[FirewallTip] wp-dave's not here

This posting is part of a series on Cloudflare’s firewall engine and discusses rules which might make your site just a tad less welcoming to automated robots and crawlers.

wp-dave’s not here

Are you running WordPress? Then stop here 🙂. This tip is only for those who do not run WordPress but are still getting these lovely, pointless requests looking for vulnerable WordPress installations to exploit.

If you don’t use WordPress (and have no similar paths), all the requests for /wp-login.php, /wp-admin, and /wp-content won’t do anything, but they will still spam your server logs with 404s. It would be nice to filter them out on the proxy side already, and that’s exactly what we are going to do.

(http.request.uri.path contains "/wp-")

Challenge or Block?

You are not running WordPress, right? And you don’t have any URLs which contain /wp- either, right? If so, you should just block those requests.


As always, don’t just copy/paste things. First evaluate whether a new rule fits your site setup, and be careful when making such changes, as they could break your site if not implemented with care. Also pay attention to the order of the firewall rules, as they are evaluated in order.

Ceterum censeo

Did you know? Flexible mode is insecure and should be deprecated for the sake of the security of the Internet.

Cast your vote at “Header indicating encryption status of the origin connection” and get more transparency and security on the Internet.

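One way to do the evaluation recommended above before setting the rule to Block, as an added example that is not part of the original post: it replays the rule's case-sensitive substring match over an origin access log and lists any matching path that was actually served. The log lines are constructed samples, `rule_matches` and `audit` are hypothetical helper names, and a common/combined access log format is assumed.

```python
import re
from collections import Counter

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 153
198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /blog/wp-migration-guide HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2023:14:02:10 +0000] "GET /search?q=/wp-content HTTP/1.1" 200 812
192.0.2.33 - - [10/Oct/2023:14:05:44 +0000] "GET /WP-ADMIN/ HTTP/1.1" 404 153
192.0.2.33 - - [10/Oct/2023:14:05:45 +0000] "GET /index.html HTTP/1.1" 200 2048
'''

# Request line and status code as they appear in common/combined log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def rule_matches(path):
    """Mirror (http.request.uri.path contains "/wp-"): case-sensitive substring on the path."""
    return "/wp-" in path


def audit(log_text):
    """Return (status counts of matching requests, matching paths that were not a 404)."""
    statuses, would_break = Counter(), set()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # http.request.uri.path excludes the query string, so drop it before matching.
        path = m.group("target").split("?", 1)[0]
        if rule_matches(path):
            status = int(m.group("status"))
            statuses[status] += 1
            if status != 404:
                would_break.add(path)  # something the origin really serves
    return statuses, would_break


if __name__ == "__main__":
    statuses, would_break = audit(SAMPLE_LOG)
    print("matching requests by status:", dict(statuses))
    print("served paths the rule would block:", sorted(would_break))
```

A non-empty second result means the rule as written would block content the site serves. The uppercase `/WP-ADMIN/` request and the query-string hit are not matched by this expression.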