Cloudflare Firewall Rules are custom rules that you can create to protect certain parts and files of your website.
If you subscribe to newsletters of WordPress security services, you will find that vulnerabilities have been found even in popular plugins such as SEOPress, WP Fastest Cache, WP Code, Elementor Pro, etc.
If you have a content site like mine, creating CloudFlare Firewall Rules will secure your sites better than some WordPress Security plugins do.
Cloudflare Firewall Rules protect sensitive areas or files and the only price that you will have to pay is a few minutes of your time.
I am gonna explain how to protect your WordPress site with CloudFlare Firewall Rules.
Table of Contents
How to Protect PHP Files using CloudFlare
Your site must be added to CloudFlare at this point so you can apply these security measures.
Go to your site on CloudFlare and then go to the Security, then WAF and then to Custom Rules
There you will find that you can create up to five CloudFlare Firewall Rules for free.
Take this into account:
- The rule name can be whatever you want
- There are plenty of options to choose from in the “Field” drop-down menu, choose URI.
- In Operator, choose “Contains”
- In Value, write .php
- And in action choose “Block”
This is how your CloudFlare Firewall rule should look:
The rule says that every time a request with the words .php is made, the visitor or bot will get blocked out from your site
This rule is protecting your default login pages, the wp-config file, the XML-RPC file, and the rest of the existing and non-existing PHP files on your WordPress sites.
Most attacks to WordPress sites have to do with PHP files, so blocking access to those if visitors don’t need access to them is critical to your site security.
This is another report from WordFence telling users that .PHP were part of an attack campaign.
In case you have to let your users have access to some .php files , consider whitelisting the one they need and let Cloudflare block the rest of them.
For example, If you want to get post comments, create a firewall rule to whitelist wp-comments-post.php
If you want to learn more about why you should block access to PHP files consider reading tip #3 from 13 extra things we do for better WordPress Security
Whitelisting your Home or Server IP Address
Since the previous rules blocks your default login page, you have to whitelist your IP address to make sure you and others admins don’t get blocked by it.
Add your IP address, allow it, and make sure this applies to all websites in your account and give this IP access rule any name that you want.
Also, give the same treatment to your server IP address so CRON jobs are not blocked by it.
If your home IP changes, do the process again and add your new home IP or Server IP.
You can also whitelist your country or Internet service provider
More Firewall Rules: Block File Extensions
You can create more rules to discourage bots from visiting your site but you have to figure that out yourself.
Let’s think that you don’t have any of these files types on your site, you can easily block them following the same steps from before.
| #1 | .zip |
| #2 | .rar |
| #3 | .bak |
| #4 | .bat |
| #5 | .htacc |
| #6 | .tar |
| #7 | .env |
| #8 | .tgz |
| #9 | .7z |
| #10 | .sql |
| #11 | .xz |
| #12 | .yml |
| #13 | .aws |
| #14 | .alfa |
| #15 | .zlib |
| #16 | .bk |
| #17 | .bz2 |
| #18 | .dat |
| #19 | .gz |
| #20 | .py |
| #21 | .jsp |
| #22 | .asp |
| #23 | .cgi |
| #24 | .bash |
| #25 | .dll |
| #26 | .hg |
| #27 | .git |
| #28 | .cfg |
| #29 | .mdb |
| #30 | .htpas |
| #31 | .pass |
| #32 | .out |
| #33 | .cmd |
| #34 | .swp |
| #35 | .exe |
| #36 | .ini |
| #37 | .phtml |
| #38 | .md |
| #39 | .axd |
| #40 | .log |
| #41 | .sqlite |
| #42 | .hash |
| #43 | .cfm |
| #44 | .txt |
| #45 | .html |
This is the expression in case you want to modify it:
(http.request.uri contains ".zip") or (http.request.uri contains ".rar") or (http.request.uri contains ".bak") or (http.request.uri contains ".bat") or (http.request.uri contains ".htacc") or (http.request.uri contains ".tar") or (http.request.uri contains ".env") or (http.request.uri contains ".tgz") or (http.request.uri contains ".7z") or (http.request.uri contains ".sql") or (http.request.uri contains ".xz") or (http.request.uri contains ".yml") or (http.request.uri contains ".aws") or (http.request.uri contains ".alfa") or (http.request.uri contains ".zlib") or (http.request.uri contains ".bk") or (http.request.uri contains ".bz2") or (http.request.uri contains ".dat") or (http.request.uri contains ".gz") or (http.request.uri contains ".py") or (http.request.uri contains ".jsp") or (http.request.uri contains ".asp") or (http.request.uri contains ".cgi") or (http.request.uri contains ".bash") or (http.request.uri contains ".dll") or (http.request.uri contains ".hg") or (http.request.uri contains ".git") or (http.request.uri contains ".cfg") or (http.request.uri contains ".mdb") or (http.request.uri contains ".htpas") or (http.request.uri contains ".pass") or (http.request.uri contains ".out") or (http.request.uri contains ".cmd") or (http.request.uri contains ".swp") or (http.request.uri contains ".exe") or (http.request.uri contains ".ini") or (http.request.uri contains ".phtml") or (http.request.uri contains ".md") or (http.request.uri contains ".axd") or (http.request.uri contains ".log") or (http.request.uri contains ".sqlite") or (http.request.uri contains ".hash") or (http.request.uri contains ".cfm") or (http.request.uri contains ".txt") or (http.request.uri contains ".html")I collected those from Cloudflare firewall logs
If you have to give access to files such as robots.txt, ads.txt or any other important, include them on a whitelist rule and let Cloudflare block the rest of them.
