My WAF Firewall rules for Wordpress and static sites

Here are the Firewall rules I use on my Wordpress and static sites, happy to get feedback.

Block HTTP POSTs from Tor. This often results in contact form spam.

(http.request.method eq "POST" and ip.geoip.country eq "T1")

Block access to the default Wordpress login page

(http.request.uri.path contains "/wp-login.php")

Block cookie-less access to the Wordpress admin pages

(http.request.uri.path eq "/wp-admin" or http.request.uri.path eq "/wp-admin/") and not http.cookie contains "wordpress_logged"

Block access to archives and backups in folders other than Wordpress ones

not http.request.uri.path contains "/wp-" and (http.request.uri.path contains ".zip" or http.request.uri.path contains ".sql" or http.request.uri.path contains ".gz" or http.request.uri.path contains ".bak" or http.request.uri.path contains ".tar")

Block access to PHP code in the Wordpress wp-content folder

(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php")

Block ASP access to a PHP site

(http.request.uri.path contains ".asp")

Block access to the Wordpress config file or potential clones and backups

(http.request.uri.path contains "/wp-config")

Block Wordpress XMLRPC POST floods

(http.request.uri.path contains "/xmlrpc.php" and http.request.method eq "POST")

Block access to anything other than existing assets on a very simple static page

!((http.request.uri.path eq "/") or (http.request.uri.path eq "/index.html") or (http.request.uri.path eq "/en") or (http.request.uri.path eq "/en/") or (http.request.uri.path eq "/en/index.html") or (http.request.uri.path eq "/robots.txt") or (http.request.uri.path contains "/feed") or (http.request.uri.path eq "/style.css") or (http.request.uri.path eq "/favicon.ico") or (http.request.uri.path contains "/images/") or (http.request.uri.path contains "/sitemap"))

Block unexpected HTTP request methods on a very simple static page

(http.request.method in {"POST" "PUT" "DELETE" "PATCH"})

Also posted on GitHub - dimitris-t/cloudflare-waf-rules: Cloudflare WAF rules to protect websites
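As an added example (my own, not part of the original post, the linked GitHub repository, or Cloudflare's code), the following script lets you dry-run the rules above against sample requests before deploying them. It implements only the subset of the Cloudflare firewall expression language the rules use (`and`/`or`/`not`/`!`, parentheses, `eq`/`ne`/`contains`/`in {...}`, and the four fields referenced) and assumes Cloudflare's documented precedence (`not` binds tightest, then `and`, then `or`) and case-sensitive `contains`. The `Parser`, `evaluate`, `matching_rules` and `make_request` names, and the plain-dict request shape, are hypothetical helpers; the rule strings are copied verbatim from the post.

```python
# Hypothetical offline evaluator for the subset of Cloudflare's firewall
# expression language used in the rules above (not Cloudflare's own code).
# Supports and/or/not/!, parentheses, eq/ne/contains/in {...}, and the four
# fields the rules reference. "contains" is case-sensitive, as in Cloudflare.
import re

FIELDS = {  # expression field -> key in the plain-dict request used here
    "http.request.uri.path": "path", "http.request.method": "method",
    "http.cookie": "cookie", "ip.geoip.country": "country",
}
_TOKEN = re.compile(r'\s*("(?:[^"\\]|\\.)*"|[A-Za-z_][\w.]*|[(){}!])')

def tokenize(expr):
    tokens, pos = [], 0
    while (m := _TOKEN.match(expr, pos)):
        tokens.append(m.group(1)); pos = m.end()
    if expr[pos:].strip():
        raise SyntaxError(f"unexpected input: {expr[pos:pos + 12]!r}")
    return tokens

class Parser:
    """Recursive descent; 'not' binds tightest, then 'and', then 'or'."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError(f"trailing token {self.peek()!r}")
        return node
    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take(); node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_unary()
        while self.peek() == "and":
            self.take(); node = ("and", node, self.parse_unary())
        return node
    def parse_unary(self):
        if self.peek() in ("not", "!"):
            self.take(); return ("not", self.parse_unary())
        if self.peek() == "(":
            self.take(); node = self.parse_or(); self.take(")"); return node
        field, op = self.take(), self.take()
        if field not in FIELDS:
            raise SyntaxError(f"unsupported field {field!r}")
        if op == "in":  # set literal: in {"A" "B" ...}
            self.take("{"); values = []
            while self.peek() != "}":
                values.append(self.take().strip('"'))
            self.take("}")
            return ("in", field, values)
        if op not in ("eq", "ne", "contains"):
            raise SyntaxError(f"unsupported operator {op!r}")
        return (op, field, self.take().strip('"'))

def evaluate(node, request):
    """True when the parsed expression matches the request (rule would block)."""
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], request) and evaluate(node[2], request)
    if kind == "or":
        return evaluate(node[1], request) or evaluate(node[2], request)
    if kind == "not":
        return not evaluate(node[1], request)
    actual = request.get(FIELDS[node[1]], "")
    if kind == "eq": return actual == node[2]
    if kind == "ne": return actual != node[2]
    if kind == "contains": return node[2] in actual
    return actual in node[2]  # "in"

# Rule expressions copied verbatim from the post; names are mine.
WORDPRESS_RULES = {
    "tor_post": '(http.request.method eq "POST" and ip.geoip.country eq "T1")',
    "wp_login": '(http.request.uri.path contains "/wp-login.php")',
    "wp_admin_no_cookie": '(http.request.uri.path eq "/wp-admin" or http.request.uri.path eq "/wp-admin/") and not http.cookie contains "wordpress_logged"',
    "archives": 'not http.request.uri.path contains "/wp-" and (http.request.uri.path contains ".zip" or http.request.uri.path contains ".sql" or http.request.uri.path contains ".gz" or http.request.uri.path contains ".bak" or http.request.uri.path contains ".tar")',
    "wp_content_php": '(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php")',
    "asp": '(http.request.uri.path contains ".asp")',
    "wp_config": '(http.request.uri.path contains "/wp-config")',
    "xmlrpc_post": '(http.request.uri.path contains "/xmlrpc.php" and http.request.method eq "POST")',
}
STATIC_RULES = {
    "static_allowlist": '!((http.request.uri.path eq "/") or (http.request.uri.path eq "/index.html") or (http.request.uri.path eq "/en") or (http.request.uri.path eq "/en/") or (http.request.uri.path eq "/en/index.html") or (http.request.uri.path eq "/robots.txt") or (http.request.uri.path contains "/feed") or (http.request.uri.path eq "/style.css") or (http.request.uri.path eq "/favicon.ico") or (http.request.uri.path contains "/images/") or (http.request.uri.path contains "/sitemap"))',
    "static_methods": '(http.request.method in {"POST" "PUT" "DELETE" "PATCH"})',
}

def make_request(path, method="GET", cookie="", country="US"):
    """Constructed sample request; country "T1" is Cloudflare's Tor code."""
    return {"path": path, "method": method, "cookie": cookie, "country": country}

def matching_rules(request, rules):
    """Names of the rules that fire for the request, in rule order."""
    return [name for name, expr in rules.items() if evaluate(Parser(expr).parse(), request)]

if __name__ == "__main__":
    for req in [make_request("/old/site.sql"), make_request("/wp-content/uploads/2020/site.zip"),
                make_request("/xmlrpc.php", "POST"), make_request("/contact", "POST", country="T1"),
                make_request("/wp-admin/"), make_request("/wp-admin/", cookie="wordpress_logged_in_x=1")]:
        print(req["method"], req["path"], "->", matching_rules(req, WORDPRESS_RULES) or "allowed")
    for req in [make_request("/en/index.html"), make_request("/admin"), make_request("/", "POST")]:
        print(req["method"], req["path"], "->", matching_rules(req, STATIC_RULES) or "allowed")
```

Running it shows, for instance, that a `.zip` under `/wp-content/uploads/` is left alone by the archives rule (the `/wp-` exclusion), that a GET to `xmlrpc.php` passes while a POST is blocked, and that the `/wp-admin/` rule stops firing once a `wordpress_logged_in_*` cookie is present. Each rule set is evaluated on its own, which mirrors the reply below: the WordPress rules and the two static-site rules are meant for different sites.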


What is the point of blocking XMLRPC POSTs and blocking POSTs from Tor if you have a rule that blocks all POST requests? Seems redundant.

Good question. The top rules are for Wordpress, the bottom two are for static sites.
