Protect your WordPress Site with Cloudflare Firewall Rules

Cloudflare Firewall Rules are custom rules that you can create to protect certain parts and files of your website.

If you subscribe to newsletters of WordPress security services, you will find that vulnerabilities are found even in popular plugins such as SEOPress, WP Fastest Cache, WP Code, Elementor Pro, etc.

If you have a content site like mine, creating Cloudflare Firewall Rules will secure your sites better than some WordPress security plugins do, because:

  • Some security plugins don’t have a Firewall.
  • You have to pay hundreds of dollars a year to protect all sites you own.

Cloudflare Firewall Rules protect sensitive areas or files before a vulnerability is found in a plugin, theme, or WordPress and the only price that you will have to pay is a few minutes of your time.

I am going to explain how to protect your WordPress site with Cloudflare Firewall Rules so you don’t have to worry about installing security plugins.


How to Protect PHP Files using CloudFlare

Your site must already be added to Cloudflare before you can apply these security measures.

In the Cloudflare dashboard, open your site, go to the Firewall tab, and then to Firewall Rules.

There you will find that you can create up to five CloudFlare Firewall Rules for free.

Take this into account:

  • The rule name can be whatever you want
  • There are plenty of options to choose from in the “Field” dropdown menu, choose URI Path.
  • In Operator, choose “Contains”
  • In Value, write .php
  • And in action choose “Block”

This is how your CloudFlare Firewall rule should look:

The rule says that every time a request whose path contains “.php” is made, the visitor or bot will be blocked from your site.

This rule is protecting your default login pages, the wp-config file, the XMLRPC file, and the rest of the existing and non-existing PHP files in your WordPress sites.

Create the rule, let it run, and then request one of those files yourself to confirm that the request is blocked.

Whitelisting your IP Address

Since that rule blocks your default login page, you have to whitelist your IP address to make sure you and others don’t get blocked by it.

Add your IP address, allow it, and make sure this applies to all websites in your account and give this IP access rule any name that you want.

Also, give the same treatment to your server IP address.

Your server IP address may or may not need to be whitelisted, but do it anyway to avoid possible issues.

If your home IP changes, do the process again and add your new home IP or Server IP.

Creating More Rules

You can create more rules to discourage bots from visiting your site, but you have to figure that out yourself.

I don’t know what hackers and bots are looking for on your WordPress sites these days.

These are my rules. I call this “Super Firewall” since it works for me.

(http.request.uri.path contains ".php") or (http.request.uri.path contains ".zip") or (http.request.uri.path contains ".rar") or (http.request.uri.path contains ".bak") or (http.request.uri.path contains ".bat") or (http.request.uri.path contains ".htacc") or (http.request.uri.path contains ".htpas") or (http.request.uri.path contains ".pass") or (http.request.uri.path contains ".cmd") or (http.request.uri.path contains ".mdb") or (http.request.uri.path contains ".cfg") or (http.request.uri.path contains ".git") or (http.request.uri.path contains ".hg") or (http.request.uri.path contains ".out") or (http.request.uri.path contains ".swp") or (http.request.uri.path contains ".sql") or (http.request.uri.path contains ".exe") or (http.request.uri.path contains ".ini") or (http.request.uri.path contains ".dll") or (http.request.uri.path contains ".tar") or (http.request.uri.path contains ".bash") or (http.request.uri.path contains ".cgi") or (http.request.uri.path contains ".asp") or (http.request.uri.path contains ".jsp") or (http.request.uri.path contains ".PHP") or (http.request.uri.path contains ".PhP") or (http.request.uri.path contains ".gz") or (http.request.uri.path contains ".dat") or (http.request.uri.path contains ".tgz") or (http.request.uri.path contains ".7z") or (http.request.uri.path contains ".bz2") or (http.request.uri.path contains ".env") or (http.request.uri.path contains "/login") or (http.request.uri.path contains "/admin") or (http.request.uri.path contains "register") or (http.request.uri.path contains "account") or (http.request.uri.query contains "author=") or (http.request.uri.path contains "dashboard") or (http.request.uri.path contains "new-site") or (http.request.uri.path contains "old-site") or (http.request.uri.path contains "cms") or (http.request.uri.path contains "old-wp") or (http.request.uri.path contains "upload_file") or (http.request.uri.path contains "vuln.htm") or (http.request.uri.path contains "FCKeditor") or (http.request.uri.path contains "graphql") or (http.request.uri.path contains "allowurl") or (http.request.uri.path contains "null") or (http.request.uri.path contains "trackback") or (http.request.uri.path contains "humans.txt") or (http.request.uri.path contains "/localhost") or (http.request.uri.path contains "var/log") or (http.request.uri.path contains "security.txt") or (http.request.uri.path contains "database") or (http.request.uri.path contains "ftp") or (http.request.uri.path contains "xxxss") or (http.request.uri.path contains "bak") or (http.request.uri.path contains "bk") or (http.request.uri.path contains "tmp") or (http.request.uri.path contains "changelog") or (http.request.uri.path contains "debug") or (http.request.uri.path contains "download") or (http.request.uri.path contains "undefined") or (http.request.uri.path contains "/https:/") or (http.request.uri.path contains "dbweb") or (http.request.uri.path contains "xampp") or (http.request.uri.path contains "PMA") or (http.request.uri.path contains "pma") or (http.request.uri.query contains "pubkey") or (http.request.uri.query contains "/blank") or (http.request.uri.path contains "staging") or (http.request.uri.path contains "magento") or (http.request.uri.path contains "2018/wp") or (http.request.uri.path contains "2019/wp") or (http.request.uri.path contains "site/wp") or (http.request.uri.path contains "/demo/wp") or (http.request.uri.path contains "/old/wp") or (http.request.uri.path contains "/portal") or (http.request.uri.path contains "drupal.js") or (http.request.uri.path contains "/v1/wp") or (http.request.uri.path contains "/dev") or (http.request.uri.path contains "/wallet") or (http.request.uri.path contains "/mariadb") or (http.request.uri.path contains "/db") or (http.request.uri.path contains "/oldsite")

You can create a rule and then copy and paste the expression from above using the “Expression builder” option.

Add it, deploy it, and then remove any terms that would block URLs your site visitors actually need (the terms match anywhere in the path, so a word like “download” also matches a post slug such as /free-download/).

As far as I know, if you have a content site, I don’t see why somebody would visit links containing those words.
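To see what the “.php” rule and the “Super Firewall” expression actually match before deploying them, here is a small simulator of the subset of Cloudflare’s rule language the page uses (path/query fields, the case-sensitive “contains” operator, terms joined by “or”). It is an added example, not the page’s or Cloudflare’s code; the sample URLs and the 203.0.113.5 client address are constructed, and the IP allow-list check stands in for the IP access rule the page tells you to create.

```python
import re
from urllib.parse import urlsplit

# Terms of the form (<field> contains "<literal>") joined by "or": the only
# constructs this page's rules use. Anything else is rejected by parse_rule.
TERM = re.compile(r'\((http\.request\.uri\.(?:path|query)) contains "([^"]*)"\)')

def parse_rule(expression):
    """Split an or-only expression into (field, literal) pairs."""
    terms = TERM.findall(expression)
    if not terms:
        raise ValueError("no '<field> contains \"...\"' terms found")
    return terms

def request_fields(url):
    """Map a request URL onto the two Cloudflare fields the rules read.
    http.request.uri.query is the query string without the leading '?',
    so a literal that starts with '?' can never match it."""
    parts = urlsplit(url)
    return {"http.request.uri.path": parts.path,
            "http.request.uri.query": parts.query}

def matching_terms(expression, url):
    """Return the terms that fire for this URL; 'contains' is case-sensitive."""
    fields = request_fields(url)
    return [(f, lit) for f, lit in parse_rule(expression) if lit in fields[f]]

def is_blocked(expression, url, client_ip=None, allowed_ips=()):
    """Block decision. allowed_ips models the IP access rule the page relies
    on: an allowed client is never blocked by the firewall expression."""
    if client_ip in allowed_ips:
        return False
    return bool(matching_terms(expression, url))

# Constructed samples: the page's first rule plus two query-string variants
# (the query field never contains '?', so only the second one can match).
PHP_RULE = '(http.request.uri.path contains ".php")'
AUTHOR_BROKEN = '(http.request.uri.query contains "?author")'
AUTHOR_FIXED = '(http.request.uri.query contains "author=")'

if __name__ == "__main__":
    for url in ("https://example.com/wp-login.php",
                "https://example.com/wp-admin/admin-ajax.php",
                "https://example.com/2024/01/hello-world/",
                "https://example.com/INDEX.PHP"):
        print(url, "blocked" if is_blocked(PHP_RULE, url) else "allowed")
    for rule in (AUTHOR_BROKEN, AUTHOR_FIXED):
        print(rule, matching_terms(rule, "https://example.com/?author=1"))
```

Two things the run makes visible: /wp-admin/admin-ajax.php is blocked too, so plugins that call it from the front end will break for non-whitelisted visitors, and “.php” does not match “/INDEX.PHP”, which is why the longer expression repeats the term in other letter cases.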

In the overview tab, you can see who is getting blocked by the rule.

Conclusion

I hope this has been really useful. If you still want to use a security plugin, choose one that is really lightweight and follow other common security measures.

No security measure will protect you 100% if you make stupid mistakes regarding the security of your WordPress site.

If you use nulled plugins or your computer is full of illegal software, you might get what you deserve sooner or later.

If you have a horrible hosting provider, you also might get what you paid for sooner or later.


Manuel Campos, English Professor

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.

© 2024 WP SURFER • Made with Love in Costa Rica