Security WordPress Protection Like ESET Smart Security Firewall

OK. The main reason I'm starting this is that I feel like there is a need for it. (I apologize if someone has already started this.) And I'm just learning about this.
I'm the type of guy who likes to see what Cloudflare has to offer in terms of firewall for FREE users. Because I've been using ESET Smart Security in advanced mode, I like the idea of seeing what's going in and out when it comes to a computer firewall.

If any of these settings are wrong, please let us know.

Page Rule
FREE USERS

If someone here can tell us there is better protection for the page rules, we want to hear it from you. :stuck_out_tongue:

1. Secure The WordPress Admin And Bypass Cache

The WordPress admin settings should be combined into one page rule. This sets the Firewall Security to high and bypasses Cloudflare's cache (the admin area should never be cached). It also disables Cloudflare apps and performance features (minify, Rocket Loader, Mirage, Polish) inside the admin, since these are only used to speed up the front end of your site.

yourwebsite.com/wp-admin*

2. Decrease Bandwidth Of WP Uploads

Since items in your WordPress uploads folder do not change frequently, you don't have to cache them as often, which saves bandwidth by setting Edge Cache TTL to a month. If you need to update certain files/directories before a month, you can purge the individual files in Cloudflare.

In this page rule and future ones in this post, the browser cache TTL is set to a day. This sets the expiration time for resources cached in a visitor’s browser, an item often shown in GTmetrix.

yourwebsite.com/wp-content/uploads*

3. Stop Bots From Collecting Your Email

This page rule enables email obfuscation on your contact page which hides your email address from bots (so they don’t send you spam). The email address will still be visible to humans. You should enable email obfuscation on any page that contains your email address to prevent spam, or turn it on globally in Cloudflare’s Scrape Shield settings. You can change this to be any page.

yourwebsite.com/contact

=========================================================================

Since this is a web-based firewall, these are the settings I have for the Cloudflare firewall:

IP Access Rules:

Tighten your security so only you can access WordPress:

  • Whitelist your exact IP address. (if your ISP grants you a static IP)

  • If your IP changes. (You will need to re-enter it or you will get locked out of your WordPress admin area.)

  • Whitelist your ISP’s entire IP range. (Good choice if you have a dynamic IP.)

  • Whitelist your country. (Won't protect against attacks from your own country.)

(If anyone can help with the IP range, as I haven't tried this yet: 198.105.244.130)

Firewall Rules Updated 24/11/21

Guide to 4 Rules

=========================================================================

1. Protect the wp-admin Area

Login Protection

(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-admin/") or (http.request.uri.path contains "/wp-admin/admin-ajax.php") or (http.request.uri.path contains "/wp-admin/theme-editor.php")

xmlrpc.php is a common attack target. XML-RPC has legitimate uses, such as blogging from a smartphone or posting content to multiple WordPress sites at once.

If you have a CP for your website with a firewall, you will notice IPs from all over the world trying to access your wp-login.php file. You will be protected by this.

=============================================================================

2. Bots

(http.user_agent contains "360Spider") or (http.user_agent contains "acapbot") or (http.user_agent contains "acoonbot") or (http.user_agent contains "ahrefs") or (http.user_agent contains "alexibot") or (http.user_agent contains "attackbot") or (http.user_agent contains "backdorbot") or (http.user_agent contains "becomebot") or (http.user_agent contains "blackwidow") or (http.user_agent contains "blekkobot") or (http.user_agent contains "blowfish") or (http.user_agent contains "bullseye") or (http.user_agent contains "bunnys") or (http.user_agent contains "butterfly") or (http.user_agent contains "careerbot") or (http.user_agent contains "casper") or (http.user_agent contains "checkpriv") or (http.user_agent contains "cheesebot") or (http.user_agent contains "chinaclaw") or (http.user_agent contains "choppy") or (http.user_agent contains "cmsworld") or (http.user_agent contains "copyrightcheck") or (http.user_agent contains "datacha") or (http.user_agent contains "demon") or (http.user_agent contains "discobot") or (http.user_agent contains "dotbot") or (http.user_agent contains "dotnetdotcom") or (http.user_agent contains "dumbot") or (http.user_agent contains "emailcollector") or (http.user_agent contains "emailsiphon") or (http.user_agent contains "emailwolf") or (http.user_agent contains "exabot") or (http.user_agent contains "extract") or (http.user_agent contains "eyenetie") or (http.user_agent contains "feedfinder") or (http.user_agent contains "flaming") or (http.user_agent contains "foobot") or (http.user_agent contains "g00g1e") or (http.user_agent contains "gigabot") or (http.user_agent contains "go-ahead-got") or (http.user_agent contains "gozilla") or (http.user_agent contains "grabnet") or (http.user_agent contains "harvest") or (http.user_agent contains "httrack") or (http.user_agent contains "jetbot") or (http.user_agent contains "jikespider") or (http.user_agent contains "kmccrew") or (http.user_agent eq "leechftp") or (http.user_agent contains "linkextractor") or (http.user_agent contains "linkscan") or (http.user_agent contains "linkwalker") or (http.user_agent contains "loader") or (http.user_agent contains "masscan") or (http.user_agent contains "miner") or (http.user_agent contains "majestic") or (http.user_agent contains "mechanize") or (http.user_agent contains "netmechanic") or (http.user_agent contains "netspider") or (http.user_agent contains "ninja") or (http.user_agent contains "octopus") or (http.user_agent contains "pagegrabber") or (http.user_agent contains "planetwork") or (http.user_agent contains "postrank") or (http.user_agent contains "proximic") or (http.user_agent contains "purebot") or (http.user_agent contains "pycurl") or (http.user_agent contains "python") or (http.user_agent contains "queryn") or (http.user_agent contains "queryseeker") or (http.user_agent contains "radiation") or (http.user_agent contains "realdownload") or (http.user_agent contains "rogerbot") or (http.user_agent contains "scooter") or (http.user_agent contains "seekerspider") or (http.user_agent contains "siclab") or (http.user_agent contains "sindice") or (http.user_agent contains "sitebot") or (http.user_agent contains "siteexplorer") or (http.user_agent contains "sitesnagger") or (http.user_agent contains "smartdownload") or (http.user_agent contains "sosospider") or (http.user_agent contains "spankbot") or (http.user_agent contains "spbot") or (http.user_agent contains "sqlmap") or (http.user_agent contains "stackrambler") or (http.user_agent contains "stripper") or (http.user_agent contains "sucker") or (http.user_agent contains "suzukacz") or (http.user_agent contains "suzuran") or (http.user_agent contains "teleport") or (http.user_agent contains "telesoft") or (http.user_agent contains "true_robots") or (http.user_agent contains "turingos") or (http.user_agent contains "vampire") or (http.user_agent contains "webwhacker") or (http.user_agent contains "woxbot") or (http.user_agent contains "xaldon") or (http.user_agent contains "yamanalab") or (http.user_agent contains "zmeu")

==============================================================================

3. Block No-Referer Requests to Plugins

(http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "YOUR URL" and not cf.client.bot)

WordPress sites can get hacked if you have insecure plugins. You can also create a firewall rule blocking direct access to /wp-content/plugins/.

You do get some requests which come through your website; legitimate ones have your URL as the HTTP referer and should be allowed. You may also want to allow known good bots (such as the Google crawler) just in case they try to index something, such as an image, inside your plugins folder.

=============================================================================

4. Reduce Spam by Blocking Direct Requests to wp-comments-post.php

(http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "YOUR URL")

This will leave you with one extra Rule which you can share with us if you want.

Any issue please let us know :stuck_out_tongue:

Guide for extra Protection
Web Firewall Protection

You’re blocking everything in the “themes” directory? I think that would break quite a few things on my sites. And blocking anything that’s not admin-ajax or not theme-editor?

Are you sure that rule isn’t doing any damage?


I'm pretty sure that your user agent blocking is doing nothing. It is not like Firewall Rules, and it is reading that entire list as a single string. It is designed for blocking specific user agents and not bulk ones.


The rule is blocking outside the UK for sure; since I'm in the UK, I don't see any damage to the website.

It's blocking that for sure, so it's using user_agent?

Is there a way to allow Google and Bing bots for this setup?

Building off what @sdayman said:

Your Block Path rule is going to block all requests that don’t contain either /wp-admin/admin-ajax.php or /wp-admin/theme-editor.php which is what we are seeing in the screenshot.


Is that a good thing or bad?

Just to let you know, it is going through that list.

Looking at your rule again: how well does your site load, including the admin section? It seems to me that the rule would cause everything to be blocked.

Having (http.request.uri.path contains ".php") and (not http.request.uri.path contains "/wp-admin/admin-ajax.php") seems like it would always evaluate to true, causing the block.

What you are seeing in the screenshot is that the bot's request is blocked by the firewall rule Block Path and not through user agent blocking.


This is what you would see if it was user agent blocking. Running curl -A "Block Me Cloudflare!" https://www.cyberjake.xyz

With a rule of:

Generates


Everything is loading fine, no problem.

Is this a good website to follow for Cloudflare settings?

In the above I was only allowing UK IPs to access the website.


I would go with the below approach for a Free Cloudflare user, which has got 5 rules; for example it would look like this:

  1. to allow only my IP or server IP in some cases, and some other related stuff (if using an mta-sts sub-domain and that for e-mail)
  2. to block WordPress related things (block requests to upgrade.php with the exception of my own country so I could upgrade my WordPress regularly - I block all, but challenge my country in the 3rd one and have a challenge possible for anything else) for its wp files, xmlrpc, wp-config, wlwmanifest, autodiscover, WP JSON path, Tor browser, HTTP/1.0 version, lost password query part of wp-login.php, etc., and cPanel (or some other) things like blocking all ports except 80 and 443
  3. to challenge the request to upgrade.php for WordPress for each request (including my country) trying to open it (protecting from the wpscan possibility to figure out which WP version I am running, either with removed query strings or the wp generator meta tag)
  4. to block requests to wp-cron.php except from my server IP and also any other .php file in any of the /wp-content/ directories, and also to block user-agents (crawlers, bad bots etc.),
  5. to block file access by type (sql, gz, bak, .htaccess, etc.) including SQL injection protection (if URLs contain parts like DROP, SELECT, UNION, base64, etc.), passwd etc. probes, license.txt and readme.txt files (most plugins have them) and similar

May I suggest looking into my below post as it contains a lot of examples and external links for Firewall Rules on Cloudflare to protect WordPress at least for a bit:

Otherwise, I would choose Pro plan and enable Managed WAF Rules, tune a bit and have less worry about it :wink:

The idea was to have a guide for the rest of the users as well that are on WordPress.
I'm looking for someone on Cloudflare to break this down with code.

Firewall Rule:
1.
2.
3.
4.
5.

IP Access Rules

User-Agent Blocking

I'm nowhere near a computer/web security expert; I'm sure a lot of them are not.

I like that too.

I bet there cannot be a general rule of thumb to follow for all the same, but some sort of scheme from my previous post works for me, at least for the approx. 65 WordPress websites (not only WordPress) which I host.

I cannot guarantee I would do it for free. Furthermore, there are resources which contain Firewall expressions which we can actually use and combine into a single Firewall Rule.

Depends. I have 400+ blocked AS numbers, again, which may not be good for someone else.

Kindly check my linked post; it contains two or three other posts (different topics) on the User-agent blocking list and also the AS number lists, from other users who posted them originally (just sharing their great effort further).

OK, I updated the top content with what I have so far.

Remove all your rules and combine them into 1 rule; that will keep your options for other rules open.

WP Protection & NO-REFERER Plugin Block
(http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/inc/") or (http.request.uri.path contains "/admin/") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php") or (http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "YOUR-DOMAIN" and not cf.client.bot)
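The expressions in this thread (the guide's login-protection, no-referer plugin and comment-POST rules, the user-agent list, the "allow only my IP first" scheme, and the single combined rule above) only run at Cloudflare's edge, so it is hard to see on paper what each one lets through. The Python below is an added example, not code from this thread or from Cloudflare: it restates those expressions as predicates and evaluates them over constructed requests. It assumes example.com as the site, TEST-NET addresses for the visitor and the admin, and models cf.client.bot as a plain boolean and rule order as first-match-wins (in Cloudflare's Firewall Rules an Allow match exempts the request from the rules after it). It also shows one caveat of the user-agent list: the `contains` operator is case-sensitive, so `http.user_agent contains "python"` does not match `Python-urllib/3.10`; `lower(http.user_agent) contains "python"` does.

```python
"""Offline evaluator for the Cloudflare-style Firewall Rule expressions in this thread.
Added example; the site, IPs and sample requests are constructed, not real traffic."""
from dataclasses import dataclass

SITE = "example.com"        # assumed domain, stands in for "YOUR URL" / "YOUR-DOMAIN"
MY_IP = "203.0.113.7"       # assumed admin IP (TEST-NET-3)


@dataclass
class Request:
    """Only the request fields the thread's expressions look at."""
    path: str                     # http.request.uri.path
    method: str = "GET"           # http.request.method
    referer: str = ""             # http.referer
    user_agent: str = ""          # http.user_agent
    src_ip: str = "198.51.100.9"  # ip.src (TEST-NET-2, constructed visitor)
    known_bot: bool = False       # cf.client.bot (verified crawler, e.g. Googlebot)


# Guide rule 1: any path containing /wp-login.php, /xmlrpc.php or /wp-admin/
# (the admin-ajax.php and theme-editor.php clauses are subsumed by "/wp-admin/")
def login_protection(r):
    return any(s in r.path for s in ("/wp-login.php", "/xmlrpc.php", "/wp-admin/"))


# Guide rule 3: plugin path, referer is not our site, and not a verified bot
def plugins_no_referer(r):
    return ("/wp-content/plugins/" in r.path
            and SITE not in r.referer
            and not r.known_bot)


# Guide rule 4: direct POST to wp-comments-post.php without our site as referer
def direct_comment_post(r):
    return (r.path == "/wp-comments-post.php"
            and r.method == "POST"
            and SITE not in r.referer)


# Combined rule: like rule 1 plus /inc/ and /admin/, but admin-ajax.php and
# theme-editor.php are carved out of the /wp-admin/ match; plugin clause reused.
def combined_rule(r):
    p = r.path
    admin_hit = ("/wp-admin/" in p
                 and "/wp-admin/admin-ajax.php" not in p
                 and "/wp-admin/theme-editor.php" not in p)
    return (any(s in p for s in ("/xmlrpc.php", "/inc/", "/admin/", "/wp-login.php"))
            or admin_hit
            or plugins_no_referer(r))


# A slice of the user-agent list. Cloudflare's `contains` is case-sensitive.
BAD_UA = ("ahrefs", "httrack", "masscan", "python", "sqlmap", "zmeu")


def bad_ua_as_written(r):          # http.user_agent contains "python"
    return any(s in r.user_agent for s in BAD_UA)


def bad_ua_lowered(r):             # lower(http.user_agent) contains "python"
    ua = r.user_agent.lower()
    return any(s in ua for s in BAD_UA)


def allow_my_ip(r):                # ip.src eq MY_IP, placed first as an Allow rule
    return r.src_ip == MY_IP


# Ordered list: the first matching rule decides. An Allow at the top exempts the
# admin from the block rules below it (modelling assumption: first-match-wins).
RULES = [
    ("Allow my IP", allow_my_ip, "allow"),
    ("Login protection", login_protection, "block"),
    ("Bad user agents", bad_ua_lowered, "block"),
    ("Plugins no referer", plugins_no_referer, "block"),
    ("Direct comment POST", direct_comment_post, "block"),
]


def evaluate(r, rules=RULES):
    """Return (rule name, action) of the first matching rule, or (None, 'pass')."""
    for name, pred, action in rules:
        if pred(r):
            return name, action
    return None, "pass"


if __name__ == "__main__":
    samples = [   # constructed requests
        Request("/wp-login.php", src_ip=MY_IP),
        Request("/wp-login.php"),
        Request("/wp-admin/admin-ajax.php", method="POST", referer=f"https://{SITE}/"),
        Request("/wp-content/plugins/foo/style.css", referer=f"https://{SITE}/"),
        Request("/wp-content/plugins/foo/shell.php"),
        Request("/wp-content/plugins/foo/logo.png", known_bot=True),
        Request("/wp-comments-post.php", method="POST"),
        Request("/", user_agent="Python-urllib/3.10"),
    ]
    for s in samples:
        print(f"{s.method:4} {s.path:40} -> {evaluate(s)}  combined_rule={combined_rule(s)}")
```

Running it prints one verdict per sample. Two things stand out: the guide's rule 1 matches a front-end POST to /wp-admin/admin-ajax.php (which themes and plugins use for AJAX) because the path contains "/wp-admin/", whereas the combined rule carves it out; and the user-agent list as written misses "Python-urllib/3.10" until the field is wrapped in lower().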

Then how else will we know what's blocking, and on what path?
Once I find more options for the list, I'll update it…

Because it will show the URL / file that triggered it. And after a while you don't care nor look at it anymore; you just know that it will block. Now you have a max of 5 firewall rules in use and are limiting yourself massively.

Login Protection + Content Protection joined for extra Rule.

Does anyone know if this list will work under

User-Agent Blocking

(http.user_agent contains "360Spider") or (http.user_agent contains "acapbot") or (http.user_agent contains "acoonbot") or (http.user_agent contains "ahrefs") or (http.user_agent contains "alexibot") or (http.user_agent contains "attackbot") or (http.user_agent contains "backdorbot") or (http.user_agent contains "becomebot") or (http.user_agent contains "blackwidow") or (http.user_agent contains "blekkobot") or (http.user_agent contains "blowfish") or (http.user_agent contains "bullseye") or (http.user_agent contains "bunnys") or (http.user_agent contains "butterfly") or (http.user_agent contains "careerbot") or (http.user_agent contains "casper") or (http.user_agent contains "checkpriv") or (http.user_agent contains "cheesebot") or (http.user_agent contains "chinaclaw") or (http.user_agent contains "choppy") or (http.user_agent contains "cmsworld") or (http.user_agent contains "copyrightcheck") or (http.user_agent contains "datacha") or (http.user_agent contains "demon") or (http.user_agent contains "discobot") or (http.user_agent contains "dotbot") or (http.user_agent contains "dotnetdotcom") or (http.user_agent contains "dumbot") or (http.user_agent contains "emailcollector") or (http.user_agent contains "emailsiphon") or (http.user_agent contains "emailwolf") or (http.user_agent contains "exabot") or (http.user_agent contains "extract") or (http.user_agent contains "eyenetie") or (http.user_agent contains "feedfinder") or (http.user_agent contains "flaming") or (http.user_agent contains "foobot") or (http.user_agent contains "g00g1e") or (http.user_agent contains "gigabot") or (http.user_agent contains "go-ahead-got") or (http.user_agent contains "gozilla") or (http.user_agent contains "grabnet") or (http.user_agent contains "harvest") or (http.user_agent contains "httrack") or (http.user_agent contains "jetbot") or (http.user_agent contains "jikespider") or (http.user_agent contains "kmccrew") or (http.user_agent eq "leechftp") or (http.user_agent contains "linkextractor") or (http.user_agent contains "linkscan") or (http.user_agent contains "linkwalker") or (http.user_agent contains "loader") or (http.user_agent contains "masscan") or (http.user_agent contains "miner") or (http.user_agent contains "majestic") or (http.user_agent contains "mechanize") or (http.user_agent contains "netmechanic") or (http.user_agent contains "netspider") or (http.user_agent contains "ninja") or (http.user_agent contains "octopus") or (http.user_agent contains "pagegrabber") or (http.user_agent contains "planetwork") or (http.user_agent contains "postrank") or (http.user_agent contains "proximic") or (http.user_agent contains "purebot") or (http.user_agent contains "pycurl") or (http.user_agent contains "python") or (http.user_agent contains "queryn") or (http.user_agent contains "queryseeker") or (http.user_agent contains "radiation") or (http.user_agent contains "realdownload") or (http.user_agent contains "rogerbot") or (http.user_agent contains "scooter") or (http.user_agent contains "seekerspider") or (http.user_agent contains "siclab") or (http.user_agent contains "sindice") or (http.user_agent contains "sitebot") or (http.user_agent contains "siteexplorer") or (http.user_agent contains "sitesnagger") or (http.user_agent contains "smartdownload") or (http.user_agent contains "sosospider") or (http.user_agent contains "spankbot") or (http.user_agent contains "spbot") or (http.user_agent contains "sqlmap") or (http.user_agent contains "stackrambler") or (http.user_agent contains "stripper") or (http.user_agent contains "sucker") or (http.user_agent contains "suzukacz") or (http.user_agent contains "suzuran") or (http.user_agent contains "teleport") or (http.user_agent contains "telesoft") or (http.user_agent contains "true_robots") or (http.user_agent contains "turingos") or (http.user_agent contains "vampire") or (http.user_agent contains "webwhacker") or (http.user_agent contains "woxbot") or (http.user_agent contains "xaldon") or (http.user_agent contains "yamanalab") or (http.user_agent contains "zmeu")