Cloudflare Firewall Rules for Securing WordPress Websites


Important

Always be sure to check that your site is functioning correctly after implementing any kind of additional security, including the Cloudflare rules detailed in this article.

Introduction

Cloudflare offers an excellent (and easy) way to lock down and secure various endpoints on your WordPress websites, as well as offering a simple one-click DDoS protection measure should you ever come under a serious attack. In this blog post, we’ll take a look at a variety of different rules you could employ. Cloudflare’s free plan comes with the ability to add 5 rules, so you can choose the ones that will best complement your existing server and application-level security setup. These rules fall under 4 categories: locking down endpoints, preventing spam, blocking bad bots, and country/continent-based blocking.


You can also learn more about using Cloudflare’s firewall rules and what’s available per plan in their official documentation here: Cloudflare Firewall Rules Docs.

Information

The Cloudflare proxy must be active on your website for the firewall rules you set to take effect. Please ensure that you set orange clouds for your A and CNAME records.

Creating a Firewall Rule

Creating Cloudflare firewall rules is quick and easy. Inside your Cloudflare account choose your website and then click through to the Security > WAF page. Here click the Create a Firewall Rule button.

At the time of writing, Cloudflare have recently moved some of their security settings around as you can see in the above screenshot.

Rule Consolidation

One of the great things about Cloudflare’s rules is just how much you can do with one rule. Many of the sections below can be consolidated into one singular rule, leaving you with free additional rules for the future if you need them.

Part 1. Country or Continent Blocking

We’ll start off with country/continent blocking as it can be used creatively in the following sections as well.

If your website isn’t serving a global audience, then country/continent blocking can be a handy tool to block a ton of malicious traffic without needing to worry about blocking legitimate visitors who are your website’s target audience. Not expecting any visitors from outside of your own country? You can block them (though do note that our/your hosting support team may also be blocked if/when you need assistance).

Step 1. Create a Cloudflare Firewall Rule

Navigate to the Security > WAF page, and click the Create Firewall Rule button.

Step 2. Configure Your Firewall Rule Expression

First, give your rule an easy to identify name.

If you want to only allow specific countries, set the following:

  • Field: Country or Continent
  • Operator: “Is in” 
  • Value: Choose your countries/continents

If you’re only allowing traffic from one country you can instead choose “equals” as the operator.

If you instead want to block specific countries, set the following:

  • Field: Country or Continent
  • Operator: “Is not in” 
  • Value: Choose your countries/continents

Here’s an example of allowing all countries except the US and Canada:

Step 3. Set the Action and Deploy Your Rule

Cloudflare can block all requests that break the rule outright. When ready, click the Deploy button to set your new firewall rule live.

Part 2. Locking Down WordPress

There are numerous different ways to approach locking down your site. Below I’ve split them into two categories:

  1. The first details locking down various endpoints.
  2. The second details restricting access to your login page and the /wp-admin area.

As mentioned earlier, many of these can be combined into one single rule.

2.1 Mass Lockdown

With this rule we’ll lock down xmlrpc.php, access to /wp-content/, and access to /wp-includes/

Information

The following block on /wp-content/ will prevent files such as PDFs from being directly accessible if you link to them anywhere other than your WordPress website (such as in an email). You can create an exception for these by adding a further condition to the rule, for example:
AND "URI path" "does not include" ".pdf"

Step 1. Create a Cloudflare Firewall Rule

Navigate to the Security > WAF page, and click the Create Firewall Rule button.

Step 2. Configure Your Firewall Rule Expression

First, give your rule an easy to identify name.

Here we’ll create 3 separate conditions within the one rule, one for each of the areas outlined above. First, we’ll simply block direct access to xmlrpc.php with:

  • Field: URI Path
  • Operator: “contains”
  • Value: /xmlrpc.php

Use the OR option on the right-hand side to create two additional conditions as follows:

  • Field: URI Path
  • Operator: “contains”
  • Value: (1) /wp-content/ and (2) /wp-includes/

AND

  • Field: Referer
  • Operator: “does not contain”
  • Value: your website URL

It looks as follows:

If you’d like to use the same, or use this as a starting point, you can copy the following expression:

(http.request.uri eq "/xmlrpc.php") or (http.request.uri.path contains "/wp-content/" and not http.referer contains "yourwebsitehere.com") or (http.request.uri.path contains "/wp-includes/" and not http.referer contains "yourwebsitehere.com")

Inside your Firewall rule, click “Edit Expression” and paste the above.

From here you can continue editing the firewall rule to your liking.
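As an added example (not code from the article or from Cloudflare), the following Python sketch reproduces the logic of the section 2.1 expression, plus the “.pdf” carve-out from the Information box, and runs both over some constructed requests so you can see exactly what gets blocked before you deploy. The host name is the article’s placeholder; the sample requests are made up for the demonstration.

```python
from dataclasses import dataclass

SITE = "yourwebsitehere.com"   # placeholder host from the article; use your own domain

@dataclass
class Request:
    path: str             # http.request.uri.path
    query: str = ""       # http.request.uri.query
    referer: str = ""     # http.referer; empty when the client sends no Referer header

    @property
    def uri(self) -> str:
        # http.request.uri is the path followed by the query string, when there is one
        return self.path + ("?" + self.query if self.query else "")

def mass_lockdown(req: Request) -> bool:
    """True when the request matches the section 2.1 expression (Cloudflare would block it)."""
    # (http.request.uri eq "/xmlrpc.php"): an exact match on the full URI, so the same
    # path with a query string attached is not matched; "URI Path contains" would be
    if req.uri == "/xmlrpc.php":
        return True
    # (http.request.uri.path contains "/wp-content/" and not http.referer contains SITE),
    # repeated for /wp-includes/; 'contains' is a plain case-sensitive substring test
    for prefix in ("/wp-content/", "/wp-includes/"):
        if prefix in req.path and SITE not in req.referer:
            return True
    return False

def mass_lockdown_with_pdf_exception(req: Request) -> bool:
    """The same rule with the carve-out from the Information box appended:
    AND "URI path" "does not include" ".pdf"."""
    return mass_lockdown(req) and ".pdf" not in req.path

SAMPLES = {  # constructed sample traffic, not captured from a real site
    "xmlrpc direct": Request("/xmlrpc.php"),
    "xmlrpc with query string": Request("/xmlrpc.php", query="rsd"),
    "theme css loaded by a page on the site": Request("/wp-content/themes/t/style.css", referer=f"https://{SITE}/about/"),
    "pdf opened from a link in an email": Request("/wp-content/uploads/2024/brochure.pdf"),
    "image hotlinked from another site": Request("/wp-content/uploads/2024/photo.jpg", referer="https://other.example/"),
    "core script with no Referer": Request("/wp-includes/js/jquery/jquery.min.js"),
}

def evaluate(rule) -> dict:
    """Map each sample to 'block' or 'allow' under the given rule function."""
    return {name: ("block" if rule(req) else "allow") for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, decision in evaluate(mass_lockdown_with_pdf_exception).items():
        print(f"{decision:5}  {name}")
```

Running it shows the PDF exception turning the email-link case from block to allow while the hotlinked image stays blocked, and that the `eq` check on xmlrpc.php does not catch the same path with a query string attached.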

Step 3. Set the Action and Deploy Your Rule

Cloudflare can block all requests that break the rule outright. When ready, click the Deploy button to set your new firewall rule live.

2.2 Restrict to /wp-admin/ and /wp-login.php

The following details locking down two areas vital to accessing your website. Use with caution when working on client websites.

Step 1. Create a Cloudflare Firewall Rule

Navigate to the Security > WAF page, and click the Create Firewall Rule button.

Step 2. Configure Your Firewall Rule Expression

First, give your rule an easy to identify name.

Here’s an example rule:

In this example, I’ve used two different ways to block access to these areas just for demonstration purposes. I’ve locked down the /wp-login.php page to only be available when accessed via a specific query string.

The /wp-admin/ area has been locked down to a single IP address only unless it’s specifically the /wp-admin/admin-ajax.php file. This could instead be blocked entirely, and then you could use the WAF “Tools” tab to whitelist your IP address and those of your clients to bypass all firewall rules instead.

To keep things simple for client sites, you could lock these down to their specific country. It’s not perfect, but it can still block a ton of potentially malicious traffic.

If you’d like to use the same rule pictured above as a starting point, you can copy the following expression:

(http.request.uri.path contains "/wp-login.php" and http.request.uri.query ne "steves-super-secret-login") or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php" and ip.src ne 199.199.199.19)

Inside your Firewall rule, click “Edit Expression” and paste the above.

From here you can continue editing the firewall rule to your liking.

Step 3. Set the Action and Deploy Your Rule

Cloudflare can block all requests that break the rule outright.
When ready, click the Deploy button.

Part 3. Prevent Spam

Spam is a constant nuisance for nearly every website, whether it be through contact forms, comments, or both. We have a 2 part series digging into different strategies that are completely free to implement that you may also be interested in:

  1. How to Reduce Eric Jones Spam (and all the other Contact Form Spam)
  2. How to Stop WordPress Comment Spam Permanently (for FREE)

These contain the rules below as well as some non-Cloudflare alternatives. You can also learn more about the specifics of how spam is posted and how to address the root cause.

3.1 Prevent Contact Form Spam

The following is limited in its application as it’s specific to pages and not to contact forms themselves. However, if you have a regular website where contact forms aren’t on every page, then this is an extremely effective measure.

Step 1. Create a Cloudflare Firewall Rule

Navigate to the Security > WAF page, and click the Create Firewall Rule button.

Step 2. Configure Your Firewall Rule Expressions

First, give your rule an easy to identify name.

Here is what my rule looks like:

This states that if:

  1. the URI is /contact/
  2. and the request is made over HTTP/1.0/1.1/1.2
  3. and it is NOT either Googlebot, Bingbot, DuckDuckBot, Facebot, Cloudflare, Slurp, or Alexa
  4. then perform ACTION (see below)

If you’d like to use the same, or use this as a starting point, you can copy the following expression:

(http.request.version in {"HTTP/1.0" "HTTP/1.1" "HTTP/1.2"} and http.request.uri eq "/contact/" and not http.user_agent contains "Googlebot" and not http.user_agent contains "Bingbot" and not http.user_agent contains "DuckDuckBot" and not http.user_agent contains "facebot" and not http.user_agent contains "Slurp" and not http.user_agent contains "Alexa")

Next, inside your Firewall rule, click “Edit Expression” and paste the above.

From here you can continue editing the firewall rule to your liking.
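As an added example (not code from the article or from Cloudflare), this Python sketch reproduces the logic of the section 3.1 expression and runs it over constructed requests, so you can see which traffic it matches before deciding between block and a challenge. Two properties of the expression as written stand out in the results: requests outside the HTTP/1.x version set are never matched, and the string comparisons are case-sensitive (the expression’s “facebot” is not the same as “Facebot”). The sample requests and user agents are made up for the demonstration.

```python
from dataclasses import dataclass

# Markers from the article's expression; 'contains' in Cloudflare rules is case-sensitive
CRAWLER_MARKERS = ("Googlebot", "Bingbot", "DuckDuckBot", "facebot", "Slurp", "Alexa")
HTTP1_VERSIONS = {"HTTP/1.0", "HTTP/1.1", "HTTP/1.2"}   # the version set used in the expression

@dataclass
class Request:
    uri: str              # http.request.uri (path plus any query string)
    version: str          # http.request.version
    user_agent: str = ""  # http.user_agent; empty when the header is absent

def contact_form_rule(req: Request) -> bool:
    """True when the request matches the section 3.1 expression, so the chosen action fires."""
    # http.request.version in {...}: anything outside the set, such as HTTP/2, never matches
    if req.version not in HTTP1_VERSIONS:
        return False
    # http.request.uri eq "/contact/": exact match, so a query string or a missing slash misses
    if req.uri != "/contact/":
        return False
    # the chain of 'not http.user_agent contains ...': any listed marker exempts the request
    return not any(marker in req.user_agent for marker in CRAWLER_MARKERS)

SAMPLES = {  # constructed sample traffic, not captured from a real site
    "browser over HTTP/2": Request("/contact/", "HTTP/2", "Mozilla/5.0 (X11; Linux x86_64)"),
    "browser over HTTP/1.1": Request("/contact/", "HTTP/1.1", "Mozilla/5.0 (X11; Linux x86_64)"),
    "Googlebot over HTTP/1.1": Request("/contact/", "HTTP/1.1", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    "client with no User-Agent over HTTP/1.0": Request("/contact/", "HTTP/1.0"),
    "capitalised Facebot over HTTP/1.1": Request("/contact/", "HTTP/1.1", "Facebot/1.0"),
    "same page with a query string over HTTP/1.1": Request("/contact/?ref=newsletter", "HTTP/1.1", "curl/8.0"),
}

def evaluate() -> dict:
    """Map each sample to 'match' (action fires) or 'pass' (rule does not apply)."""
    return {name: ("match" if contact_form_rule(req) else "pass") for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, decision in evaluate().items():
        print(f"{decision:5}  {name}")
```

Note that a real browser speaking HTTP/1.1 also matches, which is why a managed or JS challenge is the safer action than an outright block if you cannot be sure all legitimate visitors use HTTP/2.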

Step 3. Set the Action

I chose to outright block this traffic, but one of the great things about Cloudflare is that you can use their managed challenge or JS challenge to screen this traffic instead. Choose the option that you feel best suits your needs.

Step 4. Deploy Your Rule

When ready, click the Deploy button to set your new firewall rule live.

3.2 Prevent Comment Spam

Here we’re going to restrict wp-comments-post.php to weed out bot traffic.

Denying bot traffic access to the wp-comments-post.php file can be done at the DNS level with a Cloudflare JS challenge. 

Unlike contact form spam, which can be a little more complex to deal with, blocking this traffic for comments is a simple matter. Automated spam submissions can’t process JS and thus fail Cloudflare’s JS challenge, which then blocks this traffic at the DNS layer before the request can even reach your server.

Step 1. Create a Cloudflare Firewall Rule

Navigate to the Security > WAF page, and click the Create Firewall Rule button.

Step 2. Configure Your Firewall Rule Expressions

First, give your rule a name that’s easy to identify.

Here is what the rule looks like:

This states that if:

  1. the URI contains /wp-comments-post.php
  2. then perform ACTION (see below)

Step 3. Set the Action

Cloudflare offers two methods that could be utilized here. One is their “Managed Challenge” and the other is their JS challenge. As the JS challenge only takes place after a visitor has browsed the page and submitted their comment, the very brief Cloudflare challenge page that pops up doesn’t interfere with the user’s actions beforehand.

Step 4. Deploy Your Rule

When ready, click the Deploy button to set your new firewall rule live.

3.3. 2 in 1: Block both form and comment spam

The following can be used as an alternative to the above two rules. It blocks submissions that aren’t made directly from your website, and thus blocks the automatic posting by spam bots.

Step 1. Create a Cloudflare Firewall Rule

Navigate to the Security > WAF page, and click the Create Firewall Rule button.

Step 2. Configure Your Firewall Rule Expression

First, give your rule an easy to identify name.

Here’s what the rule looks like:

This states that if:

  1. The URI contains either /wp-admin/admin-ajax.php or /wp-comments-post.php
  2. and the request method is POST
  3. and the referrer does not contain your website URL
  4. then perform ACTION (block in this case)

If you’d like to use the same, you can copy the following expression (be sure to replace the URL with your own website):

(http.request.uri contains "/wp-admin/admin-ajax.php" and http.request.method eq "POST" and not http.referer contains "yourwebsitehere.com") or (http.request.uri contains "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "yourwebsitehere.com")

Next, inside your Firewall rule, click “Edit Expression” and paste the above.

Step 3. Set the Action and Deploy Your Rule

Cloudflare can block all requests that break the rule outright.
When ready, click the Deploy button.

Part 4. Block Bad Bots

Cloudflare allows you to block bots based on their user agent. Like country blocking, it’s quick and easy to set up.

7G Users: The 7G WAF contains a long list of bad bots that it blocks at the server level. If you’re already using 7G then you may want to give this one a miss and save your Cloudflare rules. You can also create your own 7G rule to block additional bots if ever needed.

Step 1. Create a Cloudflare Firewall Rule

Navigate to the Security > WAF page, and click the Create Firewall Rule button.

Step 2. Configure Your Firewall Rule Expression

First, give your rule an easy to identify name.

Next, set the following:

  • Field: User Agent
  • Operator: “Equals” or “Contains”
  • Value: Add the name of the bad user agent

Add additional bots with the “OR” option on the right-hand side.

Here’s an example of blocking multiple bots (and while these are bad bots, it’s only an example of how the rule can be used, not a comprehensive recommendation):

Step 3. Set the Action and Deploy Your Rule

Cloudflare can block all requests that break the rule outright.
When ready, click the Deploy button.

That’s a Wrap!

This is the first in a series of planned blog posts on making the most out of Cloudflare’s excellent suite of features for your WordPress websites. More to come in the near(ish) future!

If you’d like to learn more about WordPress security, you may also want to check out the following resources:

5 Comments

  1. Epic! Great read. Thank you so much for this high valuable post Steve!

    :: Question 1: Regarding Part 1. Country or Continent Blocking
    When I would restrict access to all but the Netherlands as an example, would scripts that send/receive data outside of the Netherlands still work? I suppose they do since they do not have to do anything with an IP?

    :: Question 2: Regarding Part 2. Locking Down WordPress
    Inside GridPane under hardening, there is also an XMLRPC block option. Is that the same? Why would one set it up in Cloudflare then? Because it is closer to the source? If so, I suppose it will be unnecessary to set the hardening in GP too?

    • Hey Alexander, no worries!

      Re Q1, I would expect what you’ve described would work fine, but I would still definitely test this to be sure.

      Re Q2, this is doing the same thing as the GridPane XML-RPC hardening measure, just at the DNS layer, so these requests never even reach the server. I personally do still use and recommend using all of the GridPane server-level measures as well though, including this one, as if you ever do need to deactivate the Cloudflare proxy for any reason you have that security already in place. There’s no downside to having this active at both Cloudflare and GridPane.

      Hope this helps!

  2. Hi Steve, thanks for the helpful article.

    I have a little question about locking down the wp-login/wp-admin of my website. I tried to use a specific query string as you did in the example, but the rule is not working. Do I have to set something other than the WAF rule for making it work?

    • Hey Richard, no worries. I just checked this one and I actually confirmed the same thing. I may need to remove it from the article, but I’ll try to sort out a workaround and I’ll let you know!
