Cloudflare Firewall Rules are custom rules that you can create to protect certain parts and files of your website.
If you subscribe to newsletters of WordPress security services, you will find that vulnerabilities have been found even in popular plugins such as SEOPress, WP Fastest Cache, WP Code, Elementor Pro, etc.
If you have a content site like mine, creating CloudFlare Firewall Rules will secure your sites better than some WordPress Security plugins do.
Cloudflare Firewall Rules protect sensitive areas or files and the only price that you will have to pay is a few minutes of your time.
I am gonna explain how to protect your WordPress site with CloudFlare Firewall Rules.
Table of Contents
- Types of Attacks Made to WordPress Websites
- Three Layers of Security
- Let’s Protect WordPress
- Approaches to Security with CloudFlare Firewall Rules
- A Better Approach to Security
- Whitelist your Home or Server IP Address
- Protect PHP Files using CloudFlare (Path Level)
- More File Extensions to Block (Path Level)
- Block Query Strings
- My CloudFlare Firewall Rules
- Frequently Asked Questions
- Conclusion
Types of Attacks Made to WordPress Websites
To Protect your WordPress website, you will have to protect your site at the:
- Path Level
- Query String Level.
At the path level, attackers attempt to exploit vulnerabilities in specific paths, such as:
https://example.com/wp-admin.php/
Query string level refers to the parameters passed via URLs that can interact with your database or server. Attackers often exploit this level through SQL injection, cross-site scripting (XSS), and other similar attacks by inserting malicious code into query strings.
https://example.com/search?query=<script>alert('Hacked!');</script>
Attackers also combine a targeted path, such as a login page, with a malicious query string to execute XSS attacks.
https://example.com/wp-login.php?redirect_to=<script>alert('Hacked!');</script>
All attacks you may encounter, and which you should aim to mitigate, will be associated with malicious intentions targeting either the path or query string level.
Three Layers of Security
Let’s understand these concepts:
- CDN security: Cloudflare provides a Content Delivery Network (CDN) that sits in front of your website and enhances its security. CloudFlare Firewall Rules can stop most attacks before they reach your server.
- Application security refers to the measures you take to protect your website. This includes practices like using strong, unique passwords, regularly updating your themes and plugins, and implementing security features such as application level firewalls and two-factor authentication.
- Server security focuses on securing the infrastructure that hosts your website. This includes configuring the server correctly, applying security updates, securing server files, using firewalls, and limiting server access to only authorized users.
So: (1) make the best CloudFlare Firewall Rules possible, (2) learn basic security measures, with or without plugins, and (3) use a reliable hosting provider and avoid shared hosting.
Let’s Protect WordPress
I know that people expect to copy a few rules and then pretend that nothing will ever happen to their sites.
Before you rely on rules created by others, download WordPress, unzip the folder and explore what’s in there.
You don’t have to be a coder to understand that there are three main folders:
#1 | wp-content |
#2 | wp-admin |
#3 | wp-includes |
The root also contains files, most of them PHP files.
- Do you know where the images you upload to your site are stored?
- Where are the plugins installed?
You don’t need to be a coder to understand where things are on your WordPress installation.
If you go to your website, you can view the source code of your pages and see which CSS and scripts make your website look and work the way it does.
The more you know about WordPress, the more that you will be able to protect it.
Approaches to Security with CloudFlare Firewall Rules
This is the most common approach:
You get obsessed with blocking access to certain sensitive files or areas of your site: you block access to PHP files, the .htaccess file, folders, etc.
That takes a lot of work, since you are not a hacker and don’t know what hackers want.
If you check your logs, you will also find that bots sometimes scan for things that exist on your site:
https://example.com/wp-admin.php/
Bots also scan for things that might not be on your site, like:
https://example.com/wordpress.zip
Why do they do that?
Because at some point, somebody was ignorant enough to store a backup on the root of his/her website.
It takes a lot of work to know what you don’t know.
A Better Approach to Security
A better approach is to learn the structure of your WordPress site well, and then:
- Whitelist what you and your visitors need.
- Block access to everything else.
What do I mean by that?
- Whitelist the uploads folder where your images are.
- Whitelist the specific stylesheets and scripts your site needs to look good and work.
- Block access to everything else, including any URI that contains a “.”
Make an effort to understand what your site is and don’t spend so much time thinking about what your site is not.
The best rules that you will be able to make won’t be the ones that you copy from someone else.
Whitelist your Home or Server IP Address
You have to whitelist some IP addresses to make sure you and others don’t get blocked by the rules you are about to create.
Add your IP address, allow it, and make sure this applies to all websites in your account and give the IP address access rule any name that you want.
Also, give the same treatment to your server IP address so CRON jobs are not blocked by CloudFlare.
If your home IP changes, do the process again and add your new home IP or Server IP.
You can also whitelist your country or Internet service provider.
This is not done as part of your CloudFlare Firewall Rules.
If you have other ideas for whitelisting legitimate users and traffic, you can create a rule for that too.
Protect PHP Files using CloudFlare (Path Level)
Go to your site on CloudFlare, then to Security, then WAF, and then to Custom Rules.
There you will find that you can create up to five CloudFlare Firewall Rules for free.
Take this into account:
- The rule name can be whatever you want.
- There are plenty of options to choose from in the “Field” drop-down menu; choose URI Path.
- In Operator, choose “Contains”.
- In Value, write .php
- In Action, choose “Block”.
This is how your CloudFlare Firewall rule should look:
The rule says that every time a request whose URI path contains .php is made, the visitor or bot is blocked from your site.
This rule is protecting your default login pages, the wp-config file, the XML-RPC file, and the rest of the existing and non-existing PHP files on your WordPress sites.
To understand the importance of this rule, you can download WordPress from WordPress.org, unzip the file and see that most files from the installation are PHP files.
Most attacks on WordPress sites involve PHP files, so blocking access to them when visitors don’t need it is critical to your site’s security.
This is a report from WordFence in which the exploit has to do with a PHP file.
This is another report from WordFence telling users that .PHP files were part of an attack campaign.
In case you have to let your users or a service access some .php files, consider whitelisting those files.
For example, if you want to receive post comments, create a firewall rule to whitelist wp-comments-post.php.
If you want to learn more about why you should block access to PHP files, consider reading tip #3 from 13 extra things we do for better WordPress Security
More File Extensions to Block (Path Level)
You can create more rules to discourage bots from visiting your site, but you have to figure out which ones your site needs yourself.
Assuming you don’t have any of these file types on your site, you can easily block them following the same steps as before.
#1 | .zip |
#2 | .rar |
#3 | .bak |
#4 | .bat |
#5 | .htacc |
#6 | .tar |
#7 | .env |
#8 | .tgz |
#9 | .7z |
#10 | .sql |
#11 | .xz |
#12 | .yml |
#13 | .aws |
#14 | .alfa |
#15 | .zlib |
#16 | .bk |
#17 | .bz2 |
#18 | .dat |
#19 | .gz |
#20 | .py |
#21 | .jsp |
#22 | .asp |
#23 | .cgi |
#24 | .bash |
#25 | .dll |
#26 | .hg |
#27 | .git |
#28 | .cfg |
#29 | .mdb |
#30 | .htpas |
#31 | .pass |
#32 | .out |
#33 | .cmd |
#34 | .swp |
#35 | .exe |
#36 | .ini |
#37 | .phtml |
#38 | .md |
#39 | .axd |
#40 | .log |
#41 | .sqlite |
#42 | .hash |
#43 | .cfm |
#44 | .txt |
#45 | .html |
This is the expression in case you want to modify it:
(http.request.uri contains ".zip") or (http.request.uri contains ".rar") or (http.request.uri contains ".bak") or (http.request.uri contains ".bat") or (http.request.uri contains ".htacc") or (http.request.uri contains ".tar") or (http.request.uri contains ".env") or (http.request.uri contains ".tgz") or (http.request.uri contains ".7z") or (http.request.uri contains ".sql") or (http.request.uri contains ".xz") or (http.request.uri contains ".yml") or (http.request.uri contains ".aws") or (http.request.uri contains ".alfa") or (http.request.uri contains ".zlib") or (http.request.uri contains ".bk") or (http.request.uri contains ".bz2") or (http.request.uri contains ".dat") or (http.request.uri contains ".gz") or (http.request.uri contains ".py") or (http.request.uri contains ".jsp") or (http.request.uri contains ".asp") or (http.request.uri contains ".cgi") or (http.request.uri contains ".bash") or (http.request.uri contains ".dll") or (http.request.uri contains ".hg") or (http.request.uri contains ".git") or (http.request.uri contains ".cfg") or (http.request.uri contains ".mdb") or (http.request.uri contains ".htpas") or (http.request.uri contains ".pass") or (http.request.uri contains ".out") or (http.request.uri contains ".cmd") or (http.request.uri contains ".swp") or (http.request.uri contains ".exe") or (http.request.uri contains ".ini") or (http.request.uri contains ".phtml") or (http.request.uri contains ".md") or (http.request.uri contains ".axd") or (http.request.uri contains ".log") or (http.request.uri contains ".sqlite") or (http.request.uri contains ".hash") or (http.request.uri contains ".cfm") or (http.request.uri contains ".txt") or (http.request.uri contains ".html")
I collected those from my Cloudflare firewall logs.
If you do have to give access to files such as robots.txt, ads.txt or any other important file, include them in the whitelist rule and let Cloudflare block the rest.
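To try a rule against sample requests before deploying it, here is an added example, written for this article and not Cloudflare's own code: a small Python evaluator for the subset of the Cloudflare Rules language used on this page (the three URI fields, contains and eq, and/or/not, parentheses, and the lower() and url_decode() functions). It serves both the PHP rule above and the extension rule; the URLs and the wp-comments-post.php exception come from the text, everything else is constructed. One caveat it makes visible: the extension expression above uses http.request.uri, which is the path plus the query string, while the PHP rule was built on URI Path, so a request like /download/?file=site.zip matches the former but not a path-only rule.

```python
import re
from urllib.parse import unquote, urlsplit

# Added example, not Cloudflare's engine: evaluates the subset of the Cloudflare
# Rules language used on this page against sample URLs.  Assumption: no URL
# normalization is applied before matching.

def request_fields(url):
    parts = urlsplit(url)
    path, query = parts.path or "/", parts.query
    return {"http.request.uri.path": path, "http.request.uri.query": query,   # path only / query only
            "http.request.uri": path + ("?" + query if query else "")}        # path + query

TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|"((?:[^"\\]|\\.)*)"|([A-Za-z_][\w.]*))')
FUNCS = {"lower": str.lower, "url_decode": unquote}

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad input at offset {pos}: {expr[pos:pos + 10]!r}")
        kind = "(" if m.group(1) else ")" if m.group(2) else "str" if m.group(3) is not None else "word"
        tokens.append((kind, m.group(3) if kind == "str" else m.group(4)))
        pos = m.end()
    return tokens

class Parser:
    """Recursive descent that evaluates while parsing; precedence: or < and < not < comparison."""
    def __init__(self, tokens, fields):
        self.toks, self.i, self.fields = tokens, 0, fields

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind):
        tok = self.peek()
        if tok[0] != kind:
            raise ValueError(f"expected {kind!r}, got {tok}")
        self.i += 1
        return tok[1]

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == ("word", "or"):
            self.take("word")
            right = self.and_expr()      # always parsed, so syntax errors never hide
            left = left or right
        return left

    def and_expr(self):
        left = self.not_expr()
        while self.peek() == ("word", "and"):
            self.take("word")
            right = self.not_expr()
            left = left and right
        return left

    def not_expr(self):
        if self.peek() == ("word", "not"):
            self.take("word")
            return not self.not_expr()
        if self.peek() == ("(", None):
            self.take("(")
            inner = self.or_expr()
            self.take(")")
            return inner
        return self.comparison()

    def comparison(self):
        value, op, literal = self.value(), self.take("word"), self.take("str")
        if op == "contains":
            return literal in value      # case-sensitive, like Cloudflare's contains
        if op == "eq":
            return value == literal
        raise ValueError(f"unsupported operator {op!r}")

    def value(self):
        name = self.take("word")
        if name in FUNCS:                # e.g. lower(http.request.uri.path)
            self.take("(")
            inner = self.value()
            self.take(")")
            return FUNCS[name](inner)
        if name not in self.fields:
            raise ValueError(f"unsupported field {name!r}")
        return self.fields[name]

def evaluate(expr, url):
    """True when the rule expression matches a request for the given URL."""
    parser = Parser(tokenize(expr), request_fields(url))
    result = parser.or_expr()
    if parser.peek()[0] is not None:
        raise ValueError(f"trailing tokens from {parser.peek()}")
    return result

PHP_RULE = 'http.request.uri.path contains ".php"'   # the page's PHP rule as an expression
PHP_RULE_WITH_EXCEPTION = PHP_RULE + ' and not (http.request.uri.path eq "/wp-comments-post.php")'  # comment form kept open
EXT_RULE = '(http.request.uri contains ".zip") or (http.request.uri contains ".env")'  # two terms of the page's rule; uri = path + query

if __name__ == "__main__":
    for rule, url in [(PHP_RULE, "https://example.com/wp-login.php"),
                      (EXT_RULE, "https://example.com/download/?file=site.zip")]:
        print("BLOCK" if evaluate(rule, url) else "allow", url, "<-", rule)
```

Cloudflare's contains is case-sensitive, which is why the evaluator also accepts lower(); it applies no URL normalization, whereas a zone may normalize incoming URLs before rules run, so check that setting when comparing results with what you see in the firewall log.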
Block Query Strings
In case you want to block malicious query strings, here are some keywords to block with your firewall.
#1 | script |
#2 | user |
#3 | select |
#4 | cast |
#5 | concat |
#6 | pass |
#7 | shell |
#8 | panel |
#9 | passwd |
#10 | config |
#11 | md5 |
#12 | flush |
#13 | alert |
#14 | password |
#15 | union |
#16 | from |
#17 | convert |
#18 | api |
#19 | mod |
#20 | eval |
#21 | char |
#22 | login |
#23 | pwd |
#24 | domain |
#25 | author |
#26 | var |
If you use the query string field, you don’t have to worry about these words appearing in your post URLs (the path).
(http.request.uri.query contains "script") or (http.request.uri.query contains "password") or (http.request.uri.query contains "user") or (http.request.uri.query contains "union") or (http.request.uri.query contains "select") or (http.request.uri.query contains "from") or (http.request.uri.query contains "cast") or (http.request.uri.query contains "convert") or (http.request.uri.query contains "concat") or (http.request.uri.query contains "api") or (http.request.uri.query contains "pass") or (http.request.uri.query contains "mod") or (http.request.uri.query contains "shell") or (http.request.uri.query contains "eval") or (http.request.uri.query contains "panel") or (http.request.uri.query contains "char") or (http.request.uri.query contains "passwd") or (http.request.uri.query contains "login") or (http.request.uri.query contains "config") or (http.request.uri.query contains "pwd") or (http.request.uri.query contains "md5") or (http.request.uri.query contains "domain") or (http.request.uri.query contains "flush") or (http.request.uri.query contains "alert") or (http.request.uri.query contains "attr=") or (http.request.uri.query contains "array")
You can create a rule and then copy and paste the expression from above using the “Expression builder” option.
You can add it, deploy and remove words that might be blocking visitors.
If you have a content site, I don’t see why somebody would visit links containing those words, but you never know.
Let me be honest here.
- Most query string attacks are blocked at the path level if you have a robust firewall.
- When it comes to query string attacks, you have to understand that those attacks can use encoded characters that will bypass the Firewall.
- So in addition to words, you should add some of the common characters used for encoding.
- If your site is 100% content, with no forms connected to the database, consider redirecting every request that carries a query string to the same URL without it (the path only).
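As an added illustration of the encoding point above (not code from the article), this Python snippet compares what a raw, case-sensitive contains on the query string sees with a decoded, case-folded view, using a handful of the page's keywords and constructed sample query strings. In the Cloudflare Rules language the equivalent normalization is lower(url_decode(http.request.uri.query)); the last sample shows the false positive that the author's advice to remove words which block real visitors is about.

```python
from urllib.parse import unquote

# Added example (not Cloudflare's code): raw versus normalized keyword matching
# on a query string.  KEYWORDS is a subset of the page's list.
KEYWORDS = ("script", "select", "union", "eval", "alert", "user", "from")

def normalize_query(query, max_rounds=3):
    """Percent-decode until stable (bounded, so nested encoding cannot loop), then lowercase."""
    current = query
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()

def raw_hits(query):
    """Keywords a case-sensitive contains on the raw query matches (Cloudflare's default)."""
    return [k for k in KEYWORDS if k in query]

def normalized_hits(query):
    """Keywords matched after decoding and case-folding, as lower(url_decode(...)) would."""
    norm = normalize_query(query)
    return [k for k in KEYWORDS if k in norm]

# Constructed sample query strings (not real traffic), keyed by what each shows
SAMPLES = {
    "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E": "encoded tags; 'script' and 'alert' are visible either way",
    "id=1%20UNION%20SELECT%201":             "upper-case keywords: the raw contains misses them",
    "username=alice&utm_from=newsletter":     "legitimate request that trips 'user' and 'from'",
}

if __name__ == "__main__":
    for query, note in SAMPLES.items():
        print(f"{query}\n  raw={raw_hits(query)} normalized={normalized_hits(query)}  # {note}")
```

Tuning means deciding per keyword whether the normalized view is worth the extra false positives: a word like "user" will block a harmless username= parameter no matter how it is decoded, while the upper-case sample is only caught once the match is case-insensitive.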
My CloudFlare Firewall Rules
I have implemented several methods to secure my WordPress sites and these could change but this is probably my best foundation for the CloudFlare Firewall.
Rule | Reason |
#1 | Whitelist Files & Folders |
#2 | Block Files & Folders |
#3 | Firewall Log |
So this is what I do exactly:
I whitelist:
- All the styles and scripts that my sites load in the front end
- Specific files such as ads.txt or robots.txt
- Specific folders such as the folder with my images.
- Additional URLs
I block access to:
- All file extensions
- All WordPress root folders such as /wp-admin/, /wp-content/, /wp-includes/
I create a rule to log traffic so I can build an even more robust firewall.
So my approach is all about whitelisting and whatever is not whitelisted will be blocked.
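The whitelist-first approach described in this section, modelled as an added Python example (not the author's rules and not Cloudflare's code): an ordered rule list where the first terminating match decides, with skip rules for the IP allowlist, front-end assets, uploaded images, named files and the comment form placed ahead of the block rules, and a log rule last. All IP ranges, theme paths and extensions are constructed assumptions. Note that the uploads rule checks the folder and an image extension together: whitelisting the folder alone would also let a .php file under /wp-content/uploads/ past the extension block.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Added example (not Cloudflare's code): "whitelist what is needed, block
# everything else" as an ordered rule list.  Every range, path and extension
# below is a constructed assumption; "skip" stands in for the rule action that
# lets a request bypass the remaining block rules.
HOME_NET = ip_network("203.0.113.0/24")     # constructed: home ISP range (TEST-NET-3)
SERVER_IP = ip_address("198.51.100.10")     # constructed: the web server, so cron is not blocked
ASSET_PREFIXES = ("/wp-content/themes/mytheme/", "/wp-content/plugins/myslider/")
STATIC_EXT = (".css", ".js", ".woff2", ".svg")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".webp")
NAMED_FILES = {"/robots.txt", "/ads.txt", "/sitemap.xml"}
CORE_FOLDERS = ("/wp-admin/", "/wp-content/", "/wp-includes/")

# (name, action, predicate), evaluated top to bottom; "log" records and continues.
RULES = [
    ("skip home and server IPs", "skip",
     lambda r: r["ip"] in HOME_NET or r["ip"] == SERVER_IP),
    ("skip front-end styles and scripts", "skip",
     lambda r: r["path"].startswith(ASSET_PREFIXES) and r["path"].endswith(STATIC_EXT)),
    # folder AND image extension, so only images under uploads are let through
    ("skip uploaded images", "skip",
     lambda r: r["path"].startswith("/wp-content/uploads/") and r["path"].lower().endswith(IMAGE_EXT)),
    ("skip named files", "skip", lambda r: r["path"] in NAMED_FILES),
    ("skip comment form", "skip", lambda r: r["path"] == "/wp-comments-post.php"),
    ("block any extension", "block", lambda r: "." in r["path"]),
    ("block core folders", "block", lambda r: r["path"].startswith(CORE_FOLDERS)),
    ("log everything else", "log", lambda r: True),
]

def decide(client_ip, url):
    """Return (action, rule name) of the first terminating rule for this request."""
    parts = urlsplit(url)
    req = {"ip": ip_address(client_ip), "path": parts.path or "/", "query": parts.query}
    for name, action, matches in RULES:
        if not matches(req):
            continue
        if action == "log":
            print("LOG", name, url)     # the page's log rule: record and keep evaluating
            continue
        return action, name
    return "pass", "no terminating rule matched"

if __name__ == "__main__":
    for ip, url in [("203.0.113.7", "https://example.com/wp-admin/"),
                    ("192.0.2.1", "https://example.com/wp-login.php"),
                    ("192.0.2.1", "https://example.com/2024/my-post/"),
                    ("192.0.2.1", "https://example.com/wp-content/uploads/2024/photo.jpg"),
                    ("192.0.2.1", "https://example.com/wp-content/uploads/2024/upload.php")]:
        print(decide(ip, url), url)
```

Order is the whole point: every skip rule sits above the block rules, so a request is only judged by the block rules after it has failed every whitelist, and a normal post URL with no dot and outside the core folders reaches the log rule and passes.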
Frequently Asked Questions
These are my answers to some of the questions you might have:
Do I Block Tor?
No. If you are a legitimate user trying to check my content, I don’t care what browser you use.
Sometimes I use Tor.
If Tor is used for malicious purposes, my rules should be able to block those attacks.
Should I focus on Query Strings?
Malicious query strings are usually part of bot attacks, but most of them are blocked at the Path Level, since query string attacks usually target .php files.
Do I Block User Agents?
I have blocked user agents in the past, but I don’t anymore.
Why?
Because legitimate companies are transparent and show you who they are.
Besides that, the only real user agents you will be able to spot are the ones who are not smart enough to change their user agent.
You can change your user agent to whatever you want.
Do I Block Countries?
I have challenged countries in the past, but I don’t feel good about that anymore.
If you are protecting the sensitive areas of your site, let people visit it, especially if your content serves a worldwide audience.
I don’t want to stop people from checking my sites.
If your rules are as robust as you think they are, let people in.
Do I Block Hosting, VPN or other Internet companies?
No.
I don’t block hosting providers because some legitimate services on the internet use them.
Ahrefs relies on OVH.
If you make money with display ads, there is probably a service using Amazon Web Services.
Making a list of crappy hosting providers or internet providers takes a lot of work, and you will never get it 100% right.
You have to know the internet really well to be able to block using AS Numbers.
If you are going to make a list of crappy companies and block them by AS number, why don’t you spend that time learning your site well and creating a robust firewall like I did?
I bet that you are going to block companies that serve a legitimate purpose and real users.
Conclusion
I hope this has been really useful. If you still want to use a security plugin, use one which is really light and follow other common security measures.
No security measure will protect you 100% if you make stupid decisions regarding the security of your WordPress site or sites.
If you use nulled plugins and your computer is full of illegal software, you might get what you deserve sooner or later.
If you have a horrible hosting provider, you also might get what you paid for sooner or later.