WordPress lockdown rules broke site


I found some information on a website in regards to locking down WordPress. I used the following guide and it totally broke my website. I was hoping someone can confirm if this information is correct or maybe outdated?

FYI, I did not use the suggested expression below. I did it manually, as suggested in the image above.

(http.request.uri eq "/xmlrpc.php") or (http.request.uri.path contains "/wp-content/" and not http.referer contains "yourwebsitehere.com") or (http.request.uri.path contains "/wp-includes/" and not http.referer contains "yourwebsitehere.com")

Referrer blocks are rarely a good idea. Clients are not obliged to send a referrer and, if they don't, your rule will block those requests. You should probably include an empty referrer in your expression as well. This all assumes yourwebsitehere.com is your actual domain.

What exactly do you want to achieve here?


I am just trying to harden WordPress with the suggested WAF rules.

I was following this guide I found:

[Cloudflare Firewall Rules for Securing WordPress Websites | GridPane](https://gridpane.com/blog/Cloudflare-firewall-rules-for-securing-wordpress-websites/)

It seems to be working okay and I can already see blocks. Have I done something totally wrong here?

I ended up using the suggested expression:

(http.request.uri eq "/xmlrpc.php") or (http.request.uri.path contains "/wp-content/" and not http.referer contains "yourwebsitehere.com") or (http.request.uri.path contains "/wp-includes/" and not http.referer contains "yourwebsitehere.com")

Can you perhaps advise how this expression is done correctly, if I have done it wrong and the guide I followed is incorrect?

I have tested from external IPs etc. and things seem to be okay. I have very little knowledge of these things, so I can only follow recommended guides. However, your response now has me doubting, and I wonder whether I have done the wrong thing.

I would advise against following random blogs out there, as they often provide incorrect information. Such as here: this rule will block all requests which do not contain a referrer.

It’s best to familiarise yourself with Cloudflare’s rule engine - Ruleset Engine · Cloudflare Ruleset Engine docs - and then set up the rules you need for your particular setup. Your network administrator should be able to advise you here further.

Again, as for this particular expression, you may want to allow empty referrers as well. But overall it really depends on what you want to achieve, and "hardening WordPress" is way too broad, I am afraid.

Best thing really is to get to know how firewall rules work and apply that knowledge then.


I am just trying to protect both the /wp-includes and /wp-content directories, as many suggest you should do.

I am not sure what you mean by empty referrer. And I don't have a dev or sec pro. I am on my own.

Could you maybe suggest how the expression should be done correctly so I can copy and paste it ?

I understand, that’s why it is a particularly good opportunity to learn more about it, which is why I provided the link to the documentation.

Checking for an empty field is, for example, done via `field eq ""`, or `field ne ""` if you want to check the other way round.

So, again, please check out the documentation and try to learn as much as you can about it. Then if there is a concrete expression where you have difficulties, we can definitely discuss that.


I am a journo; I don't really have time to learn highly complex security and firewall rules.

I only ask if someone could provide and assist me with the correct expression to protect these two recommended paths. Of course I have checked much of the documentation without yielding results on how to specifically protect these two paths.

Thanks anyway

That’s absolutely fair and in that case it will be best to hire a professional to do that.

You wrote you have tried a couple of things to adjust the expression. Can you post what you have tried, or how you integrated what I suggested earlier?

I would also suggest to check out https://community.cloudflare.com/search?q=[FirewallTip]%20in%3Atitle%20%23tutorials%20%40sandro as that may also have examples which you could use for your use case, but keep in mind you need to adjust them.

So my suggestion would be you post a screenshot of what exactly you have configured, including the mentioned adjustments, and explain how exactly it stopped your site from working. Based on that we can probably provide further advice.


I just wanted to know what the correct WAF expression was to protect those two directories using Cloudflare, seeing as this is a Cloudflare rule.

My personal IP is whitelisted in the access rules. So it would have been to make sure they were locked down to prevent abuse, as many people suggest.

But thanks for all the help. I will do what you suggest, as in asking someone else outside Cloudflare about the correct Cloudflare setting.

All the best

I am afraid there is no single correct rule; it really all depends on your particular use case, hence my original question.

The rules generally look all right, except for the empty referrer, which I addressed. Still, referrer-based rules are generally not necessarily stable rules.


I appreciate your suggestion. I really do, and thanks for the time you took to explain that. However, due to my limited knowledge and understanding of manually writing expressions, and my failure to find what you suggested on Cloudflare's help pages, I only hoped someone might have simply corrected the expression I have used according to what you recommended.

I'll find someone to help me understand how to rewrite that expression according to your recommendation.

How to include: "best include an empty referrer in your expression as well."


Sure thing, no worries :+1:

Should you have any other Cloudflare-specific question, please feel free to ask, but also please use the search, as most things have already been discussed and can easily be found via the search. The documentation is also a vast pool of information on most topics - https://developers.cloudflare.com

#tutorial also has lots of information.

Only other thing: WordPress-related questions should really go to a WordPress forum, as the forum here is for topics related directly to Cloudflare. Thanks.