Which part exactly? Are you getting blocked or?
Have you tried splitting it into smaller chunks and testing what you want to achieve?
Allow only your IP? For which request, and on which path or multiple files?
Are you able to filter out all countries except your own for wp-login and then JS Challenge even your country after all the others are blocked?
Cloudflare Access fits your needs if only you or a few members need access to the WP login area:
Or is it about a public forum or board, or even some e-commerce webshop, and that's not the case?
Below might help (sharing part from mine):
(http.request.uri.query contains "author" and not http.request.uri.path contains "wp-admin")
(http.request.uri.query contains "author_name")
Furthermore, disable /wp-json/ if it is not used at all; otherwise limit which parts of the WP JSON API can be accessed and by whom (logged-in users only, some of the members, or no one), either via a WordPress plugin, by adding part of the code below to the functions.php file of your theme, or by blocking access via a WAF rule.
Block access to /wp-json/wp/v2/users via a WAF rule or via this code example:
// Paste into the functions.php of your active theme (or a small plugin).

// Legacy WP REST API v1 plugin filters (only relevant if that old plugin is installed).
//add_filter( 'json_enabled', '__return_false' );
//add_filter( 'json_jsonp_enabled', '__return_false' );

// Core REST API (v2). Note: 'rest_enabled' is deprecated since WP 4.7 and no longer
// disables the API; the 'rest_authentication_errors' filter further below is the replacement.
add_filter( 'rest_enabled', '__return_false' );
add_filter( 'rest_jsonp_enabled', '__return_false' );

// Remove REST API / oEmbed discovery from <head>, the Link response header and RSD.
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'wp_head', 'wp_oembed_add_discovery_links', 10 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );

// Scripts must be (de)registered from wp_enqueue_scripts, not at file load time,
// otherwise WordPress raises a "called incorrectly" notice.
add_action( 'wp_enqueue_scripts', function () {
    wp_deregister_script( 'wp-embed' );
} );

// Drop selected endpoints entirely. /wp/v2/users is the one that exposes usernames.
// Caution: the block editor in wp-admin also uses these routes (posts/pages for saving,
// users for author lists), so removing them for everyone breaks editing for logged-in users.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    foreach ( array( '/wp/v2/users', '/wp/v2/posts', '/wp/v2/pages' ) as $route ) {
        if ( isset( $endpoints[ $route ] ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

/*
 * WP REST API JSON Endpoints: allow only logged-in users (optional).
 */
function mytheme_only_allow_logged_in_rest_access( $access ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_cannot_access',
            __( 'Only authenticated users can access the REST API.', 'disable-json-api' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $access;
}
// Uncomment to enforce the logged-in-only restriction above.
//add_filter( 'rest_authentication_errors', 'mytheme_only_allow_logged_in_rest_access' );
BBQ Firewall is lightweight and working:
Have you got the Free or a paid plan type like Pro? Pro has got great improvements in the WAF such as Managed Rules, OWASP and more, which you can adjust and tune up as needed.
(http.request.uri contains "?%00") or (http.request.uri contains "eval") or (http.request.uri contains "base64") or (http.request.uri contains "var_dump") or (http.request.uri contains "<script") or (http.request.uri contains "%3Cscript") or (http.request.full_uri contains "<?php") or (http.request.uri contains "GLOBALS") or (http.request.uri contains "REQUEST")
You can add DROP, for example, or %, or SELECT(, UNION( etc.
Keep (empty) index.php files in directories and disable directory listing on your web server, Apache, Nginx or some other.
Example:
(http.request.uri contains "passwd") or (http.request.uri contains "../../")
Block empty user-agents and more:
(http.user_agent eq "" and not ip.src in {your_origin_webserver_ipadr})
Remember, you're limited to 4096 characters per Custom WAF Rule, so on the Free plan you have to combine to fit into the 5 rules in total, while with the Pro plan you've got even more WAF rules (25), easier and better combinations, and it's much better to go with Managed Rules, which you can enable, disable and tune up as needed with a single click, with no need to worry about SQLi and more.
Helpful:
Block ASNs directly via IP Access Rules and spare Custom WAF Rules:
More cool stuff here:
Depending on how your web server is configured: does the URL structure use index.php, as in Joomla, or are rewrites configured on index.php so that it's not seen in the URL address bar? (If accessed directly it'll be blocked, otherwise it shouldn't be blocked; you can block it in such a case.)
Block HTTP/1.0 requests as well:
(http.request.version eq "HTTP/1.0")
Block TOR (T1) country:
(ip.geoip.country eq "T1")
Block direct access to any .php file inside wp-content (includes plugins, themes and uploads):
(http.request.uri.path contains ".php" and http.request.uri.path contains "/wp-content/")
Add Cloudflare Turnstile widget to your wp-login.php via plugin or manually:
Disable user registration and remove unnecessary links from the wp-login page, either with a plugin or manually via functions.php of your active theme.
You can even test yourself with online WPScan, track your Security → Events, then block the ASN so no one can run tests from online tools such as WPScan and similar.
It takes some time, but pays off once you've figured out the WAF rules which fit your case.
Anything else with which we could help?
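An added offline example (not from the post above) that models the custom rule expressions quoted in it against constructed sample requests, and checks the 4096-character limit when combining expressions into one rule. The `Request` class, `ORIGIN_IPS` value and client addresses are assumptions; `contains` is approximated as a plain case-sensitive substring test, which is a simplification of Cloudflare's engine.

```python
# Offline model of the Cloudflare custom rule expressions quoted in the post.
# Simplified, not Cloudflare's engine: `contains` is a case-sensitive substring
# test on the raw field and `eq` is plain equality.
from dataclasses import dataclass

RULE_CHAR_LIMIT = 4096       # per-custom-rule limit mentioned in the post
ORIGIN_IPS = {"192.0.2.5"}   # constructed stand-in for {your_origin_webserver_ipadr}

@dataclass
class Request:
    path: str                        # http.request.uri.path
    query: str = ""                  # http.request.uri.query
    version: str = "HTTP/1.1"        # http.request.version
    user_agent: str = "Mozilla/5.0"  # http.user_agent
    src_ip: str = "203.0.113.10"     # ip.src (constructed client address)

    @property
    def uri(self) -> str:            # http.request.uri (path plus query string)
        return self.path + (f"?{self.query}" if self.query else "")

# One Python predicate per expression from the post.
RULES = {
    "author_enum": lambda r: "author" in r.query and "wp-admin" not in r.path,
    "wp_content_php": lambda r: ".php" in r.path and "/wp-content/" in r.path,
    "http10": lambda r: r.version == "HTTP/1.0",
    "empty_ua": lambda r: r.user_agent == "" and r.src_ip not in ORIGIN_IPS,
    "traversal": lambda r: "passwd" in r.uri or "../../" in r.uri,
}

def matching_rules(req: Request) -> list[str]:
    """Names of the post's rules that would fire for this request."""
    return [name for name, test in RULES.items() if test(req)]

def combine_or(expressions: list[str]) -> str:
    """Join expressions into one rule with `or` (to fit the Free plan's 5 rules);
    raises if the result exceeds the per-rule character limit."""
    combined = " or ".join(expressions)
    if len(combined) > RULE_CHAR_LIMIT:
        raise ValueError(f"{len(combined)} chars exceeds {RULE_CHAR_LIMIT}")
    return combined

if __name__ == "__main__":
    for req in (Request("/", query="author=1"),
                Request("/wp-admin/edit.php", query="author=1"),
                Request("/wp-content/plugins/x/file.php"),
                Request("/", user_agent="", src_ip="192.0.2.5")):
        print(req.uri, "->", matching_rules(req) or "allowed")
```

The second sample shows why the post's author rule excludes wp-admin: the same query from the admin area stays allowed, while the last sample shows the origin-IP exemption for empty user agents.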