I was hoping some could let me know seeig I am using Cloudflare pro and I have access to the zonelock down.
Would it be better just to add. (based on recommended wordpress security for Cloudflare WAF users to add these to my zonelock rules (already locked down to my IP) or use the avalible Cloudflare rules
/wp-includes
/wp-content
Better to add to zone lock down or use rules ?
Also., When trying this simple basic rule. It breaks all the images on my site A few other people I know are using this exact rule without issues
There is not really a “better” as they both have a very similar purpose.
Lockdown rules have been around for a bit longer than firewall rules and you have three of them on a Pro plan. Firewall rules are newer and you can configure up to 20 on Pro. But as I mentioned, they are very similar with the difference that lockdown rules focus exclusively on paths and IP addresses, whereas firewall rules are a lot more flexible as you have an entire expression language where you can configure more complex scenarios. That may also make lockdown rules easier to configure in the UI.
If you haven’t used up all your firewall rules, it really does not matter and you can configure a firewall rule, otherwise you may want to use lockdown rules.
As for the example you provided, that is solely blocking based on the path, so that would not be related to lockdown rules in the first place. If it blocks too much you best take a look at the firewall event log to find out which requests were blocked and adjust your rule accordingly, in order not to block these paths.
