I have been hunting down which should be the recommended WordPress directories to block/restrict to my IP only via Cloudflare rules.
I am aware of blocking paths such as /wp-admin and /wp-login.php; however, due to my low knowledge, even though I am aware of the directories, I am not sure if blocking some of the others could stop things working or cause other issues. So I would like to ask if it is also safe to block the following via page rules, and if there are others recommended that I should add also:
/wp-content/plugins/
/wp-content/uploads/
/wp-comments-post.php ??? I don't have comments on my site
/wp-content/themes/ ??
/wp-includes/
/wp-content/
/wp-activate.php
/wp-register.php
wp-*.php files ???
Should I add my own hosting server IP to allow for these files when blocking all others?
Anything that is not related to your normal page load. Administrative URLs, for example; /wp-content, on the other hand, will also be used by regular visitors.
However, being about WordPress and not Cloudflare, that’s a question better for a WordPress forum than here, I am afraid.
In the context of Cloudflare, you can block such requests with (http.request.uri.path in {""}) or also a list of contains. You need to exclude your own address - or even better use Cloudflare Lockdown or Access.
Your server should generally not send any requests to itself, even less so via the proxies. But if it does so, you will certainly have to allowlist that address as well, should that be a blocked address.
But those are really all very WordPress-specific questions and should be addressed in a WordPress forum, as they’d unfortunately be off-topic for the forum here.
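An added example, not part of the original thread: a small Python helper that builds a block expression of the kind described above (an `in {…}` list plus `contains`, excluding your own address) and models it locally so a path list can be checked before deploying. The allowlisted IP is a constructed documentation address, and the admin-ajax.php exemption is an assumption about themes or plugins that call that endpoint from public pages.

```python
import ipaddress

# Paths taken from the question; which ones to block is the site owner's choice.
EXACT = ["/wp-login.php", "/wp-activate.php", "/wp-register.php"]
SUBSTR = ["/wp-admin/"]
# Assumption: some themes/plugins call this endpoint from public pages.
EXEMPT = ["/wp-admin/admin-ajax.php"]
ALLOWED_IPS = ["203.0.113.10"]  # constructed address, replace with your own


def build_expression(exact, substr, exempt, allowed_ips):
    """Return a Cloudflare rule expression meant for a Block action."""
    quoted = " ".join(f'"{p}"' for p in exact)
    parts = [f"http.request.uri.path in {{{quoted}}}"]
    parts += [f'http.request.uri.path contains "{s}"' for s in substr]
    expr = "(" + " or ".join(parts) + ")"
    if exempt:
        ex = " ".join(f'"{p}"' for p in exempt)
        expr += f" and not http.request.uri.path in {{{ex}}}"
    return expr + " and not ip.src in {" + " ".join(allowed_ips) + "}"


def would_block(path, src_ip, exact=EXACT, substr=SUBSTR,
                exempt=EXEMPT, allowed_ips=ALLOWED_IPS):
    """Local model of the same logic: True if the request would be blocked."""
    nets = [ipaddress.ip_network(a) for a in allowed_ips]
    if any(ipaddress.ip_address(src_ip) in n for n in nets):
        return False  # your own address is never blocked
    if path in exempt:
        return False  # endpoint that public pages may still need
    return path in exact or any(s in path for s in substr)


if __name__ == "__main__":
    print(build_expression(EXACT, SUBSTR, EXEMPT, ALLOWED_IPS))
    # Constructed sample requests: (path, source IP)
    for path, ip in [
        ("/wp-login.php", "198.51.100.7"),
        ("/wp-login.php", "203.0.113.10"),
        ("/wp-content/uploads/2024/01/logo.png", "198.51.100.7"),
        ("/wp-admin/options.php", "198.51.100.7"),
    ]:
        print(f"{ip:15} {path:40} blocked={would_block(path, ip)}")
```

Adding `/wp-content/` to `SUBSTR` and rerunning shows the visitor request for the uploaded image flipping to blocked, which is the breakage the reply warns about.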