Hi guys!
My website is being hacked as shown below.
Can anyone guide me in setting up WAF against it?
Maybe try looking at Fail2ban.org. It reads your logs and can be connected to Cloudflare to ban directly at CF.
Greetings,
Thank you for asking.
From the screenshot you’re sharing, you can allow only your origin host/server IP to access the wp-cron.php file and block anyone else trying to, by using a Firewall Rule with an expression as follows:
Expression:
(http.request.uri.path contains "wp-cron.php" and ip.src ne 123.222.232.234)
(If you copy-paste this, correct the double quotes " ", as otherwise you’d get a warning/error message that it cannot parse something …)
Regarding WordPress, I’d suggest you whitelist your origin host / server / hosting IP address by navigating to Security → WAF → Tools → IP Access Rules with the action “allow” for your website and try again.
This is known to happen due to WordPress using HTTP/1.0 and an empty user-agent while executing WP-Cron or some other related JSON/REST API request via a plugin.
I’d suggest you contact your hosting provider and make sure to scan & clean this first at the origin host, then proceed with the protection & security measures available to you at Cloudflare to block those “bad guys” out there using different methods in the Cloudflare dashboard.
Install Wordfence or some other plugin too, check with ClamAV, scan database, scan files, update WP, themes, plugins, change passwords, scan with Sucuri and Imunify360, etc.
Since you are using WordPress, I am sharing here some helpful tips and tricks to protect your website with Cloudflare:
Last but not least, kindly see more by reading the Cloudflare articles, which contain a lot of helpful information for better understanding and usage in terms of Security and Protection:
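Added example, not part of any post above and not Cloudflare's code: a Python sketch that applies the same logic as the firewall expression in the reply to an origin access log, to show which client IPs the rule would block before it is deployed. It assumes combined log format and that the logged client address is the real visitor IP (for example restored from CF-Connecting-IP); the log lines are constructed and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# IP taken from the expression in the reply; replace with your own origin IP.
ORIGIN_IP = ipaddress.ip_address("123.222.232.234")

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" \d{3} '
)

def rule_matches(line, origin=ORIGIN_IP):
    """Return the client IP if the rule would act on this request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: ignore it
    try:
        src = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None  # client field is not an IP address
    # http.request.uri.path excludes the query string, so strip it first.
    path = m["target"].split("?", 1)[0]
    # "contains" is a case-sensitive substring test; "ne" is IP inequality.
    if "wp-cron.php" in path and src != origin:
        return src
    return None

def blocked_by_source(lines, origin=ORIGIN_IP):
    """Count rule matches per client IP."""
    hits = Counter()
    for line in lines:
        src = rule_matches(line, origin)
        if src is not None:
            hits[str(src)] += 1
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
T = "[10/Oct/2022:13:55:36 +0000]"
SAMPLE_LOG = [
    f'123.222.232.234 - - {T} "POST /wp-cron.php?doing_wp_cron=1 HTTP/1.0" 200 0 "-" "-"',
    f'203.0.113.7 - - {T} "GET /wp-cron.php HTTP/1.1" 200 0 "-" "curl/7.81.0"',
    f'203.0.113.7 - - {T} "POST /wp-cron.php?doing_wp_cron=1 HTTP/1.1" 200 0 "-" "-"',
    f'198.51.100.23 - - {T} "GET /index.php?p=wp-cron.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.23 - - {T} "GET /blog/wp-cron.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    f'2001:db8::1 - - {T} "GET /wp-login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in blocked_by_source(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count}")
```

If the origin server's own address shows up in the output, the IP in the rule is wrong and the rule would block WP-Cron itself.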