (http.request.uri.path contains "/xmlrpc.php")

Block Non-Local Logins
  • Tags: security, country
  • Match: URI contains wp-login.php AND Country is not in Canada
  • Action: captcha
  • Expression: (http.request.uri contains "wp-login.php" and not ip.geoip.country in {"CA"})

Add Captcha to Important Pages
  • Tag: security
  • Match: URI Path contains /xmlrpc.php OR URI Path contains /wp-login.php OR (URI Path contains /wp-admin/ AND URI Path does not contain /wp-admin/admin-ajax.php AND URI Path does not contain /wp-admin/theme-editor.php)
  • Action: captcha
  • Expression: ((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php"))

Block Specific Countries
  • Tags: security, country
  • Match: Country equals Russian Federation OR Country equals Hong Kong
  • Action: block
  • Expression: (ip.geoip.country eq "RU") or (ip.geoip.country eq "HK")

Block All Countries Except
  • Tags: security, country
  • Match: Country does not equal United States AND Country does not equal Canada
  • Action: block
  • Expression: (ip.geoip.country ne "US") and (ip.geoip.country ne "CA")
  • Note: the two tests must be joined with "and". Joined with "or", every request satisfies at least one of them (a US visitor is "ne CA", a Canadian visitor is "ne US"), so the rule would block all traffic.

Require Captcha for Threat Score of 10
  • Tag: security
  • Match: Threat Score greater than or equal to 10
  • Action: captcha
  • Expression: (cf.threat_score ge 10)

Block Threat Score greater than 20
  • Tag: security
  • Match: Threat Score greater than or equal to 20
  • Action: block
  • Expression: (cf.threat_score ge 20)

Block SEO Crawlers
  • Tag: bots
  • Match: User Agent contains semrush OR User Agent contains ahrefs OR User Agent contains opensite OR User Agent contains dotbot
  • Action: block
  • Expression: (http.user_agent contains "semrush") or (http.user_agent contains "ahrefs") or (http.user_agent contains "opensite") or (http.user_agent contains "dotbot")
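Cloudflare has no offline simulator for these expressions, so the cheapest way to catch a logic mistake before a rule goes live is to transcribe each expression into a predicate and run constructed requests through it. The script below is an added example (not code from the original page or from Cloudflare): it mirrors the Common Rules above as Python functions over a request dict, evaluates them first-match in an assumed order (blocks before captchas), and compares the `or` and `and` forms of the Block All Countries Except expression, showing that the `or` form matches every country code. The request samples, the country list and the rule order are all constructed for the example.

```python
"""Offline check of the Common Cloudflare Firewall Rules logic.

Constructed example, not Cloudflare code: every expression from the page is
transcribed into a Python predicate over a request dict so the boolean logic
can be exercised locally.  Keys mirror the Cloudflare fields the page uses:
path -> http.request.uri.path, country -> ip.geoip.country,
ua -> http.user_agent, threat -> cf.threat_score.
"""

# Constructed sample requests (all values invented for the example).
REQUESTS = {
    "us_homepage": {"path": "/", "country": "US", "ua": "Mozilla/5.0 Firefox/120.0", "threat": 0},
    "ca_login":    {"path": "/wp-login.php", "country": "CA", "ua": "Mozilla/5.0 Chrome/120.0", "threat": 3},
    "de_login":    {"path": "/wp-login.php", "country": "DE", "ua": "Mozilla/5.0 Chrome/120.0", "threat": 15},
    "ru_xmlrpc":   {"path": "/xmlrpc.php", "country": "RU", "ua": "python-requests/2.31", "threat": 25},
    "us_ajax":     {"path": "/wp-admin/admin-ajax.php", "country": "US", "ua": "Mozilla/5.0", "threat": 0},
}

# The page's expressions as predicates.  `contains` is a substring test.
def block_xmlrpc(r):                 # (http.request.uri.path contains "/xmlrpc.php")
    return "/xmlrpc.php" in r["path"]

def captcha_non_local_login(r):      # (uri contains "wp-login.php" and not ip.geoip.country in {"CA"})
    return "wp-login.php" in r["path"] and r["country"] not in {"CA"}

def captcha_important_pages(r):      # xmlrpc, wp-login, or wp-admin minus admin-ajax/theme-editor
    p = r["path"]
    return ("/xmlrpc.php" in p or "/wp-login.php" in p
            or ("/wp-admin/" in p
                and "/wp-admin/admin-ajax.php" not in p
                and "/wp-admin/theme-editor.php" not in p))

def block_all_except_or(r):          # (ip.geoip.country ne "US") or (ip.geoip.country ne "CA")
    return r["country"] != "US" or r["country"] != "CA"

def block_all_except_and(r):         # (ip.geoip.country ne "US") and (ip.geoip.country ne "CA")
    return r["country"] != "US" and r["country"] != "CA"

def captcha_threat_10(r):            # (cf.threat_score ge 10)
    return r["threat"] >= 10

def block_threat_20(r):              # (cf.threat_score ge 20)
    return r["threat"] >= 20

# Assumed evaluation order for this example: first matching rule decides.
RULES = [
    ("block",   block_xmlrpc),
    ("block",   block_threat_20),
    ("captcha", captcha_non_local_login),
    ("captcha", captcha_important_pages),
    ("captcha", captcha_threat_10),
]

def decide(r, rules=RULES):
    """Return the action of the first matching rule, or 'allow' if none match."""
    for action, pred in rules:
        if pred(r):
            return action
    return "allow"

def countries_blocked_by(pred, countries=("US", "CA", "DE", "RU")):
    """Which of the given (constructed) country codes does a geo rule block?"""
    return [c for c in countries if pred({"country": c})]

if __name__ == "__main__":
    for name, r in REQUESTS.items():
        print(f"{name:12} -> {decide(r)}")
    print("or-form blocks :", countries_blocked_by(block_all_except_or))   # every country
    print("and-form blocks:", countries_blocked_by(block_all_except_and))  # only DE and RU
```

The admin-ajax request passes untouched because the `/wp-admin/` branch carves out `admin-ajax.php`; drop that exception and every front-end plugin that talks to admin-ajax starts failing for visitors who have not solved the captcha.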

Block Bad Bots (Huge Rules)

Block Bad Bots

Block Bad Bots (Large List)
  • Tag: bots
  • Expression: (http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)

Block Bad Requests (Large)
  • Tag: security
  • Expression: (http.user_agent contains "?%00") or (http.user_agent contains "/bin/") or (lower(http.user_agent) contains "curl") or (http.user_agent contains "echo ") or (http.user_agent contains "eval(") or (http.user_agent contains "wget ") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "ALittle") or (http.user_agent contains "baidu") or (http.user_agent contains "coccocbot") or (http.user_agent contains "DavClnt") or (http.user_agent contains "DnyzBot") or (http.user_agent contains "DotBot") or (http.user_agent contains "GRequest") or (http.user_agent contains "Hello") or (http.user_agent contains "http-client") or (http.user_agent contains "nowledge") or (http.user_agent contains "Lua") or (http.user_agent contains "mail.ru") or (http.user_agent contains "My User Agent") or (http.user_agent contains "NetSystemsResearch") or (http.user_agent contains "Nikto") or (http.user_agent contains "Nimbostratus") or (http.user_agent contains "PetalBot") or (lower(http.user_agent) contains "python") or (http.user_agent contains "ReactorNetty") or (http.user_agent contains "RestSharp") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SeznamBot") or (http.user_agent contains "Sogou") or (http.user_agent contains "spbot") or (http.user_agent contains "Uptimebot") or (http.user_agent contains "WebDAV-MiniRedir") or (http.user_agent contains "WinHttp.WinHttpRequest") or (http.user_agent contains "YandexBot") or (http.user_agent contains "ZmEu")
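The Block Bad Bots (Large List) rule mixes exact vendor tokens with generic "bot", "crawl" and "spider" substrings guarded by `cf.client.bot`, and it is worth seeing which traffic each part catches before enabling it. The script below is an added example (not code from the original page or from Cloudflare): it transcribes that expression into a predicate, keeping Cloudflare's case-sensitive `contains` semantics, and runs a set of constructed User-Agent strings through it together with an assumed value for `cf.client.bot` (true only for bots on Cloudflare's verified-bot list). The sample strings are invented for the example.

```python
"""Offline check of the page's "Block Bad Bots (Large List)" user-agent rule.

Constructed example, not Cloudflare code.  `contains` in Cloudflare
expressions is a case-sensitive substring match, which is why the page lists
both "bot"/"Bot", "crawl"/"Crawl" and "spider"/"Spider".  cf.client.bot is
true only for verified bots; it does not exempt the exact vendor tokens.
"""

# Clauses with no cf.client.bot guard: matched regardless of verification.
EXACT_TOKENS = ["Yandex", "muckrack", "Qwantify", "Sogou", "BUbiNG", "knowledge",
                "CFNetwork", "Scrapy", "SemrushBot", "AhrefsBot", "Baiduspider",
                "python-requests"]

def block_bad_bots(ua, client_bot=False):
    """True when the page's Block Bad Bots (Large List) expression matches.

    ua: raw User-Agent string (http.user_agent); client_bot: cf.client.bot.
    """
    if any(tok in ua for tok in EXACT_TOKENS):
        return True
    if client_bot:                      # every remaining clause has `and not cf.client.bot`
        return False
    if "crawl" in ua or "Crawl" in ua:
        return True
    if "bot" in ua and "bingbot" not in ua and "Google" not in ua and "Twitter" not in ua:
        return True
    if "Bot" in ua and "Google" not in ua:
        return True
    return "Spider" in ua or "spider" in ua

# Constructed User-Agent strings: (user agent, cf.client.bot, expected result).
SAMPLES = [
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0", False, False),
    # verified search engines pass via the cf.client.bot guard
    ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", True, False),
    ("Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)", True, False),
    # the same Googlebot string without verification is also exempted, by the
    # `not contains "Google"` clause alone: the string is trusted, not checked
    ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", False, False),
    ("python-requests/2.31.0", False, True),            # exact token
    ("MyCrawlBot/1.0 (+https://example.invalid/bot)", False, True),   # "Crawl" clause
    ("Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)", True, True),
    ("Robotics-News-Reader/1.0", False, True),          # false positive: "bot" inside "Robotics"
]

def check_samples(samples=SAMPLES):
    """Return the user agents whose outcome differs from the expected column."""
    return [ua for ua, client_bot, expected in samples
            if block_bad_bots(ua, client_bot) != expected]

if __name__ == "__main__":
    for ua, client_bot, _ in SAMPLES:
        print(f"{'BLOCK' if block_bad_bots(ua, client_bot) else 'pass ':5} {ua}")
    print("mismatches:", check_samples())   # expected: []
```

Two caveats fall out of the samples: the generic "bot" clause will match any User-Agent that merely contains that substring (a constructed "Robotics" client here), and the `not contains "Google"` exception exempts the Googlebot string whether or not Cloudflare verified it, so that clause adds nothing that `cf.client.bot` does not already provide more safely.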

Aggressive Firewall Rules (Whitelist Admin Logins by IP)

If you wish to go a step further, you can whitelist admins by IP and create more aggressive firewall rules. This may cause issues for admin users whose IP addresses change frequently.

Note: you can apply the above rules in addition to the rules below.

Aggressive Whitelist IP

Protect the wp-admin Area
  • Tags: security, aggressive
  • Match: URI Path contains /wp-admin/ AND URI Path does not contain /wp-admin/admin-ajax.php AND URI Path does not contain /wp-admin/theme-editor.php
  • Action: block
  • Expression: (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")

Block Admin Logins not from Whitelisted IP
  • Tags: security, aggressive
  • Match: URI Path contains /wp-login.php
  • Action: block
  • Expression: (http.request.uri.path contains "/wp-login.php")

Block No-Referer Requests to Plugins
  • Tags: security, aggressive
  • Match: URI Path contains /wp-content/plugins/ AND Referer does not contain yoursite.com (your domain) AND not Known Bots
  • Action: block
  • Expression: (http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "yoursite.com" and not cf.client.bot)

Block access to wp-comments-post.php
  • Tags: security, aggressive
  • Match: URI Path equals /wp-comments-post.php AND Request Method equals POST AND Referer does not contain yoursite.com (your domain)
  • Action: block
  • Expression: (http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "yoursite.com")
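None of the aggressive expressions above contains an IP exception of its own, so the "whitelist admins by IP" part has to be a separate rule with the Allow action placed before the block rules; Cloudflare evaluates firewall rules in order and an Allow match exempts the request from later block and challenge rules. The script below is an added example (not code from the original page or from Cloudflare) that models exactly that: an assumed allow rule for a placeholder admin network (203.0.113.0/24, a documentation range) followed by the four aggressive rules transcribed into predicates, evaluated first-match, once with the allow rule first and once with it last. The placeholder domain `yoursite.com` is the one the page uses; the request samples are constructed.

```python
"""Ordering check for the Aggressive rule set with an admin IP allow list.

Constructed example, not Cloudflare code.  The page's aggressive expressions
carry no IP exception; the whitelist is modelled as a separate Allow rule.
Assumption used here: rules run top to bottom and the first match decides,
so an Allow rule only protects admins if it is ordered before the blocks.
"""
import ipaddress

ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # placeholder admin IPs
SITE = "yoursite.com"                                   # placeholder domain, as on the page

def allow_admin_ips(r):              # assumed rule: (ip.src in {203.0.113.0/24}) -> allow
    return any(ipaddress.ip_address(r["ip"]) in net for net in ADMIN_NETS)

def block_wp_admin(r):               # Protect the wp-admin Area
    p = r["path"]
    return ("/wp-admin/" in p and "/wp-admin/admin-ajax.php" not in p
            and "/wp-admin/theme-editor.php" not in p)

def block_wp_login(r):               # Block Admin Logins not from Whitelisted IP
    return "/wp-login.php" in r["path"]

def block_plugins_no_referer(r):     # Block No-Referer Requests to Plugins
    return ("/wp-content/plugins/" in r["path"] and SITE not in r["referer"]
            and not r["client_bot"])

def block_comment_post(r):           # Block access to wp-comments-post.php
    return (r["path"] == "/wp-comments-post.php" and r["method"] == "POST"
            and SITE not in r["referer"])

RULES_WHITELIST_FIRST = [
    ("allow", allow_admin_ips),
    ("block", block_wp_admin),
    ("block", block_wp_login),
    ("block", block_plugins_no_referer),
    ("block", block_comment_post),
]
# Same rules with the allow rule moved to the end: the blocks now fire first.
RULES_WHITELIST_LAST = RULES_WHITELIST_FIRST[1:] + RULES_WHITELIST_FIRST[:1]

def decide(r, rules):
    """Action of the first matching rule; 'allow' when nothing matched."""
    for action, pred in rules:
        if pred(r):
            return action
    return "allow"

def req(path, ip, method="GET", referer="", client_bot=False):
    """Build a constructed request dict mirroring the Cloudflare fields used."""
    return {"path": path, "ip": ip, "method": method, "referer": referer, "client_bot": client_bot}

# Constructed requests (203.0.113.x is an admin, 198.51.100.x is a stranger).
ADMIN_LOGIN    = req("/wp-login.php", "203.0.113.10")
STRANGER_LOGIN = req("/wp-login.php", "198.51.100.7")
PLUGIN_ASSET   = req("/wp-content/plugins/foo/style.css", "198.51.100.7", referer="https://yoursite.com/")
PLUGIN_HOTLINK = req("/wp-content/plugins/foo/style.css", "198.51.100.7")   # no Referer header
COMMENT_FORM   = req("/wp-comments-post.php", "198.51.100.7", method="POST", referer="https://yoursite.com/post")
COMMENT_DIRECT = req("/wp-comments-post.php", "198.51.100.7", method="POST")

if __name__ == "__main__":
    for label, r in [("admin login", ADMIN_LOGIN), ("stranger login", STRANGER_LOGIN),
                     ("plugin asset", PLUGIN_ASSET), ("plugin hotlink", PLUGIN_HOTLINK),
                     ("comment form", COMMENT_FORM), ("comment direct", COMMENT_DIRECT)]:
        print(f"{label:15} allow-first: {decide(r, RULES_WHITELIST_FIRST):5}  "
              f"allow-last: {decide(r, RULES_WHITELIST_LAST)}")
```

The admin login request is the one that flips with rule order: allowed when the whitelist rule comes first, blocked when it comes last. The referer-based rules also show why the section is labelled aggressive: a visitor whose browser sends no Referer header (strict Referrer-Policy, privacy extensions) looks exactly like the PLUGIN_HOTLINK sample and is blocked from loading the site's own plugin CSS and JavaScript.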

Bad Content and User Agents Firewall Rules

These are large rules to block specific content and user agents. Be careful with these, as they might produce issues and false positives.

Bad Content and User Agent

The two rules in this section are the same "Block Bad Bots (Large List)" (tag: bots) and "Block Bad Requests (Large)" (tag: security) expressions already listed above under "Block Bad Bots (Huge Rules)"; copy them from there.

Cloudflare Pro Plan

Cloudflare Access

Hoping to discuss how to develop locally but allow for external access for review.