What Request to Block in Firewall for Wordpress and Normalize URLs

I have been beta testing blocking request (head, options, etc, but not get and post) and it seems to be going well with no downside. I have also been trying out normalizing the URLs to the origin and see no issues. If anyone has recommendations on the changes especially in Wordpress, I would definitely appreciate it and want to know before going live on all of my websites.

That is a good question out there.

I would say it cannot be stated as a general rule of thumb, as far as some WordPress websites do not have to use like POST or PUT (WP REST API, wp-json, plugins etc.), while other have to - just an example.

You could try to block TRACE & TRACK for example.

Or, if you could for example, limit HEAD, GET and POST for some specific IP or some similar scenario, where you protect your Website from bad bots, possible attacks, etc. in terms of security measurements.

Furthermore, for better security, HTTP/1.0 too as follows on some useful #tutorials here:

Or by using :search: :

If I may add here as a really good reference for further cases in terms of security and protection with Cloudflare:

Helpful articles about URL Normalization (just in case):

Regarding WordPress Firewall Rules & Security, may I suggest:

To your existing Firewall Rule if you want to block HTTP requests to the WordPress XML-RPC (usually known for DDoS, etc.):

  • (http.request.uri.path contains "xmlrpc.php")

Nevertheless, consider blocking some of the known “bad user-agents”, “crawlers” or “bad ASNs” using below posts:

Last but not the least, kindly see more by reading Cloudflare articles which contain a lot of helpful information for better understanding and usage as well in terms of Security and Protection:


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.