OK. The main reason I'm starting this is that I feel there is a need for it (I apologise if someone has already started one), and I'm just learning about this.
I'm the type of guy who likes to see what Cloudflare has to offer in terms of firewall for FREE users. Because I've been using ESET Smart Security in advanced mode, I like the idea of seeing what's going in and out when it comes to a computer firewall.
=========================================================================
FREE SSL/TLS FULL (Strict)
An SSL/TLS certificate (SSL and TLS are successive versions of the same protocol, and the certificate is the same X.509 certificate either way) serves two purposes: it lets the connection be encrypted, and it provides identity assurance, so that visitors can positively identify the site they are talking to and trust it enough to transact with.
You have a choice between Full and Full (Strict). Full encrypts the Cloudflare-to-origin hop but accepts any certificate on the origin, including self-signed or expired ones, so anyone who can intercept that hop can impersonate your server; Full (Strict) only accepts a certificate that is valid, unexpired and matches the hostname. If your site breaks when you switch to Full (Strict) (typically Cloudflare error 526), the cause is an invalid or expired origin certificate: fix that (a free Cloudflare Origin CA certificate or a Let's Encrypt certificate from your host both satisfy Strict) rather than falling back to Full.
=========================================================================
PCI Data Security Standard (PCI DSS) version 3.2 replaces version 3.1 to address growing threats to customer payment information. Companies that accept, process or receive payments should adopt it as soon as possible to prevent, detect and respond to cyberattacks that can lead to breaches.
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Resource_Guide_(003).pdf
The part of this you can act on in Cloudflare is SSL/TLS > Edge Certificates > Minimum TLS Version: PCI DSS requires that SSL and early TLS (1.0) are no longer used, so set the minimum to 1.2. Do not go higher than 1.2: with a minimum of 1.3 the site stops being indexed by the Bing search engine, and any other client that cannot negotiate TLS 1.3 is locked out as well.
=========================================================================
Tightening WordPress security (challenges, extra firewall rules, an admin area that is never cached) can increase response time.
Argo Tiered Cache lowers that response time by answering more requests from Cloudflare's cache instead of from your origin.
=========================================================================
Scrape Shield
Protect content on your site
Hotlink Protection (Cloudflare's version covers the common image formats gif, ico, jpg, jpeg and png, but does not cover next-gen formats such as WebP yet)
If you are on SiteGround you can enable hotlink protection in Site Tools instead.
OR
edit the .htaccess file and add this:
RewriteEngine on
# allow requests with no Referer (direct visits, privacy extensions that strip it)
RewriteCond %{HTTP_REFERER} !^$
# allow your own site, over http or https, with or without www
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com(/.*)?$ [NC]
RewriteRule \.(jpg|jpeg|gif|png|bmp|webp)$ - [F,NC]
Replace **domain.com** with your actual domain name. The earlier version of this rule only allowed referers starting with http://, so on a site served over HTTPS (which is what Full (Strict) gives you) your own pages would have been refused their images; it also blocked every request with no Referer at all, and the unescaped dot in .*.(jpg made the pattern looser than intended. Keep in mind that this rule runs on your origin: images Cloudflare already has in its cache are served from the edge without ever reaching it, so enable Cloudflare's own Hotlink Protection as well if you want the check to apply to cached copies.
=========================================================================
WordPress Security Plugins
WordPress Security (standard for hosting providers)
Since I'm using SiteGround, if you have any other hosting provider that does the same, let us know.
They have the standard security laid out here:
This is the SiteGround Security plugin. It works out of the box, but you still need to enable the options that suit your site.
I will go over some of them here as well.
Custom Login URL
Automated attacks go straight for the default login URL (/wp-login.php, which /wp-admin redirects to), so moving the login page to a custom but easily memorable URL cuts out most of that noise. It is obscurity rather than a real access control, so combine it with the options below.
Login Access
By default your WordPress login can be reached from any IP. You can limit access to specific IPs or a range of IPs to prevent brute-force attacks or malicious login attempts. (You can set this here, or in Cloudflare, so that only your own IP can reach the login page.)
Two-factor Authentication for Admin & Editor Users
Two-factor authentication only lets admin users log in after they also provide a one-time token generated by an authenticator app (Google Authenticator or any other TOTP app). When you enable this option, all admin and editor users will be asked to set up two-factor authentication in their authenticator app on their next login.
Disable Common Usernames
Using common usernames like 'admin' is a security risk that often leads to unauthorised access, because brute-force tools try those names first. Enabling this option disables the creation of common usernames, and if you already have one or more users with a weak username you will be asked to provide new ones.
Limit Login Attempts
Limit the number of times a given user can attempt to log in to wp-admin with incorrect credentials. Once the limit is reached, the IP the attempts came from is blocked, first for 1 hour. If the attempts continue after the first hour, the block is extended to 24 hours and then to 7 days.
=========================================================================
We believe that the hosting provider should also back you up when it comes to WordPress security.
This is for those who just want to add the code themselves.
Disable the WordPress plugin and theme editor with one line:
In the WordPress root directory (usually /public_html/), find the file wp-config.php.
Once you've found the file, open it for editing and add this line:
define( 'DISALLOW_FILE_EDIT', true );
right before the line that reads:
/* That's all, stop editing! Happy blogging. */
Save the file and that's it! The WordPress plugin and theme editor is disabled, which means an attacker who gets hold of an admin account can no longer use the built-in editor to write PHP into a theme or plugin file.
Do You Need XML-RPC?
The file serves three primary functions:
- WordPress app – If you use the WordPress app on your mobile device to post to your site, you need XML-RPC. The app uses it to make a remote connection to your WordPress site.
- Trackbacks and pingbacks – When you publish content that links to another blog or website, this feature alerts the other site that you have linked to it. Trackbacks are created manually while pingbacks are automated. If you use these, xmlrpc.php must stay enabled.
- Jetpack plugin – Jetpack is a popular plugin used by over 5 million WordPress sites, offering security, performance and site-management services. It uses XML-RPC to communicate with WordPress.com, so if you use Jetpack you need XML-RPC enabled.
If none of the three applies to you, disable it: an exposed xmlrpc.php is one of the first things automated scanners hit on a WordPress site.
Disable XML-RPC with code:
Open the File Manager in your hosting control panel (Site Tools on SiteGround).
If your website has a .htaccess file but you can't see it, go to the settings and click 'show hidden files'.
If your website doesn't have a .htaccess file, you can create one.
Your website's files should be under the folder named 'public_html'.
Find the .htaccess file there, right-click it and choose 'Edit'.
Paste the following code, which disables XML-RPC, into the file:
# Block WordPress xmlrpc.php requests (Apache 2.4 syntax)
<Files xmlrpc.php>
    # To keep XML-RPC for one IP only, replace the line below with:
    #   Require ip xxx.xxx.xxx.xxx
    Require all denied
</Files>
If you would like to retain XML-RPC for a particular IP, use the Require ip line with your IP address in place of 'xxx.xxx.xxx.xxx' (everyone else is still denied). The older form of this block (order deny,allow / deny from all / allow from xxx.xxx.xxx.xxx) is Apache 2.2 syntax and only works on Apache 2.4 if mod_access_compat is loaded.
One caveat when the site is behind Cloudflare: the origin server sees Cloudflare's edge IP as the client, not yours, so an IP allow on the origin never matches unless the real address is restored from the CF-Connecting-IP header (Apache's mod_remoteip does this, and must be told to trust only Cloudflare's IP ranges). It is simpler to make the IP exception in Cloudflare, where firewall rule 1 below already covers xmlrpc.php.
Save and close the file.
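Why the IP exception on the origin does not behave as expected behind Cloudflare, as an added example (not code from the post, from Apache or from Cloudflare): the function below restores the client address the way mod_remoteip does, trusting the CF-Connecting-IP header only when the TCP peer is inside Cloudflare's ranges, and contrasts it with the naive peer-address check that `Require ip` / `allow from` performs. The Cloudflare ranges are an excerpt of the published list, the allowed address 203.0.113.7 is an assumed stand-in for your static IP, and every request below is constructed.

```python
"""Client-IP handling for an origin that sits behind Cloudflare.

Added example, not Apache or Cloudflare code. It shows why an IP allow on the
origin (allow from / Require ip) does not do what you expect: the TCP peer the
origin sees is a Cloudflare edge address, the real client address only arrives
in the CF-Connecting-IP header, and that header may only be trusted when the
peer really is Cloudflare. All addresses below are constructed test values.
"""
import ipaddress

# Excerpt of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Fetch the current list in production rather than hard-coding it.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13",
    "162.158.0.0/15", "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17",
)]
# Assumption: the one address allowed to use xmlrpc.php (TEST-NET-3, not a real client).
ALLOWED_XMLRPC_CLIENTS = [ipaddress.ip_network("203.0.113.7/32")]


def is_cloudflare(peer_ip):
    """True if the TCP peer address is inside one of Cloudflare's ranges."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def client_ip(peer_ip, headers):
    """The address access rules should apply to. This mirrors what Apache's
    mod_remoteip does with RemoteIPHeader CF-Connecting-IP and RemoteIPTrustedProxy
    set to Cloudflare's ranges: trust the header only from a trusted proxy."""
    forwarded = headers.get("CF-Connecting-IP")
    if forwarded and is_cloudflare(peer_ip):
        return forwarded
    return peer_ip            # direct hit or untrusted peer: the header is ignored


def xmlrpc_allowed(peer_ip, headers):
    """Allow decision taken on the restored client address."""
    try:
        ip = ipaddress.ip_address(client_ip(peer_ip, headers))
    except ValueError:        # forged or malformed header value
        return False
    return any(ip in net for net in ALLOWED_XMLRPC_CLIENTS)


def xmlrpc_allowed_naive(peer_ip):
    """What a plain `Require ip` / `allow from` on the origin checks: the TCP peer only."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in ALLOWED_XMLRPC_CLIENTS)


if __name__ == "__main__":
    via_cf = ("104.16.1.1", {"CF-Connecting-IP": "203.0.113.7"})    # you, through Cloudflare
    forged = ("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"})  # attacker hitting the origin directly
    print("naive rule, you via Cloudflare:   ", xmlrpc_allowed_naive(via_cf[0]))  # False: never matches
    print("restored IP, you via Cloudflare:  ", xmlrpc_allowed(*via_cf))          # True
    print("restored IP, forged header direct:", xmlrpc_allowed(*forged))          # False
```

The second half of the lesson is that the origin must also refuse connections that do not arrive from Cloudflare's ranges at all; otherwise an attacker who finds the origin's real address simply bypasses every Cloudflare rule, including the firewall rules later in this post.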
=========================================================================
WP Rocket IP Allow List
WP Rocket is a WordPress caching plugin used around the globe. These are the IPs and hosts that need to be allowed (for example in Cloudflare's IP Access Rules) so that WP Rocket keeps working once the firewall rules below are in place. Vendors change addresses over time, so check WP Rocket's own documentation if one of these stops working.
License validation/activation, update check, plugin information:
146.59.192.120
https://wp-rocket.me
Load CSS Asynchronously
109.234.160.58
51.83.15.135
51.210.39.196
https://cpcss.wp-rocket.me/api/job/
Remove Unused CSS
135.125.83.227
https://central-saas.wp-rocket.me/
RocketCDN Subscription
146.59.251.59
https://rocketcdn.me/api/
If any of these settings are wrong, please let us know.
=========================================================================
Security Headers
This should give you an A+ at https://securityheaders.com
If it doesn't, comment below with a screenshot of your result.
You can set these via .htaccess by adding this:
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Content-Security-Policy "upgrade-insecure-requests"
    Header always set Permissions-Policy "interest-cohort=()"
</IfModule>
Three syntax points, because the earlier version of this block had all three wrong: values containing spaces or semicolons must be quoted, otherwise Apache treats the text after the first space as an extra argument and the directive fails; the header name takes no trailing colon (Referrer-Policy: and Permissions-Policy: would emit headers literally named with a colon, which browsers ignore); and `always` makes Apache add the headers to redirects and error responses as well, not just to 200s.
What they do: Strict-Transport-Security tells browsers to use HTTPS only for a year, including subdomains, so make sure every subdomain serves HTTPS before enabling it (Cloudflare can also send this header for you under SSL/TLS > Edge Certificates > HSTS). X-Content-Type-Options: nosniff stops browsers guessing a content type. X-Frame-Options: SAMEORIGIN stops other sites framing your pages (clickjacking). Referrer-Policy limits what URL is leaked to other sites when a visitor follows a link. Permissions-Policy: interest-cohort=() opts your site out of FLoC. X-XSS-Protection is a legacy header that current browsers ignore; it is harmless but gives no protection.
The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they had been replaced with secure URLs (those served over HTTPS). It is the weakest policy that still counts as a CSP: because it has no default-src or script-src, it does nothing to limit where scripts load from and so offers no protection against XSS.
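To verify the result without relying on a third-party scanner, here is an added example (not code from the post) that checks a captured response header block against the headers recommended above. Capture the headers with `curl -sI https://yourwebsite.com/` and pass the text to `check_headers()`; the two header blocks in the script are constructed samples standing in for a default WordPress site behind Cloudflare before and after the headers are set. It also flags the X-Pingback and Link headers WordPress adds, which the XML-RPC section above and the "Remove Link" transform rule below are there to get rid of.

```python
"""Check a captured response header block against the headers recommended above.

Added example, not code from the original post. Capture headers with
`curl -sI https://yourwebsite.com/` and pass the text to check_headers();
the two header blocks below are constructed samples, not real responses.
"""
import re

MIN_HSTS_AGE = 31536000  # one year, the value used in the post
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def parse_headers(raw):
    """Parse a raw header block into {lowercase name: [values]}; the status line is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_headers(raw):
    """Return {check: (passed, observed value)} for each recommendation in the post."""
    h = parse_headers(raw)

    def first(name):
        return h.get(name, [""])[0]

    out = {}
    hsts = first("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts)
    out["hsts"] = (bool(m) and int(m.group(1)) >= MIN_HSTS_AGE
                   and "includesubdomains" in hsts.lower(), hsts or "missing")
    out["x-content-type-options"] = (first("x-content-type-options").lower() == "nosniff",
                                     first("x-content-type-options") or "missing")
    out["x-frame-options"] = (first("x-frame-options").upper() in ("DENY", "SAMEORIGIN"),
                              first("x-frame-options") or "missing")
    out["referrer-policy"] = (first("referrer-policy").lower() in SAFE_REFERRER_POLICIES,
                              first("referrer-policy") or "missing")
    csp = first("content-security-policy")
    out["csp-present"] = (bool(csp), csp or "missing")
    # upgrade-insecure-requests on its own does not restrict where scripts may load
    # from, so it is no XSS mitigation; flag a CSP without any source directive.
    out["csp-restricts-scripts"] = ("script-src" in csp or "default-src" in csp, csp or "missing")
    out["permissions-policy"] = (bool(first("permissions-policy")), first("permissions-policy") or "missing")
    # WordPress advertises xmlrpc.php and the REST API in these two headers; the post's
    # XML-RPC section and the "Remove Link" transform rule exist to hide them.
    out["no-x-pingback"] = ("x-pingback" not in h, first("x-pingback") or "absent")
    out["no-link-header"] = ("link" not in h, first("link") or "absent")
    return out


def failing(raw):
    """Names of the checks that did not pass, sorted."""
    return sorted(name for name, (ok, _) in check_headers(raw).items() if not ok)


# Constructed sample: a default WordPress site behind Cloudflare, before any hardening.
BEFORE = """HTTP/2 200
date: Sun, 26 Dec 2021 10:00:00 GMT
content-type: text/html; charset=UTF-8
link: <https://yourwebsite.com/wp-json/>; rel="https://api.w.org/"
x-pingback: https://yourwebsite.com/xmlrpc.php
server: cloudflare
"""

# Constructed sample: the same site after the .htaccess block or transform rules.
AFTER = """HTTP/2 200
date: Sun, 26 Dec 2021 10:00:00 GMT
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
content-security-policy: upgrade-insecure-requests
permissions-policy: interest-cohort=()
server: cloudflare
"""

if __name__ == "__main__":
    print("before:", failing(BEFORE))   # every check fails
    print("after: ", failing(AFTER))    # only csp-restricts-scripts remains
```

The one check the hardened sample still fails is deliberate: it shows that the CSP in this post satisfies a scanner's "CSP present" test while still leaving script sources unrestricted. X-XSS-Protection is not scored because current browsers ignore it.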
=========================================================================
Rules > Transform Rules > HTTP Response Header Modification rule
Set static, header name = value (the name field takes the bare name with no colon, and the value is sent exactly as typed, so do not put quotes around it):
Strict-Transport-Security = max-age=31536000; includeSubDomains
X-XSS-Protection = 1; mode=block
X-Content-Type-Options = nosniff
X-Frame-Options = SAMEORIGIN
Referrer-Policy = strict-origin-when-cross-origin
Content-Security-Policy = upgrade-insecure-requests
Permissions-Policy = interest-cohort=()
Remove: Link
The Link header is the one WordPress adds to advertise its REST API endpoint (rel="https://api.w.org/") and its shortlink; removing it keeps that out of the response. It also strips any Link: rel=preload hints, so skip this line if you rely on those. Setting the headers here instead of in .htaccess means they are added at Cloudflare's edge regardless of what the origin sends.
If there are any more security issues, do let us know, and like and share the post.
You can check whether this is working at securityheaders.com
=========================================================================
Page Rule
FREE USERS (the free plan includes three page rules, which is exactly what the three below use)
Unless someone can tell us here that there is better protection for the page rule, we want to hear it from you.
1. Secure The WordPress Admin And Bypass Cache
Combine the WordPress admin settings into one page rule: Security Level: High, Cache Level: Bypass (the admin area should never be cached), Disable Apps, and Disable Performance (minify, Rocket Loader, Mirage, Polish), since those features are only there to speed up the front end of your site.
yourwebsite.com/wp-admin*
Note that this pattern only matches /wp-admin and below; wp-login.php sits at the site root and is not covered, which is why firewall rule 1 below lists it separately. If your site is reachable as both www.yourwebsite.com and yourwebsite.com, use *yourwebsite.com/wp-admin* so that both match.
2. Decrease Bandwidth Of WP Uploads
Since items in your WordPress uploads folder do not change frequently, you do not have to fetch them from the origin as often. Setting Edge Cache TTL to a month saves bandwidth; if you need to update certain files or directories before the month is up, purge the individual files in Cloudflare.
In this page rule and the following ones, the Browser Cache TTL is set to a day. This sets the expiration time for resources cached in a visitor's browser, an item often flagged by GTmetrix.
yourwebsite.com/wp-content/uploads*
3. Stop Bots From Collecting Your Email
This page rule enables Email Address Obfuscation on your contact page, which hides your email address from bots (so they don't send you spam) while it stays visible to humans. Enable it on any page that contains your email address, or turn it on globally in Cloudflare's Scrape Shield settings. You can change the pattern to any page.
yourwebsite.com/contact
=========================================================================
Since this is a web-based firewall, these are the settings I have for the Cloudflare firewall:
IP Access Rules:
Tighten your security so only you can access WordPress:
- Whitelist your exact IP address (if your ISP gives you a static IP).
- If your IP changes, you will need to re-enter it or you get locked out of your WordPress admin area.
- Whitelist your ISP's entire IP range (a good choice if you have a dynamic IP).
- Whitelist your country (won't protect against attacks from inside your own country).
Be aware of what an IP Access Rule "Allow" actually does: it exempts that IP from challenges and blocks, it does not lock everyone else out. To really restrict the login page to your own IP you need a firewall rule on wp-login.php that blocks every other source address (or the Login Access option in the SiteGround plugin above), and whitelisting a whole ISP range or country hands the same exemption to every attacker on that range or in that country.
(If anyone can help with the IP range, as I haven't tried this yet: 198.105.244.130)
=========================================================================
Firewall Rules (updated 26/12/21)
Guide to 5 rules
=========================================================================
1. Protect the wp-admin Area
(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php")
Use a challenge action rather than Block, so that you can still pass the challenge and log in yourself. The earlier version of this expression also listed /wp-admin/admin-ajax.php and /wp-admin/theme-editor.php separately; both are already matched by "/wp-admin/", and admin-ajax.php has to be excluded because plugins and themes call it from the front end for logged-out visitors (search, load-more buttons, contact forms), and a challenge on those background requests silently breaks them. Everything else under /wp-admin/ is still challenged.
xmlrpc.php is a common attack target. XML-RPC has legitimate uses, such as blogging from a smartphone or posting content to multiple WordPress sites at once, but its system.multicall method lets a single request carry hundreds of login attempts, and pingback.ping can be abused to make your server request arbitrary URLs.
If you have cPanel for your website with a firewall, you will notice IPs from all over the world trying to access your wp-login.php file. This rule protects you from that.
=============================================================================
2. Bots (still looking for the best rule for this; leave a comment below if you know any)
I would like to thank the users that made this possible:
fritex, Rocky.sy, sdayman and all the rest I haven't added.
(lower(http.user_agent) contains "bot" and not cf.client.bot and not http.user_agent contains "Googlebot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Slurp" and not http.user_agent contains "DuckDuckBot")
This matches any user agent containing "bot" except Cloudflare-verified bots (cf.client.bot) and the crawlers of Google, Bing, Yahoo and DuckDuckGo, so only those search engines get through.
Two things were wrong with the earlier version of this rule. `contains` is case-sensitive, so requiring both "bot" and "Bot" in the same user agent matched almost nothing; lower() fixes that. Worse, the second half of the rule matched every request whose user agent was not one of the four named crawlers, which is every normal browser, so with a Block action it would have locked out all human visitors. Keep in mind that the user-agent exceptions can be spoofed by anyone; cf.client.bot is the trustworthy check, because Cloudflare verifies those crawlers by source address, and it already covers the four named engines.
=============================================================================
You can choose to use this list below instead. It is the same list as before with each term wrapped in lower(): `contains` is case-sensitive, so the plain lowercase terms never matched real user agents such as AhrefsBot, DotBot, HTTrack or Python-urllib. The one `eq "leechftp"` entry is now a `contains` like the rest. Some of the terms are ordinary words (demon, loader, miner, ninja, extract, harvest, python), so expect false positives and review the firewall events after enabling it.
(lower(http.user_agent) contains "360spider") or (lower(http.user_agent) contains "acapbot") or (lower(http.user_agent) contains "acoonbot") or (lower(http.user_agent) contains "ahrefs") or (lower(http.user_agent) contains "alexibot") or (lower(http.user_agent) contains "attackbot") or (lower(http.user_agent) contains "backdorbot") or (lower(http.user_agent) contains "becomebot") or (lower(http.user_agent) contains "blackwidow") or (lower(http.user_agent) contains "blekkobot") or (lower(http.user_agent) contains "blowfish") or (lower(http.user_agent) contains "bullseye") or (lower(http.user_agent) contains "bunnys") or (lower(http.user_agent) contains "butterfly") or (lower(http.user_agent) contains "careerbot") or (lower(http.user_agent) contains "casper") or (lower(http.user_agent) contains "checkpriv") or (lower(http.user_agent) contains "cheesebot") or (lower(http.user_agent) contains "chinaclaw") or (lower(http.user_agent) contains "choppy") or (lower(http.user_agent) contains "cmsworld") or (lower(http.user_agent) contains "copyrightcheck") or (lower(http.user_agent) contains "datacha") or (lower(http.user_agent) contains "demon") or (lower(http.user_agent) contains "discobot") or (lower(http.user_agent) contains "dotbot") or (lower(http.user_agent) contains "dotnetdotcom") or (lower(http.user_agent) contains "dumbot") or (lower(http.user_agent) contains "emailcollector") or (lower(http.user_agent) contains "emailsiphon") or (lower(http.user_agent) contains "emailwolf") or (lower(http.user_agent) contains "exabot") or (lower(http.user_agent) contains "extract") or (lower(http.user_agent) contains "eyenetie") or (lower(http.user_agent) contains "feedfinder") or (lower(http.user_agent) contains "flaming") or (lower(http.user_agent) contains "foobot") or (lower(http.user_agent) contains "g00g1e") or (lower(http.user_agent) contains "gigabot") or (lower(http.user_agent) contains "go-ahead-got") or (lower(http.user_agent) contains "gozilla") or (lower(http.user_agent) contains "grabnet") or (lower(http.user_agent) contains "harvest") or (lower(http.user_agent) contains "httrack") or (lower(http.user_agent) contains "jetbot") or (lower(http.user_agent) contains "jikespider") or (lower(http.user_agent) contains "kmccrew") or (lower(http.user_agent) contains "leechftp") or (lower(http.user_agent) contains "linkextractor") or (lower(http.user_agent) contains "linkscan") or (lower(http.user_agent) contains "linkwalker") or (lower(http.user_agent) contains "loader") or (lower(http.user_agent) contains "masscan") or (lower(http.user_agent) contains "miner") or (lower(http.user_agent) contains "majestic") or (lower(http.user_agent) contains "mechanize") or (lower(http.user_agent) contains "netmechanic") or (lower(http.user_agent) contains "netspider") or (lower(http.user_agent) contains "ninja") or (lower(http.user_agent) contains "octopus") or (lower(http.user_agent) contains "pagegrabber") or (lower(http.user_agent) contains "planetwork") or (lower(http.user_agent) contains "postrank") or (lower(http.user_agent) contains "proximic") or (lower(http.user_agent) contains "purebot") or (lower(http.user_agent) contains "pycurl") or (lower(http.user_agent) contains "python") or (lower(http.user_agent) contains "queryn") or (lower(http.user_agent) contains "queryseeker") or (lower(http.user_agent) contains "radiation") or (lower(http.user_agent) contains "realdownload") or (lower(http.user_agent) contains "rogerbot") or (lower(http.user_agent) contains "scooter") or (lower(http.user_agent) contains "seekerspider") or (lower(http.user_agent) contains "siclab") or (lower(http.user_agent) contains "sindice") or (lower(http.user_agent) contains "sitebot") or (lower(http.user_agent) contains "siteexplorer") or (lower(http.user_agent) contains "sitesnagger") or (lower(http.user_agent) contains "smartdownload") or (lower(http.user_agent) contains "sosospider") or (lower(http.user_agent) contains "spankbot") or (lower(http.user_agent) contains "spbot") or (lower(http.user_agent) contains "sqlmap") or (lower(http.user_agent) contains "stackrambler") or (lower(http.user_agent) contains "stripper") or (lower(http.user_agent) contains "sucker") or (lower(http.user_agent) contains "suzukacz") or (lower(http.user_agent) contains "suzuran") or (lower(http.user_agent) contains "teleport") or (lower(http.user_agent) contains "telesoft") or (lower(http.user_agent) contains "true_robots") or (lower(http.user_agent) contains "turingos") or (lower(http.user_agent) contains "vampire") or (lower(http.user_agent) contains "webwhacker") or (lower(http.user_agent) contains "woxbot") or (lower(http.user_agent) contains "xaldon") or (lower(http.user_agent) contains "yamanalab") or (lower(http.user_agent) contains "zmeu")
=============================================================================
3. Threat Score Challenge
(cf.threat_score ge 10)
=============================================================================
4. Threat Score Block
(cf.threat_score ge 20)
Order matters: Cloudflare evaluates firewall rules from top to bottom and stops at the first matching rule whose action is terminating (Block and the challenge actions all are). With rule 3 above rule 4, a request scoring 25 gets a challenge and never reaches the block rule, so place the block rule above the challenge rule in the list.
=============================================================================
5. Block No-Referer Requests to Plugins
(http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "yourwebsite.com" and not cf.client.bot)
Replace yourwebsite.com with your own domain (the earlier version of this rule carried the author's site, gamingpcbundle.co.uk). WordPress sites get hacked through insecure plugins, and this rule blocks direct requests to anything under /wp-content/plugins/ that did not come from a page on your site.
Legitimate requests, meaning the CSS, JS and images a plugin adds to your pages, arrive with one of your own page URLs as the HTTP Referer and are allowed through. Known good bots (cf.client.bot, such as the Google crawler) are also allowed, in case they try to index something, such as an image, inside your plugins folder. Two caveats: the Referer header is set by the client, so a targeted attacker simply adds it and this rule only stops lazy scanners; and visitors whose browser or privacy extension strips the Referer will fail to load plugin assets, so watch the firewall events after enabling it.
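To see how the five rules interact, here is an added example (not Cloudflare code, and it never contacts Cloudflare) that evaluates them in order against constructed sample requests with the same first-terminating-match semantics Cloudflare uses. Rule 1 is modelled with admin-ajax.php excluded and rule 2 with the case-insensitive fix, as discussed above; `yourwebsite.com`, the sample user agents and the threat scores are all assumed test values, and only a handful of the block-list tokens are included.

```python
"""Simulate the five firewall rules above against constructed sample requests.

Added example; this is not Cloudflare code and does not talk to Cloudflare.
A request is a dict standing in for the fields the rules read: path
(http.request.uri.path), user_agent, referer, threat_score (cf.threat_score)
and verified_bot (cf.client.bot). Cloudflare evaluates rules top to bottom and
the first match with a terminating action (block or a challenge) wins; evaluate()
reproduces that so the ordering problem of rules 3 and 4 becomes visible.
"""

SITE = "yourwebsite.com"   # assumption: the placeholder domain used throughout the post
ALLOWED_CRAWLERS = ("googlebot", "bingbot", "slurp", "duckduckbot")
# A handful of tokens from the post's block list, lowercase because we compare lowercase.
BAD_UA_TOKENS = ("ahrefs", "dotbot", "httrack", "masscan", "sqlmap", "python")


def rule_protect_admin(req):
    """Rule 1: login, xmlrpc and the admin area, except admin-ajax.php, which
    plugins call from the front end for logged-out visitors."""
    path = req["path"]
    hit = any(p in path for p in ("/wp-login.php", "/xmlrpc.php", "/wp-admin/"))
    return hit and "/wp-admin/admin-ajax.php" not in path


def rule_bad_bots(req):
    """Rule 2 plus the block list: case-insensitive match on 'bot' or a listed
    token, never for verified bots or the four named search crawlers."""
    if req["verified_bot"]:
        return False
    ua = req["user_agent"].lower()
    if any(c in ua for c in ALLOWED_CRAWLERS):
        return False
    return "bot" in ua or any(t in ua for t in BAD_UA_TOKENS)


def rule_plugins_no_referer(req):
    """Rule 5: direct hits under /wp-content/plugins/ without our site as Referer."""
    return ("/wp-content/plugins/" in req["path"]
            and SITE not in req["referer"]
            and not req["verified_bot"])


RULES_AS_POSTED = [
    ("protect wp-admin", rule_protect_admin, "challenge"),
    ("bad bots", rule_bad_bots, "block"),
    ("threat score >= 10", lambda r: r["threat_score"] >= 10, "challenge"),
    ("threat score >= 20", lambda r: r["threat_score"] >= 20, "block"),
    ("plugins without referer", rule_plugins_no_referer, "block"),
]
# The same rules with the threat-score block placed above the threat-score challenge.
RULES_BLOCK_FIRST = [RULES_AS_POSTED[i] for i in (0, 1, 3, 2, 4)]


def evaluate(req, rules=RULES_AS_POSTED):
    """Return (rule name, action) of the first matching rule, or (None, 'allow')."""
    for name, matches, action in rules:
        if matches(req):
            return name, action
    return None, "allow"


def request(path, user_agent="Mozilla/5.0 (X11; Linux x86_64) Chrome/96.0", **fields):
    """Build a constructed sample request; unspecified fields get harmless defaults."""
    req = {"path": path, "user_agent": user_agent, "referer": "",
           "threat_score": 0, "verified_bot": False}
    req.update(fields)
    return req


if __name__ == "__main__":
    samples = [
        ("login page", request("/wp-login.php")),
        ("admin-ajax from a visitor", request("/wp-admin/admin-ajax.php?action=search")),
        ("ordinary browser", request("/")),
        ("AhrefsBot (mixed case)", request("/", user_agent="Mozilla/5.0 (compatible; AhrefsBot/7.0)")),
        ("spoofed Googlebot on a plugin file", request("/wp-content/plugins/x/x.php", user_agent="Googlebot/2.1")),
        ("verified Googlebot on a plugin file", request("/wp-content/plugins/x/x.css", user_agent="Googlebot/2.1", verified_bot=True)),
        ("threat score 25", request("/", threat_score=25)),
    ]
    for label, req in samples:
        print(f"{label:38} as posted: {evaluate(req)[1]:10} block first: {evaluate(req, RULES_BLOCK_FIRST)[1]}")
```

Run it and the "threat score 25" line shows the ordering problem directly: in the order posted the request is challenged by rule 3, and only with the block rule moved up does it get blocked. The spoofed versus verified Googlebot pair shows why `cf.client.bot` rather than the user-agent string is what actually protects the plugins folder.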
=============================================================================
Any issues, please let us know.
Guide for extra Protection
Web Firewall Protection