Wordpress Security Protection Firewall Recommended Settings

Is that a good thing or bad?

Just to let you know, it is going through that list.

Looking at your rule again: how well does your site load, including the admin section? It seems to me that the rule would cause everything to be blocked.

Having (http.request.uri.path contains ".php") and (not http.request.uri.path contains "/wp-admin/admin-ajax.php") seems like it would always evaluate to true, causing the block.

What you are seeing in the screenshot is that request of the bot is blocked by the firewall rule Block Path and not through user agent blocking.


This is what you would see if it was user agent blocking. Running curl -A "Block Me Cloudflare!" https://www.cyberjake.xyz

With a rule of:

Generates


Everything is loading fine, no problem.

Is this a good website to follow for Cloudflare settings?

In the above I was only allowing UK IPs to access the website.


I would go with the approach below for a Free Cloudflare user, which has got 5 rules; for example it would look like this:

  1. to allow only my IP or server IP in some cases, and some other related stuff to allow (if using an mta-sts sub-domain and that for e-mail)
  2. to block WordPress related things (block requests to upgrade.php with the exception of my own country so I could upgrade my WordPress regularly - I block all, but challenge my country in the 3rd one and have a challenge possible for anything else) for its wp files, xmlrpc, wp-config, wlwmanifest, autodiscover, WP JSON path, Tor browser, HTTP/1.0 version, lost password query part of wp-login.php, etc., and cPanel (or some other) things like blocking all ports except 80 and 443
  3. to challenge the request to upgrade.php for WordPress for each request (including my country) trying to open it (protecting from the wpscan possibility to figure out which WP version I am running, even with removed query strings and wp generator meta tag)
  4. to block requests to wp-cron.php except from my server IP, and also any other .php file in any /wp-content/ directory, and also to block user-agents (crawlers, bad bots etc.),
  5. to block file access by type (sql, gz, bak, .htaccess, etc.) including SQL injection protection (if URLs contain parts like DROP, SELECT, UNION, base64, etc.), passwd and similar probes, license.txt and readme.txt files (most plugins have them) and similar

May I suggest looking into my below post as it contains a lot of examples and external links for Firewall Rules on Cloudflare to protect WordPress at least for a bit:

Otherwise, I would choose Pro plan and enable Managed WAF Rules, tune a bit and have less worry about it :wink:


The idea was to have a guide for the rest of the users as well that are on WordPress.
I’m looking for someone on Cloudflare to break down this with code.

Firewall Rule:
1.
2.
3.
4.
5.

IP Access Rules

User-Agent Blocking

I’m nowhere near a computer web security expert; I’m sure a lot of them are not.


I like that too.

I bet there cannot be a general rule of thumb to follow for all the same, but some sort of a scheme from my previous post works for me at least, and for approx. 65 WordPress websites (not only WordPress) which I do host.

I cannot guarantee I would do it for free. Furthermore, there are resources which contain Firewall expressions which we can actually use and combine into a single Firewall Rule.

Depends. I have 400+ blocked AS numbers, again, which may not be good for someone else.

Kindly check my linked post; it contains two or three other posts (different topics) on User-agent blocking lists and also the AS number lists - from other users who posted them originally (just sharing their great effort further).

Ok, updated the top content with what I have so far.

Remove all your rules and combine them into 1 rule, that will keep your options for other rules open.

WP Protection & NO-REFERER Plugin Block
(http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/inc/") or (http.request.uri.path contains "/admin/") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php") or (http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "YOUR-DOMAIN" and not cf.client.bot)
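To check what these path rules actually block before enabling them, here is an added Python model (not code from the thread) of the rule questioned earlier in the thread and of the combined rule above. The requests are constructed samples, `example.org` stands in for YOUR-DOMAIN, and `verified_bot` stands in for `cf.client.bot`.

```python
# Added example, not part of the original thread: mirrors the Cloudflare
# "contains" operator (case-sensitive substring) with Python's "in" so the
# two path rules can be exercised against constructed sample requests.
from dataclasses import dataclass

SITE = "example.org"  # placeholder for YOUR-DOMAIN in the combined rule


@dataclass
class Req:
    path: str
    referer: str = ""
    verified_bot: bool = False  # models cf.client.bot (Cloudflare-verified bot)


def original_rule(r: Req) -> bool:
    """The questioned rule: blocks every .php path except admin-ajax.php."""
    return ".php" in r.path and "/wp-admin/admin-ajax.php" not in r.path


def combined_rule(r: Req) -> bool:
    """The 'WP Protection & NO-REFERER Plugin Block' rule, term by term."""
    p = r.path
    return (
        "/xmlrpc.php" in p
        or "/inc/" in p
        or "/admin/" in p
        or "/wp-login.php" in p
        or ("/wp-admin/" in p
            and "/wp-admin/admin-ajax.php" not in p
            and "/wp-admin/theme-editor.php" not in p)
        or ("/wp-content/plugins/" in p
            and SITE not in r.referer
            and not r.verified_bot)
    )


# Constructed sample traffic: a visitor, the dashboard, an AJAX call, a
# plugin asset loaded from a page on the site, and the same asset fetched
# with no Referer header at all.
SAMPLES = [
    Req("/"),
    Req("/wp-admin/post.php"),
    Req("/wp-admin/admin-ajax.php"),
    Req("/wp-content/plugins/demo/style.css", referer="https://example.org/"),
    Req("/wp-content/plugins/demo/style.css"),
]


def evaluate(rule, reqs=SAMPLES):
    """Map each sample path to True (blocked) or False (allowed) under rule."""
    return {r.path: rule(r) for r in reqs}
```

Note that the Referer header is supplied by the client, so the plugins exception cuts noise from hotlinking but is not an access control.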


Then how else will we know what’s blocking, and on what path?
Once I find more options for the list, I’ll update it.

Because it will show the URL / file that triggered it. And after a while you don’t care nor look at it anymore, you just know that it will block. Now you have max 5 firewall rules in use and are limiting yourself massively.

Login Protection + Content Protection joined for extra Rule.

Does anyone know if this list will work under

User-Agent Blocking

(http.user_agent contains “360Spider”) or (http.user_agent contains “acapbot”) or (http.user_agent contains “acoonbot”) or (http.user_agent contains “ahrefs”) or (http.user_agent contains “alexibot”) or (http.user_agent contains “attackbot”) or (http.user_agent contains “backdorbot”) or (http.user_agent contains “becomebot”) or (http.user_agent contains “blackwidow”) or (http.user_agent contains “blekkobot”) or (http.user_agent contains “blowfish”) or (http.user_agent contains “bullseye”) or (http.user_agent contains “bunnys”) or (http.user_agent contains “butterfly”) or (http.user_agent contains “careerbot”) or (http.user_agent contains “casper”) or (http.user_agent contains “checkpriv”) or (http.user_agent contains “cheesebot”) or (http.user_agent contains “chinaclaw”) or (http.user_agent contains “choppy”) or (http.user_agent contains “cmsworld”) or (http.user_agent contains “copyrightcheck”) or (http.user_agent contains “datacha”) or (http.user_agent contains “demon”) or (http.user_agent contains “discobot”) or (http.user_agent contains “dotbot”) or (http.user_agent contains “dotnetdotcom”) or (http.user_agent contains “dumbot”) or (http.user_agent contains “emailcollector”) or (http.user_agent contains “emailsiphon”) or (http.user_agent contains “emailwolf”) or (http.user_agent contains “exabot”) or (http.user_agent contains “extract”) or (http.user_agent contains “eyenetie”) or (http.user_agent contains “feedfinder”) or (http.user_agent contains “flaming”) or (http.user_agent contains “foobot”) or (http.user_agent contains “g00g1e”) or (http.user_agent contains “gigabot”) or (http.user_agent contains “go-ahead-got”) or (http.user_agent contains “gozilla”) or (http.user_agent contains “grabnet”) or (http.user_agent contains “harvest”) or (http.user_agent contains “httrack”) or (http.user_agent contains “jetbot”) or (http.user_agent contains “jikespider”) or (http.user_agent contains “kmccrew”) or (http.user_agent eq “leechftp”) or (http.user_agent contains “linkextractor”) or (http.user_agent contains “linkscan”) or (http.user_agent contains “linkwalker”) or (http.user_agent contains “loader”) or (http.user_agent contains “masscan”) or (http.user_agent contains “miner”) or (http.user_agent contains “majestic”) or (http.user_agent contains “mechanize”) or (http.user_agent contains “netmechanic”) or (http.user_agent contains “netspider”) or (http.user_agent contains “ninja”) or (http.user_agent contains “octopus”) or (http.user_agent contains “pagegrabber”) or (http.user_agent contains “planetwork”) or (http.user_agent contains “postrank”) or (http.user_agent contains “proximic”) or (http.user_agent contains “purebot”) or (http.user_agent contains “pycurl”) or (http.user_agent contains “python”) or (http.user_agent contains “queryn”) or (http.user_agent contains “queryseeker”) or (http.user_agent contains “radiation”) or (http.user_agent contains “realdownload”) or (http.user_agent contains “rogerbot”) or (http.user_agent contains “scooter”) or (http.user_agent contains “seekerspider”) or (http.user_agent contains “siclab”) or (http.user_agent contains “sindice”) or (http.user_agent contains “sitebot”) or (http.user_agent contains “siteexplorer”) or (http.user_agent contains “sitesnagger”) or (http.user_agent contains “smartdownload”) or (http.user_agent contains “sosospider”) or (http.user_agent contains “spankbot”) or (http.user_agent contains “spbot”) or (http.user_agent contains “sqlmap”) or (http.user_agent contains “stackrambler”) or (http.user_agent contains “stripper”) or (http.user_agent contains “sucker”) or (http.user_agent contains “suzukacz”) or (http.user_agent contains “suzuran”) or (http.user_agent contains “teleport”) or (http.user_agent contains “telesoft”) or (http.user_agent contains “true_robots”) or (http.user_agent contains “turingos”) or (http.user_agent contains “vampire”) or (http.user_agent contains “webwhacker”) or (http.user_agent contains “woxbot”) or (http.user_agent contains “xaldon”) or (http.user_agent contains “yamanalab”) or (http.user_agent contains “zmeu”)

As a Firewall Rule, yes, but only if it does not exceed 4096 characters, which as far as I remember is the limit per rule.

The above one is 4072, which should be fine so far.

At least, I can add it “as-is” to my Firewall Rule using a CF Free plan.

And, just to add a note, use the " " quote character instead of “ ”, as otherwise you could get a warning pop-up message about an error in the expression.

Working one:

(http.user_agent contains "360Spider") or (http.user_agent contains "acapbot") or (http.user_agent contains "acoonbot") or (http.user_agent contains "ahrefs") or (http.user_agent contains "alexibot") or (http.user_agent contains "attackbot") or (http.user_agent contains "backdorbot") or (http.user_agent contains "becomebot") or (http.user_agent contains "blackwidow") or (http.user_agent contains "blekkobot") or (http.user_agent contains "blowfish") or (http.user_agent contains "bullseye") or (http.user_agent contains "bunnys") or (http.user_agent contains "butterfly") or (http.user_agent contains "careerbot") or (http.user_agent contains "casper") or (http.user_agent contains "checkpriv") or (http.user_agent contains "cheesebot") or (http.user_agent contains "chinaclaw") or (http.user_agent contains "choppy") or (http.user_agent contains "cmsworld") or (http.user_agent contains "copyrightcheck") or (http.user_agent contains "datacha") or (http.user_agent contains "demon") or (http.user_agent contains "discobot") or (http.user_agent contains "dotbot") or (http.user_agent contains "dotnetdotcom") or (http.user_agent contains "dumbot") or (http.user_agent contains "emailcollector") or (http.user_agent contains "emailsiphon") or (http.user_agent contains "emailwolf") or (http.user_agent contains "exabot") or (http.user_agent contains "extract") or (http.user_agent contains "eyenetie") or (http.user_agent contains "feedfinder") or (http.user_agent contains "flaming") or (http.user_agent contains "foobot") or (http.user_agent contains "g00g1e") or (http.user_agent contains "gigabot") or (http.user_agent contains "go-ahead-got") or (http.user_agent contains "gozilla") or (http.user_agent contains "grabnet") or (http.user_agent contains "harvest") or (http.user_agent contains "httrack") or (http.user_agent contains "jetbot") or (http.user_agent contains "jikespider") or (http.user_agent contains "kmccrew") or (http.user_agent eq "leechftp") or (http.user_agent contains "linkextractor") or (http.user_agent contains "linkscan") or (http.user_agent contains "linkwalker") or (http.user_agent contains "loader") or (http.user_agent contains "masscan") or (http.user_agent contains "miner") or (http.user_agent contains "majestic") or (http.user_agent contains "mechanize") or (http.user_agent contains "netmechanic") or (http.user_agent contains "netspider") or (http.user_agent contains "ninja") or (http.user_agent contains "octopus") or (http.user_agent contains "pagegrabber") or (http.user_agent contains "planetwork") or (http.user_agent contains "postrank") or (http.user_agent contains "proximic") or (http.user_agent contains "purebot") or (http.user_agent contains "pycurl") or (http.user_agent contains "python") or (http.user_agent contains "queryn") or (http.user_agent contains "queryseeker") or (http.user_agent contains "radiation") or (http.user_agent contains "realdownload") or (http.user_agent contains "rogerbot") or (http.user_agent contains "scooter") or (http.user_agent contains "seekerspider") or (http.user_agent contains "siclab") or (http.user_agent contains "sindice") or (http.user_agent contains "sitebot") or (http.user_agent contains "siteexplorer") or (http.user_agent contains "sitesnagger") or (http.user_agent contains "smartdownload") or (http.user_agent contains "sosospider") or (http.user_agent contains "spankbot") or (http.user_agent contains "spbot") or (http.user_agent contains "sqlmap") or (http.user_agent contains "stackrambler") or (http.user_agent contains "stripper") or (http.user_agent contains "sucker") or (http.user_agent contains "suzukacz") or (http.user_agent contains "suzuran") or (http.user_agent contains "teleport") or (http.user_agent contains "telesoft") or (http.user_agent contains "true_robots") or (http.user_agent contains "turingos") or (http.user_agent contains "vampire") or (http.user_agent contains "webwhacker") or (http.user_agent contains "woxbot") or (http.user_agent contains "xaldon") or (http.user_agent contains "yamanalab") or (http.user_agent contains "zmeu")
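To keep a list like this maintainable, here is an added Python helper (not code from the thread) that builds the expression from a plain list of substrings with straight ASCII quotes, checks it against the 4096-character limit quoted above, splits it into several rules when it would not fit, and mirrors Cloudflare's case-sensitive `contains` so you can see which User-Agent strings a list really matches. The list embedded here is a constructed subset of the one posted; the builder uses `contains` for every entry, whereas the posted list uses `eq` once.

```python
# Added example, not part of the original thread. Builds and sanity-checks
# a User-Agent blocking expression in Cloudflare rule syntax.
RULE_LIMIT = 4096  # per-rule expression length limit quoted in the thread

# Constructed subset of the posted list; paste the full list here to check it.
UA_BLOCKLIST = ["360Spider", "acapbot", "ahrefs", "httrack", "masscan",
                "sqlmap", "python", "pycurl", "zmeu"]


def build_ua_expression(names, field="http.user_agent"):
    """Join one 'contains' term per name with 'or', using ASCII double quotes."""
    return " or ".join(f'({field} contains "{n}")' for n in names)


def has_curly_quotes(expr):
    """True if the expression holds the curly quotes that break the parser."""
    return any(c in expr for c in "\u201c\u201d")


def check_length(expr, limit=RULE_LIMIT):
    """Return (fits, length, remaining) so the headroom is visible."""
    return len(expr) <= limit, len(expr), limit - len(expr)


def split_for_limit(names, limit=RULE_LIMIT):
    """Split a blocklist into chunks whose expressions each fit the limit."""
    chunks, current = [], []
    for n in names:
        if len(build_ua_expression(current + [n])) > limit and current:
            chunks.append(current)
            current = [n]
        else:
            current.append(n)
    if current:
        chunks.append(current)
    return chunks


def rule_matches(names, user_agent):
    """Mirror Cloudflare 'contains': a case-sensitive substring test."""
    return any(n in user_agent for n in names)


if __name__ == "__main__":
    expr = build_ua_expression(UA_BLOCKLIST)
    print(expr)
    print("curly quotes:", has_curly_quotes(expr), "length:", check_length(expr))
```

Because the match is case-sensitive, an entry such as "pycurl" does not match a "PycURL/7.x" header; keep that in mind when judging how much a list of lowercase names really covers.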

I have put that info in this guide for the users here:

but I just wanted to know how User-Agent Blocking works and what the layout is for free users?


I believe entering them one by one, limited to 10 on the Free plan - using Firewall Rules seems to be the better and the right way so far:


Page Rule for FREE USERS updated on the page


WP Rocket IP Allow List added

WordPress Caching Plugin


Rules Transform Rules

HTTP Response Header Modification rule

Share but cover your IP and website :stuck_out_tongue:

Updated 13/12/21 :+1:

The code is working but I am getting display issues on the website; does anyone know the fix?
Is the above code correct?