Protecting WordPress with Cloudflare

I use CloudFlare to manage my site in terms of peaks in traffic (e.g. caching) and, in essence, as a firewall. One of the great features of CloudFlare is the ability to control traffic before it hits the web server (through A2 Hosting) itself. As an example, there is no point wasting server resources on crawlers and spiders if these are not of benefit to your site and/or strategy.

CloudFlare offers a few useful customization features (even on the free plan). One of these is Page Rules, which lets you control caching, security and so on at a page / URL level; the other is Firewall Rules.

This post focuses on Firewall Rules, as these are the way you can block, challenge or whitelist requests based on a whole range of factors, from the User-Agent header through to Cloudflare's threat score.

To add a Firewall Rule, log into CloudFlare and click on the Firewall icon. Once this has loaded, click on "Firewall Rules". This will take you to a screen like the one below (note: the screenshot is populated with my Firewall Rules).

Once you are in the Firewall Rules section, click on Create a Firewall Rule, which opens a screen like the one below:

From there, click on Edit Expression, which lets you type the expression directly rather than use the form builder. You can use either of the examples below, but they may need modifying to suit your specific needs. Take care with them, as they can easily block the wrong bot or miss the one you meant: Cloudflare's "contains" is a case-sensitive substring match, so a string only matches the exact capitalisation a bot sends (Baidu's crawler, for instance, identifies itself as "Baiduspider", which the "BaiDuSpider" test below does not match; it is the "baidu.com" test that catches it), and broad fragments such as "python-requests" or "Go-http-client/" will also block legitimate tools built on those libraries. After enabling a rule, check the Firewall Events log to see what it actually matched.

Setting the action to Block blocks every request that matches the expression; you could instead set it to JS Challenge or Challenge (CAPTCHA), which lets real browsers through after a check while still stopping simple scripts.

Expression to Block Unwanted Bots and User Agents:

(cf.threat_score gt 15) or
(http.user_agent contains "AhrefsBot/") or
(http.user_agent contains "BaiDuSpider") or
(http.user_agent contains "baidu.com") or
(http.user_agent contains "/bin/bash") or
(http.user_agent contains "crawler.feedback@gmail.com") or
(http.user_agent contains "DnyzBot/") or
(http.user_agent contains "DotBot/") or
(http.user_agent contains "eval(") or
(http.user_agent contains "Go-http-client/") or
(http.user_agent contains "Nikto") or
(http.user_agent contains "Nimbostratus") or
(http.user_agent contains "python-requests") or
(http.user_agent contains "Scrapy/") or
(http.user_agent contains "SeznamBot/") or
(http.user_agent contains "Sogou web spider/") or
(http.user_agent contains "spbot/") or
(http.user_agent contains "Uptimebot/") or
(http.user_agent contains "WebDAV-MiniRedir") or
(http.user_agent contains "WinHttp.WinHttpRequest") or
(http.user_agent contains "ZmEu")


Expression for Content Protection:

(http.request.uri.query contains "author_name=") or
(http.request.uri.query contains "author=" and not http.request.uri.path contains "/wp-admin/export.php") or
(http.request.full_uri contains "wp-config.") or
(http.request.uri.path contains "/wp-json/") or
(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php") or
(http.request.uri.path contains "phpmyadmin") or
(http.request.uri.path contains "/phpunit") or
(http.request.full_uri contains "../") or
(http.request.full_uri contains "passwd") or
(http.request.uri contains "/dfs/") or
(http.request.uri contains "/autodiscover/") or
(http.request.uri contains "/wpad.") or
(http.request.full_uri contains "webconfig.txt") or
(http.request.full_uri contains "vuln.") or
(http.request.uri.query contains "base64") or
(upper(http.request.uri.query) contains " UNION ALL ") or
(upper(http.request.uri.query) contains " SELECT ") or
(http.request.uri.query contains "$_GLOBALS[") or
(http.request.uri.query contains "$_REQUEST[") or
(http.request.uri.query contains "$_POST[")

Three things to know before pasting this in. First, the original list had six more clauses (one on http.request.full_uri, two on http.request.uri.query, two on http.cookie and one on http.referer) whose string operands did not survive publication, almost certainly because they contained HTML-like characters; they are left out above rather than guessed at, and the duplicated "../" test has been collapsed into one. Second, the "/wp-json/" clause blocks the WordPress REST API for everyone, including logged-in users of the block editor and any plugin that calls it, so either drop it or exclude your own address (ip.src) with an "and not" clause. Third, the clauses test the raw, still-encoded request, so " UNION ALL " only matches a payload sent with literal spaces; wrap the field in url_decode() (for example upper(url_decode(http.request.uri.query))) if you want percent-encoded variants caught as well.
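To see what the two expressions above actually do to traffic before enabling them, here is an added example (my own code, not the post's and not Cloudflare's) that emulates the handful of operators they use in Python and runs both rules over constructed requests to a hypothetical example.com site. It reproduces only case-sensitive contains, upper() and and/or/not; the threat_score field is an assumed stand-in for cf.threat_score, which only Cloudflare can compute; and the clauses whose operands were lost on the page are omitted, as in the text. The samples are chosen to show the points made above: a legitimate export.php request passing, the block editor's REST call being caught, the "BaiDuSpider" capitalisation missing Baidu's crawler until "baidu.com" catches it, and a percent-encoded UNION SELECT slipping past.

```python
"""Offline emulation of the two firewall expressions above: an added example,
not Cloudflare's engine and not the post author's code. It re-implements only
the operators the rules use (case-sensitive contains, upper(), and/or/not)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    """Request fields the rules reference; threat_score stands in for cf.threat_score (assumed)."""
    full_uri: str            # http.request.full_uri
    user_agent: str = ""     # http.user_agent
    threat_score: int = 0    # cf.threat_score (assumed value)

    @property
    def path(self) -> str:   # http.request.uri.path
        return urlsplit(self.full_uri).path

    @property
    def query(self) -> str:  # http.request.uri.query (raw, still percent-encoded)
        return urlsplit(self.full_uri).query

    @property
    def uri(self) -> str:    # http.request.uri: path plus query string
        return self.path + (f"?{self.query}" if self.query else "")


# Cloudflare's contains is a case-sensitive substring test, so each fragment
# must match the exact capitalisation the bot sends.
BOT_UA_NEEDLES = [
    "AhrefsBot/", "BaiDuSpider", "baidu.com", "/bin/bash",
    "crawler.feedback@gmail.com", "DnyzBot/", "DotBot/", "eval(",
    "Go-http-client/", "Nikto", "Nimbostratus", "python-requests", "Scrapy/",
    "SeznamBot/", "Sogou web spider/", "spbot/", "Uptimebot/",
    "WebDAV-MiniRedir", "WinHttp.WinHttpRequest", "ZmEu",
]


def bot_rule(req: Request) -> bool:
    """First expression: threat score over 15, or a listed User-Agent fragment."""
    return req.threat_score > 15 or any(n in req.user_agent for n in BOT_UA_NEEDLES)


def content_rule(req: Request) -> bool:
    """Second expression, clause for clause; the clauses whose operands were lost on the page are left out."""
    q, p, full, uri = req.query, req.path, req.full_uri, req.uri
    return (
        "author_name=" in q
        or ("author=" in q and "/wp-admin/export.php" not in p)
        or "wp-config." in full
        or "/wp-json/" in p
        or ("/wp-content/" in p and ".php" in p)
        or "phpmyadmin" in p or "/phpunit" in p
        or "../" in full or "passwd" in full
        or "/dfs/" in uri or "/autodiscover/" in uri or "/wpad." in uri
        or "webconfig.txt" in full or "vuln." in full
        or "base64" in q
        or " UNION ALL " in q.upper()    # upper(http.request.uri.query)
        or " SELECT " in q.upper()
        or "$_GLOBALS[" in q or "$_REQUEST[" in q or "$_POST[" in q
    )


def evaluate(req: Request) -> str:
    """Verdict of the two Block rules together: "block" or "allow"."""
    return "block" if bot_rule(req) or content_rule(req) else "allow"


# Constructed sample traffic (not real logs) against a hypothetical example.com.
SITE = "https://example.com"
BROWSER = "Mozilla/5.0 (Windows NT 10.0; rv:66.0) Gecko/20100101 Firefox/66.0"
SAMPLES = {
    "normal page":           Request(f"{SITE}/2019/04/some-post/", BROWSER),
    "high threat score":     Request(f"{SITE}/", BROWSER, threat_score=40),
    "author enumeration":    Request(f"{SITE}/?author=1", BROWSER),
    "legitimate export":     Request(f"{SITE}/wp-admin/export.php?author=2", BROWSER),
    "wp-config probe":       Request(f"{SITE}/wp-config.php.bak", BROWSER),
    "php under wp-content":  Request(f"{SITE}/wp-content/uploads/shell.php", BROWSER),
    "nikto scan":            Request(f"{SITE}/", "Mozilla/5.00 (Nikto/2.1.6)"),
    # Collateral damage: the block editor and many plugins call the REST API.
    "block editor save":     Request(f"{SITE}/wp-json/wp/v2/posts/12", BROWSER),
    # Case sensitivity: Baidu sends "Baiduspider", which "BaiDuSpider" misses...
    "baidu, short UA":       Request(f"{SITE}/", "Baiduspider/2.0"),
    # ...but its full UA also carries "baidu.com", which the rule does match.
    "baidu, full UA":        Request(f"{SITE}/", "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"),
    # The SQL clauses see the raw query string: literal spaces match...
    "sqli, literal spaces":  Request(f"{SITE}/?id=1 UNION ALL SELECT 1,2,3", BROWSER),
    # ...but the %20 that browsers and most tools send does not.
    "sqli, percent-encoded": Request(f"{SITE}/?id=1%20UNION%20ALL%20SELECT%201,2,3", BROWSER),
}


def run() -> dict:
    """Map each sample name to the verdict the rules give it."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{verdict:5}  {name}")
```

Run it and each sample prints with its verdict; swap the entries in SAMPLES for lines from your own access log to see what a rule would have done to real visitors before you turn it on.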

I wish I could claim credit for these incredible tips, but credit should be directed to https://www.kazimer.com/how-to-protect-wordpress-with-cloudflare-firewall-rules/
