Wordpress Security Protection Firewall Recommended Settings

Ok. The main reason I’m starting this is that I feel like there is a need for it. (I apologize if someone already started this.) And I’m just learning about this.
I’m the type of guy who likes to see what Cloudflare has to offer in terms of firewall for FREE users. Because I’ve been using ESET Smart Security in advanced mode, I like the idea of seeing what’s going in and out when it comes to a computer firewall.

=========================================================================

FREE SSL/TLS FULL (Strict)

SSL/TLS certificates (they are both the same) serve two purposes – they encrypt information that is sent over the internet and they provide identity assurance, both of which help online consumers to positively identify and trust websites that are safe to transact with.

You have a choice here to go with FULL or FULL (Strict). Please check your website, as we found out some are having problems when they go with FULL (Strict).

=========================================================================

PCI Data Security Standard (PCI DSS) version 3.2 replaces version 3.1 to address growing threats to customer payment information. Companies that accept, process or receive payments should adopt it as soon as possible to prevent, detect and respond to cyberattacks that can lead to breaches.
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Resource_Guide_(003).pdf

Any higher than 1.2 and you don’t get indexed by the Bing search engine.

=========================================================================

We understand that tightening the security for WordPress might increase response time.

Argo Tiered Cache will lower that response time.

=========================================================================

Scrape Shield

Protect content on your site

HotLink Protection (does not support next-gen images yet)
If you are on SiteGround you can do this.

OR

Edit the .htaccess file and add this:

RewriteEngine on
# Optional: let requests with no referer through (direct visits, browsers that strip the referer); remove this line to block them too
RewriteCond %{HTTP_REFERER} !^$
# Allow your own site over http or https, with or without www
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com(/|$) [NC]
# Deny (403) image requests that reach this point; the dot before the extension must be escaped
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|webp)$ - [F,NC]

Replace **domain.com** with your actual domain name.

=========================================================================

WordPress Security Plugins

WordPress Security (Standard for Hosting Providers)

Since I’m using SiteGround, if you have any other hosting providers that do the same, let us know.
They have the Standard Security laid out here:


This is the SiteGround plugin firewall that works out of the box; you still need to enable the options that suit your site.

I will go over some here as well.

Custom Login URL

This works wonders because attackers often try exploits on /wp-admin as a default login URL for WordPress. Change it to avoid these attacks and have an easily memorable login URL.

Login Access

Currently, your WordPress login can be accessed by any IP. You can limit access to specific IPs or a range of IPs in order to prevent brute-force attacks or malicious login attempts. (You can add it here or in Cloudflare: restrict access to one IP so that ONLY you can use it.)

Two-factor Authentication for Admin & Editors Users

Two-factor authentication forces admin users to log in only after providing a token, generated from the Google Authenticator application. When you enable this option, all admin & editor users will be asked to configure their two-factor authentication in the Authenticator app on their next login.

Disable Common Usernames

Using common usernames like ‘admin’ is a security threat that often results in unauthorised access. By enabling this option we will disable the creation of common usernames and if you already have one or more users with a weak username, we’ll ask you to provide a new one(s).

Limit Login Attempts

Limit the number of times a given user can attempt to log in to your wp-admin with incorrect credentials. Once the login attempt limit is reached, the IP from which the attempts have originated will be blocked first for 1 hour. If the attempts continue after the first hour, the limit will then be triggered for 24 hours and then for 7 days.

=========================================================================

We believe that the hosting provider should also back you up when it comes to WordPress security.

This is for those that just want to add code.

Disable the WordPress plugin and theme editor with just a line of code:

In the WordPress root directory, /public_html/, search for the WordPress wp-config.php file.
Once you’ve found the file, open it for editing and add the below code right before this line:
/* That's all, stop editing! Happy blogging. */

define( 'DISALLOW_FILE_EDIT', true );

Save the file and that’s it! The WordPress plugin and theme editor will be disabled.

Do You Need XML-RPC?

The file serves three primary functions:

  1. WordPress App – If you use the WordPress app on your mobile device to post to your site, you need XML-RPC. The app uses this function to communicate to your WordPress website by making a remote connection.

  2. Trackbacks and pingbacks – When you publish content, if you have provided a link to another blog or a website, this feature will alert the other website that you’ve linked to them. Trackbacks are created manually while pingbacks are automated. If you use these options, you need access to the xmlrpc.php file to be enabled.

  3. JetPack plugin – Jetpack is a popular plugin that is used by over 5 million WordPress sites. It offers services related to security, performance and site management. It uses XML-RPC to communicate with WordPress.com. If you’re a subscriber of JetPack, you need XML-RPC enabled.

Disable XML-RPC with code:

Sitemap File Manager:
If your website has a .htaccess file but you can’t see it, visit settings and click on ‘show hidden files.’
If your website doesn’t have a .htaccess file, you can create one.
Your website’s folders should be under the folder named ‘public_html’.
Search for the ‘.htaccess’ file here, then open it by right-clicking and choosing ‘Edit’.
Paste the following code that disables XML-RPC into this file:

# Block WordPress xmlrpc.php requests
# (Apache 2.2-style access directives; Apache 2.4 needs mod_access_compat for these)
<Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
</Files>

If you would like to retain XML-RPC from a particular IP, replace ‘xxx.xxx.xxx.xxx’ with your IP address. Otherwise, you can simply delete this line.

Save and close the file.

=========================================================================

WP Rocket IP Allow List

WP Rocket is a WordPress caching plugin that is used around the globe. These are the IPs that need to be added to work well with Cloudflare.

License Validation/activation, Update Check, Plugin information:

146.59.192.120
https://wp-rocket.me

Load CSS Asynchronously

109.234.160.58
51.83.15.135
51.210.39.196
https://cpcss.wp-rocket.me/api/job/

Remove Unused CSS

135.125.83.227
https://central-saas.wp-rocket.me/

RocketCDN Subscription

146.59.251.59
https://rocketcdn.me/api/

If any of those settings are wrong, please let us know.

=========================================================================

Security Headers

This should give you an A+ at https://securityheaders.com

If it does, comment below with your image :+1: :stuck_out_tongue:

You can edit this via .htaccess and add this

<IfModule mod_headers.c>
    # Values with spaces or semicolons must be quoted, and header names take no trailing colon
    # (add "always" after "Header" to set these on error responses as well)
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Content-Security-Policy "upgrade-insecure-requests;"
    Header set Permissions-Policy "interest-cohort=()"
</IfModule>

The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site’s insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS).

=========================================================================

Rules > Transform Rules

HTTP Response Header Modification rule

Header name = Value (entered literally, without quotes or a trailing colon on the name)

Strict-Transport-Security = max-age=31536000; includeSubDomains
X-XSS-Protection = 1; mode=block
X-Content-Type-Options = nosniff
X-Frame-Options = SAMEORIGIN
Referrer-Policy = strict-origin-when-cross-origin
Content-Security-Policy = upgrade-insecure-requests;
Permissions-Policy = interest-cohort=()
Remove = Link

If there are any more security issues, do let us know, and like and share the post :+1:
You can check if this is working at securityheaders.com

=========================================================================

Page Rule

FREE USERS

Unless someone can tell us here if there is better protection for the page rule we want to hear it from you. :stuck_out_tongue:

1. Secure The WordPress Admin And Bypass Cache

The WordPress admin settings should be combined into one page rule. This sets the Firewall Security to high and bypasses Cloudflare’s cache (the admin area should never be cached). It also disables Cloudflare apps and performance features (minify, Rocket Loader, Mirage, Polish) inside the admin since these are only used to speed up the front end of your site.

yourwebsite.com/wp-admin*

2. Decrease Bandwidth Of WP Uploads

Since items in your WordPress uploads folder do not change frequently, you don’t have to cache them as often, which saves bandwidth by setting Edge Cache TTL to a month. If you need to update certain files/directories before a month, you can purge the individual files in Cloudflare.

In this page rule and future ones in this post, the browser cache TTL is set to a day. This sets the expiration time for resources cached in a visitor’s browser, an item often shown in GTmetrix.

yourwebsite.com/wp-content/uploads*

3. Stop Bots From Collecting Your Email

This page rule enables email obfuscation on your contact page which hides your email address from bots (so they don’t send you spam). The email address will still be visible to humans. You should enable email obfuscation on any page that contains your email address to prevent spam, or turn it on globally in Cloudflare’s Scrape Shield settings. You can change this to be any page.

yourwebsite.com/contact

=========================================================================

Since this is a web-based firewall, these are the settings I have for the Cloudflare firewall:

IP Access Rules:

Tighten your security so only you can access WordPress:

  • Whitelist your exact IP address. (if your ISP grants you a static IP)

  • If your IP changes (you will need to re-enter it or you get locked out of your WordPress admin area).

  • Whitelist your ISP’s entire IP range. (Good choice if you have a dynamic IP.)

  • Whitelist your country. (Won’t protect attacks in your own country.)

(If anyone can help with the IP range as I haven’t tried this yet 198.105.244.130)

=========================================================================

Firewall Rules Updated 26/12/21

Guide to 4 Rules

=========================================================================

1. Protect the wp-admin Area

(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-admin/") or (http.request.uri.path contains "/wp-admin/admin-ajax.php") or (http.request.uri.path contains "/wp-admin/theme-editor.php")

xmlrpc.php is a common attack target. XML-RPC has legitimate uses, such as blogging from a smartphone or posting content to multiple WordPress sites at once.

If you have CP for your website with a firewall, you will notice IPs from all over the world trying to access your wp-login.php file. You will be protected by this rule.

=============================================================================

2. Bots (Still looking for the best rule for this leave a comment below if you know any)

I would like to thank the users that made this possible:
fritex, Rocky.sy, sdayman and all the rest I haven’t added.

(lower(http.user_agent) contains "bot" and not cf.client.bot and not http.user_agent contains "Googlebot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Slurp" and not http.user_agent contains "DuckDuckBot")

This allows only

the Google, Bing, Yahoo and DuckDuckGo search engines.

=============================================================================
You can choose to use this list below:

(http.user_agent contains "360Spider") or (http.user_agent contains "acapbot") or (http.user_agent contains "acoonbot") or (http.user_agent contains "ahrefs") or (http.user_agent contains "alexibot") or (http.user_agent contains "attackbot") or (http.user_agent contains "backdorbot") or (http.user_agent contains "becomebot") or (http.user_agent contains "blackwidow") or (http.user_agent contains "blekkobot") or (http.user_agent contains "blowfish") or (http.user_agent contains "bullseye") or (http.user_agent contains "bunnys") or (http.user_agent contains "butterfly") or (http.user_agent contains "careerbot") or (http.user_agent contains "casper") or (http.user_agent contains "checkpriv") or (http.user_agent contains "cheesebot") or (http.user_agent contains "chinaclaw") or (http.user_agent contains "choppy") or (http.user_agent contains "cmsworld") or (http.user_agent contains "copyrightcheck") or (http.user_agent contains "datacha") or (http.user_agent contains "demon") or (http.user_agent contains "discobot") or (http.user_agent contains "dotbot") or (http.user_agent contains "dotnetdotcom") or (http.user_agent contains "dumbot") or (http.user_agent contains "emailcollector") or (http.user_agent contains "emailsiphon") or (http.user_agent contains "emailwolf") or (http.user_agent contains "exabot") or (http.user_agent contains "extract") or (http.user_agent contains "eyenetie") or (http.user_agent contains "feedfinder") or (http.user_agent contains "flaming") or (http.user_agent contains "foobot") or (http.user_agent contains "g00g1e") or (http.user_agent contains "gigabot") or (http.user_agent contains "go-ahead-got") or (http.user_agent contains "gozilla") or (http.user_agent contains "grabnet") or (http.user_agent contains "harvest") or (http.user_agent contains "httrack") or (http.user_agent contains "jetbot") or (http.user_agent contains "jikespider") or (http.user_agent contains "kmccrew") or (http.user_agent eq "leechftp") or (http.user_agent contains "linkextractor") or (http.user_agent contains "linkscan") or (http.user_agent contains "linkwalker") or (http.user_agent contains "loader") or (http.user_agent contains "masscan") or (http.user_agent contains "miner") or (http.user_agent contains "majestic") or (http.user_agent contains "mechanize") or (http.user_agent contains "netmechanic") or (http.user_agent contains "netspider") or (http.user_agent contains "ninja") or (http.user_agent contains "octopus") or (http.user_agent contains "pagegrabber") or (http.user_agent contains "planetwork") or (http.user_agent contains "postrank") or (http.user_agent contains "proximic") or (http.user_agent contains "purebot") or (http.user_agent contains "pycurl") or (http.user_agent contains "python") or (http.user_agent contains "queryn") or (http.user_agent contains "queryseeker") or (http.user_agent contains "radiation") or (http.user_agent contains "realdownload") or (http.user_agent contains "rogerbot") or (http.user_agent contains "scooter") or (http.user_agent contains "seekerspider") or (http.user_agent contains "siclab") or (http.user_agent contains "sindice") or (http.user_agent contains "sitebot") or (http.user_agent contains "siteexplorer") or (http.user_agent contains "sitesnagger") or (http.user_agent contains "smartdownload") or (http.user_agent contains "sosospider") or (http.user_agent contains "spankbot") or (http.user_agent contains "spbot") or (http.user_agent contains "sqlmap") or (http.user_agent contains "stackrambler") or (http.user_agent contains "stripper") or (http.user_agent contains "sucker") or (http.user_agent contains "suzukacz") or (http.user_agent contains "suzuran") or (http.user_agent contains "teleport") or (http.user_agent contains "telesoft") or (http.user_agent contains "true_robots") or (http.user_agent contains "turingos") or (http.user_agent contains "vampire") or (http.user_agent contains "webwhacker") or (http.user_agent contains "woxbot") or (http.user_agent contains "xaldon") or (http.user_agent contains "yamanalab") or (http.user_agent contains "zmeu")

=============================================================================

3. Threat Score Challenge

(cf.threat_score ge 10)

=============================================================================

4. Threat Score Challenge Block

(cf.threat_score ge 20)

=============================================================================

5. Block No-Referer Requests to Plugins

(http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "gamingpcbundle.co.uk" and not cf.client.bot)

WordPress sites can get hacked if you have insecure plugins. You can also create a firewall rule blocking direct access to /wp-content/plugins/.

You do get some legitimate requests which come through your website with its own URL as the HTTP referer, and those should be allowed. You may also want to allow known good bots (such as the Google crawler) just in case they try to index something—such as an image—inside your plugins folder.

=============================================================================

Any issue please let us know :stuck_out_tongue:

Guide for extra Protection
Web Firewall Protection

2 Likes
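To see what the firewall rules in the post above actually match before deploying them, here is an added example (my own code, not from this thread or from Cloudflare) that evaluates the subset of the Cloudflare rules language those rules use against constructed requests. `example.com`, the sample user agents and the `BLOCK_UNKNOWN_BOTS` rule are assumptions, not taken from the thread.

```python
import re

# Tokens for the subset of the Cloudflare Rules language the thread's rules use:
# parentheses, "string" literals, integers and dotted names (fields, keywords, lower()).
TOKEN_RE = re.compile(r'\s*(?:([()])|"([^"]*)"|(\d+)|([A-Za-z_][\w.]*))')
# Comparison operators the page's rules use; "contains" is substring containment.
OPS = {"contains": lambda a, b: b in a, "eq": lambda a, b: a == b, "ge": lambda a, b: a >= b}

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:  # curly quotes pasted from a forum post end up here
            raise SyntaxError("bad token near: " + expr[pos:pos + 20])
        pos, (paren, string, num, word) = m.end(), m.groups()
        tokens.append(("paren", paren) if paren else ("str", string) if string is not None
                      else ("num", int(num)) if num else ("word", word))
    return tokens

def _or(l, r): return lambda req: l(req) or r(req)
def _and(l, r): return lambda req: l(req) and r(req)
class RuleParser:
    """Recursive descent with Cloudflare's precedence (not > and > or); builds closures."""
    def __init__(self, expr):
        self.toks = tokenize(expr)
    def peek(self):
        return self.toks[0] if self.toks else None
    def take(self, want=None):
        if not self.toks or (want and self.toks[0] != want):
            raise SyntaxError("expected %r, got %r" % (want, self.peek()))
        return self.toks.pop(0)
    def chain(self, keyword, sub, combine):  # left-associative: sub (keyword sub)*
        left = sub()
        while self.peek() == ("word", keyword):
            self.take()
            left = combine(left, sub())
        return left
    def parse_or(self): return self.chain("or", self.parse_and, _or)
    def parse_and(self): return self.chain("and", self.parse_not, _and)
    def parse_not(self):
        if self.peek() == ("word", "not"):
            self.take()
            inner = self.parse_not()
            return lambda req: not inner(req)
        left, tok = self.parse_operand(), self.peek()
        if tok is not None and tok[0] == "word" and tok[1] in OPS:
            op, right = OPS[self.take()[1]], self.parse_operand()
            return lambda req: op(left(req), right(req))
        return left  # bare boolean field (cf.client.bot) or a parenthesised expression
    def parse_operand(self):
        kind, value = self.take()
        if (kind, value) == ("paren", "("):
            inner = self.parse_or()
            self.take(("paren", ")"))
            return inner
        if kind != "word":
            return lambda req: value  # string or integer literal
        if value == "lower":  # lower(field): case-insensitive matching
            self.take(("paren", "("))
            inner = self.parse_operand()
            self.take(("paren", ")"))
            return lambda req: inner(req).lower()
        return lambda req: req[value]  # request field lookup
def compile_rule(expr):
    # Returns a predicate: True means the rule fires (block/challenge) for that request.
    parser = RuleParser(expr)
    rule = parser.parse_or()
    if parser.peek() is not None:
        raise SyntaxError("trailing tokens: %r" % (parser.toks,))
    return rule
# Constructed request carrying the fields the thread's rules read (Chrome UA by default).
def make_request(path, referer="", ua="Mozilla/5.0 (X11; Linux x86_64) Chrome/96.0",
                 verified_bot=False, threat_score=0):
    return {"http.request.uri.path": path, "http.referer": referer, "http.user_agent": ua,
            "cf.client.bot": verified_bot, "cf.threat_score": threat_score}

# Rules from the thread (admin rule shortened; the author's domain replaced by example.com).
PROTECT_ADMIN = ('(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path '
                 'contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-admin/")')
PLUGIN_NO_REFERER = ('(http.request.uri.path contains "/wp-content/plugins/" and '
                     'not http.referer contains "example.com" and not cf.client.bot)')
# Constructed bot rule: case-insensitive "bot", verified bots and two search engines exempt.
BLOCK_UNKNOWN_BOTS = ('lower(http.user_agent) contains "bot" and not cf.client.bot and not '
                      'http.user_agent contains "Googlebot" and not http.user_agent contains "bingbot"')
```

Curly quotes, as they appear when an expression has been pasted through a forum post, raise SyntaxError in the tokenizer, so paste rules back with straight quotes.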

You’re blocking everything in the “themes” directory? I think that would break quite a few things on my sites. And blocking anything that’s not admin-ajax or not theme-editor?

Are you sure that rule isn’t doing any damage?

4 Likes

I’m pretty sure that your user agent blocking is doing nothing. It is not like firewall rules, and it is reading that entire list as a single string. It is designed for blocking specific user agents and not bulk ones.

2 Likes

The rule is blocking outside the UK for sure; since I’m in the UK, I don’t see any damage to the website.

It’s blocking that for sure, so it’s using user_agent?

Is there a way to allow Google and Bing bots for this setup?

Building off what @sdayman said:

Your Block Path rule is going to block all requests that don’t contain either /wp-admin/admin-ajax.php or /wp-admin/theme-editor.php which is what we are seeing in the screenshot.

3 Likes

Is that a good thing or bad?

Just to let you know, it is going through that list.

Looking at your rule again: how well does your site load, including the admin section? It seems to me that the rule would cause everything to be blocked.

Having (http.request.uri.path contains ".php") and (not http.request.uri.path contains "/wp-admin/admin-ajax.php") seems like it would always evaluate to true, causing the block.

What you are seeing in the screenshot is that request of the bot is blocked by the firewall rule Block Path and not through user agent blocking.

1 Like

This is what you would see if it was user agent blocking. Running curl -A "Block Me Cloudflare!" https://www.cyberjake.xyz

With a rule of:

Generates

2 Likes

Everything is loading fine, no problem.

Is this a good website to follow settings for Cloudflare?

In the above I was only allowing UK IPs to access the website.

2 Likes

I would go with the below approach for a Free Cloudflare user, which has got 5 rules; for example it would look like this:

  1. to allow only my IP or server IP in some case, and some other stuff to allow related (if using mta-sts sub-domain and that for e-mail)
  2. to block WordPress related (block requests to upgrade.php with the exception of my own country so I could upgrade my WordPress regularly - I block all, but challenge my country in 3rd one and have challenge possible for anything else) for it wp files, xmlrpc, wp-config, wlwmanifest, autodiscover, WP JSON path, Tor browser, HTTP/1.0 version, lost password query part of wp-login.php, etc.) and cPanel (or some other) things like blocking all ports except 80 and 443
  3. to challenge the request to the upgrade.php for WordPress for each request (including my country) trying to open it (protecting from wpscan possibility to figure out which WP version I am running either with removed query strings and wp generator meta tag)
  4. to block requests to wp-cron.php except my server IP and also any other .php file in any of the /wp-content/ directory and also to block user-agents (crawlers, bad bots etc.),
  5. to block file access by type (sql, gz, bak, .htaccess, etc.) including SQL injection protection (if URLs contain parts like DROP, SELECT, UNION, base64, etc.), passwd and etc probes, license.txt and readme.txt files (most plugins have them) and similar

May I suggest looking into my below post as it contains a lot of examples and external links for Firewall Rules on Cloudflare to protect WordPress at least for a bit:

Otherwise, I would choose Pro plan and enable Managed WAF Rules, tune a bit and have less worry about it :wink:

1 Like

The idea was to have a guide for the rest of the users as well that are on WordPress.
I’m looking for someone on Cloudflare to break this down with code.

Firewall Rule:
1.
2.
3.
4.
5.

IP Access Rules

User-Agent Blocking

I’m nowhere near a computer/web security expert; I’m sure a lot of them are not.

1 Like

I like that too.

I bet there cannot be a general rule of thumb to follow for all the same, but some sort of a scheme from my previous post works for me at least, and for approx. 65 WordPress websites (not only WordPress) which I do host.

I cannot guarantee I would do it for free. Furthermore, there are resources which contain Firewall expressions which we can actually use and combine into a single Firewall Rule.

Depends. I have 400+ blocked AS numbers, again, which may not be good for someone else.

Kindly, check my linked post; it contains other two or three posts (different topics) on User-agent blocking list and also the AS number lists - from other users who posted them as original (just sharing further their great effort).

Ok, updated the top content with what I have so far.

Remove all your rules and combine them into 1 rule, that will keep your options for other rules open.

WP Protection & NO-REFERER Plugin Block
(http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/inc/") or (http.request.uri.path contains "/admin/") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php") or (http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "YOUR-DOMAIN" and not cf.client.bot)

1 Like

Then how else will we know what’s blocking… on what path?
Once I find more options for the list then I’ll update it…

Because it will show that url / file that triggered it. And after a while you don’t care nor look at it anymore, you just know that it will block. Now you have max 5 firewall rules in use and limiting yourself massively.

Login Protection + Content Protection joined for extra Rule.

Does anyone know if this list will work under

User-Agent Blocking

(http.user_agent contains "360Spider") or (http.user_agent contains "acapbot") or (http.user_agent contains "acoonbot") or (http.user_agent contains "ahrefs") or (http.user_agent contains "alexibot") or (http.user_agent contains "attackbot") or (http.user_agent contains "backdorbot") or (http.user_agent contains "becomebot") or (http.user_agent contains "blackwidow") or (http.user_agent contains "blekkobot") or (http.user_agent contains "blowfish") or (http.user_agent contains "bullseye") or (http.user_agent contains "bunnys") or (http.user_agent contains "butterfly") or (http.user_agent contains "careerbot") or (http.user_agent contains "casper") or (http.user_agent contains "checkpriv") or (http.user_agent contains "cheesebot") or (http.user_agent contains "chinaclaw") or (http.user_agent contains "choppy") or (http.user_agent contains "cmsworld") or (http.user_agent contains "copyrightcheck") or (http.user_agent contains "datacha") or (http.user_agent contains "demon") or (http.user_agent contains "discobot") or (http.user_agent contains "dotbot") or (http.user_agent contains "dotnetdotcom") or (http.user_agent contains "dumbot") or (http.user_agent contains "emailcollector") or (http.user_agent contains "emailsiphon") or (http.user_agent contains "emailwolf") or (http.user_agent contains "exabot") or (http.user_agent contains "extract") or (http.user_agent contains "eyenetie") or (http.user_agent contains "feedfinder") or (http.user_agent contains "flaming") or (http.user_agent contains "foobot") or (http.user_agent contains "g00g1e") or (http.user_agent contains "gigabot") or (http.user_agent contains "go-ahead-got") or (http.user_agent contains "gozilla") or (http.user_agent contains "grabnet") or (http.user_agent contains "harvest") or (http.user_agent contains "httrack") or (http.user_agent contains "jetbot") or (http.user_agent contains "jikespider") or (http.user_agent contains "kmccrew") or (http.user_agent eq "leechftp") or (http.user_agent contains "linkextractor") or (http.user_agent contains "linkscan") or (http.user_agent contains "linkwalker") or (http.user_agent contains "loader") or (http.user_agent contains "masscan") or (http.user_agent contains "miner") or (http.user_agent contains "majestic") or (http.user_agent contains "mechanize") or (http.user_agent contains "netmechanic") or (http.user_agent contains "netspider") or (http.user_agent contains "ninja") or (http.user_agent contains "octopus") or (http.user_agent contains "pagegrabber") or (http.user_agent contains "planetwork") or (http.user_agent contains "postrank") or (http.user_agent contains "proximic") or (http.user_agent contains "purebot") or (http.user_agent contains "pycurl") or (http.user_agent contains "python") or (http.user_agent contains "queryn") or (http.user_agent contains "queryseeker") or (http.user_agent contains "radiation") or (http.user_agent contains "realdownload") or (http.user_agent contains "rogerbot") or (http.user_agent contains "scooter") or (http.user_agent contains "seekerspider") or (http.user_agent contains "siclab") or (http.user_agent contains "sindice") or (http.user_agent contains "sitebot") or (http.user_agent contains "siteexplorer") or (http.user_agent contains "sitesnagger") or (http.user_agent contains "smartdownload") or (http.user_agent contains "sosospider") or (http.user_agent contains "spankbot") or (http.user_agent contains "spbot") or (http.user_agent contains "sqlmap") or (http.user_agent contains "stackrambler") or (http.user_agent contains "stripper") or (http.user_agent contains "sucker") or (http.user_agent contains "suzukacz") or (http.user_agent contains "suzuran") or (http.user_agent contains "teleport") or (http.user_agent contains "telesoft") or (http.user_agent contains "true_robots") or (http.user_agent contains "turingos") or (http.user_agent contains "vampire") or (http.user_agent contains "webwhacker") or (http.user_agent contains "woxbot") or (http.user_agent contains "xaldon") or (http.user_agent contains "yamanalab") or (http.user_agent contains "zmeu")