Cloudflare Firewall Rules: Block Query Strings
In case you might want to block malicious query strings, here are some keyword to block your firewall.
| #1 | script |
| #2 | user |
| #3 | select |
| #4 | cast |
| #5 | concat |
| #6 | pass |
| #7 | shell |
| #8 | panel |
| #9 | passwd |
| #10 | config |
| #11 | md5 |
| #12 | flush |
| #13 | alert |
| #14 | password |
| #15 | union |
| #16 | from |
| #17 | convert |
| #18 | api |
| #19 | mod |
| #20 | eval |
| #21 | char |
| #22 | login |
| #23 | pwd |
| #24 | domain |
| #25 | author |
| #26 | var |
if you are using the query string option, you don’t have to worry about the word being present on your post URL.
(http.request.uri.query contains "script") or (http.request.uri.query contains "password") or (http.request.uri.query contains "user") or (http.request.uri.query contains "union") or (http.request.uri.query contains "select") or (http.request.uri.query contains "from") or (http.request.uri.query contains "cast") or (http.request.uri.query contains "convert") or (http.request.uri.query contains "concat") or (http.request.uri.query contains "api") or (http.request.uri.query contains "pass") or (http.request.uri.query contains "mod") or (http.request.uri.query contains "shell") or (http.request.uri.query contains "eval") or (http.request.uri.query contains "panel") or (http.request.uri.query contains "char") or (http.request.uri.query contains "passwd ") or (http.request.uri.query contains "login") or (http.request.uri.query contains "config ") or (http.request.uri.query contains "pwd") or (http.request.uri.query contains "md5") or (http.request.uri.query contains "domain") or (http.request.uri.query contains "flush") or (http.request.uri.query contains "alert") or (http.request.uri.query contains "attr=") or (http.request.uri.query contains "array")You can create a rule and then copy and paste the expression from above using the “Expression builder” option.
You can add it, deploy and get rid of the stuff that might block stuff your site visitors might need.
As far as I know, If you have a content site, I don’t see why somebody would visit links containing those words.
My CloudFlare Firewall Rules
I have implemented several methods to secure my WordPress sites and these could change but this is the best today.
| Rule | Reason |
| #1 | Whitelist Files & Folders |
| #2 | Whitelist File Extensions |
| #3 | Block Files & Folders |
| #4 | Block Query Strings |
| #5 | Firewall Log |
So this is what I do exactly:
- I whitelist (1) all the styles and scripts my sites that load in the front-end (2) specific files such ads.txt or robots.txt because I don’t want bots to check all TXT files (3) specific folders related to specific plugins needed in the front-end
- I whitelist file extensions such as webp, png. jpg, etc.
- I block access to (1) all file types I know my site doesn’t have or that shouldn’t be accessed (2) all major wordpress folders: /wp-admin/, /wp-content/, /wp-includes/
- I block keywords related to malicious query strings
- I Create a rule to log traffic so you can build an even more robust firewall.
So my approach is all about whitelisting and whatever is not whitelisted will be blocked.
If you want to do that, you should know your site really well because It is probably the strictest firewall you can create.
These are my answer to some of the questions you might have:
Do I Block Tor?
No, If you are legitimate user trying to check my content, I don’t care what browser you use.
Sometimes I use Tor.
If Tor is used for malicious purposes, my rules will block it anyways.
Should I focus on Query Strings?
I always create a firewall to block malicious query strings but they don’t block that many requests.
Malicious query strings are usually part of bot attacks but most of them are blocked by Firewall Rule #3 since they usually target .php files
Do I Block User Agents?
I have blocked user agents in the past but I don’t do now
why?
Cause legit companies are being transparent and show you who they are.
Besides them, the only real user agents you will be able to spot are the ones who are not smart enough to change their user agent.
Do I Block Countries?
I have challenged countries in the past but I don’t feel good about that.
If you are protecting the sensitive areas of your site, let people visit your site, specially if your content serves a worldwide audience.
I don’t want to stop people from my checking my sites as soon as they click on search engine results.
Do I Block Hosting, VPN or other Internet companies?
No
I don’t block hosting providers because some legitimate services on the internet use them.
Ahrefs relies on OVH and if you make money with ads, there is probably a service using Amazon Web Services.
Making a list of crappy internet hosting providers or internet provider takes a lot of work and you will never get it 100% right.
You don’t have to know the internet really well to be able to do this.
If you are gonna make a list of crappy company and block by their AS number, why don’t you spend learning your site well and create a robust firewall like I did
Conclusion
I hope this has been really useful. If you still want to use a security plugin, use one which is really light and follow other common security measures.
No security measure will protect you 100% if you make stupid mistakes regarding the security of your WordPress site.
If you use nulled plugins and if your computer is full of illegal software. You might get what you deserve sooner or later.
If you have a horrible hosting provider, you also might get what you paid for sooner or later.
