A free Cloudflare account comes with 5 Firewall Rules, and it would be a real waste not to take full advantage of them for your WordPress blog.
Today, Cloudflare is one of the giants of the internet. Just a few minutes of Cloudflare downtime can bring big names like Facebook, Verizon and Discord to a standstill.
The reason Cloudflare is so popular is arguably its free but “extensive” features, which hardly any competitor dares to burn money to match.
As a blogger, you have probably heard of Cloudflare or already use several of its services, such as DNS and CDN management combined with Reverse Proxy.
When you use Cloudflare Proxy (the cloud icon shown in orange), you can use 100% of the features under your free account, including Firewall.

Cloudflare’s Firewall is mostly overlooked and seldom talked about, so you might be missing out on this useful feature.
This is especially true if you rely too heavily on the WP Cloudflare plugin.
This article walks you through all 5 of your Firewall Rule settings and shows how to set them up correctly for the best results.
Rule 1: Prevent bad bot crawlers from crawling your website
Bot crawlers are automated programs run from servers to collect information for their owners' databases. Coccoc, for example, automatically crawls your website with coccocbot.
Google has googlebot, which is only activated to discover your site when you submit it in Google Search Console. Bing has bingbot.
Of course, no one wants to block these bots, because they help your SEO. On the other hand, there are bots that bring no benefit or meaning to your site while increasing the pressure on your hosting resources. You should block those for now.
Go to the Firewall tab > Firewall rules > Create a firewall rule and create a rule as follows:

(http.user_agent contains "MJ12bot") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "MauiBot") or (http.user_agent contains "python") or (http.user_agent contains "muckrack") or (http.user_agent contains "PetalBot") or (http.user_agent contains "AspiegelBot")
You just need to copy and paste the expression above into Edit expression, and the rule will set itself up as shown. There is no need to build it manually with the Expression Builder.
Rule 2: Allow “branded” bots to reach your site
This rule ensures that the rules after it do not mistakenly block bots that benefit your site.
Think of it as a measure to prevent disaster.
Some of you will tend to “be more creative” and will accidentally block beneficial bots, especially Googlebot, so this rule makes sure that Google's bots are always allowed through.
On its own, this rule has no effect or meaning, because by default Cloudflare always allows beneficial bots through.

(cf.client.bot)
Rule 3: Block “high-risk” IPs used for hacking
Cloudflare maintains a blacklist and checks whether the IP behind each access request is on it.
The IPs on this risk list are also assigned scores. The higher the score, the higher the risk. The score is available as cf.threat_score.
You will set up a rule to block dangerous IPs with a risk higher than 20 points.
You can adjust this 20 to your liking, but this is a benchmark from the community.

(cf.threat_score gt 20)
Rule 4: Hold low-risk requests for 5 seconds
Better to err on the side of caution: you should also set a rule for when the accessing IP has a risk score higher than 10.
We will not block these requests, just hold them for 5 seconds and then redirect, which is called a JS Challenge. This helps get rid of bots without mistakenly blocking real users from accessing your website.

(cf.threat_score gt 10)
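The order of Rules 1 to 4 matters, as this added example (not code from the original article) shows with a simplified Python model. It assumes rules are evaluated top to bottom and that the first matching Allow, Block or JS Challenge decides the request; the rule names, helper functions and sample requests are constructed for illustration.

```python
# Added example: simplified first-match model of Firewall Rules 1-4.
# Assumption: rules run top to bottom and Allow, Block and JS Challenge
# each stop evaluation at the first rule that matches.

BAD_AGENTS = ["MJ12bot", "MauiBot", "python", "PetalBot"]  # subset of Rule 1

RULES = [
    # (name, action, predicate); `in` is case-sensitive, like `contains`
    ("rule1", "block", lambda r: any(s in r["ua"] for s in BAD_AGENTS)),
    ("rule2", "allow", lambda r: r["known_bot"]),           # cf.client.bot
    ("rule3", "block", lambda r: r["threat_score"] > 20),   # cf.threat_score gt 20
    ("rule4", "js_challenge", lambda r: r["threat_score"] > 10),
]

def evaluate(request, rules=RULES):
    """Return (rule name, action) for the first matching rule."""
    for name, action, matches in rules:
        if matches(request):
            return name, action
    return None, "pass"  # no rule matched; request continues to the site

def unreachable(rules, requests):
    """Rules that decide none of the sample requests (shadowed by earlier ones)."""
    deciding = {evaluate(r, rules)[0] for r in requests}
    return [name for name, _, _ in rules if name not in deciding]

def reorder(*names):
    """Build a rule list in the given order, for what-if checks."""
    by_name = {rule[0]: rule for rule in RULES}
    return [by_name[n] for n in names]

# Constructed sample requests, not real traffic.
SAMPLES = {
    "mj12": {"ua": "Mozilla/5.0 (compatible; MJ12bot/v1.4.8)", "known_bot": False, "threat_score": 0},
    "search_bot": {"ua": "Mozilla/5.0 (compatible; Googlebot/2.1)", "known_bot": True, "threat_score": 15},
    "risky": {"ua": "Mozilla/5.0 (Windows NT 10.0)", "known_bot": False, "threat_score": 35},
    "suspect": {"ua": "Mozilla/5.0 (Windows NT 10.0)", "known_bot": False, "threat_score": 12},
    "py_upper": {"ua": "Python-urllib/3.11", "known_bot": False, "threat_score": 0},
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, evaluate(req))
    # Rule 4 above Rule 3: the block rule never fires.
    swapped = reorder("rule1", "rule2", "rule4", "rule3")
    print("unreachable:", unreachable(swapped, SAMPLES.values()))
    # Rule 2 at the bottom: the verified bot gets challenged instead of allowed.
    late_allow = reorder("rule1", "rule3", "rule4", "rule2")
    print("search_bot:", evaluate(SAMPLES["search_bot"], late_allow))
```

The "py_upper" request passes Rule 1 because the match is case-sensitive, so check the exact capitalization of each user-agent string you list in the rule.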
Rule 5: Protect your WordPress login page
The WordPress login page is always a top target for hackers, so you must protect it carefully.
In addition to installing a security plugin, you can use Cloudflare to screen out a significant share of hacking bots.

(http.request.uri.path contains "/wp-login.php" and not ip.geoip.country in {"VN"}) or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php" and not ip.geoip.country in {"VN"}) or (http.request.uri.path contains "/xmlrpc.php" and not ip.geoip.country in {"VN"})
Epilogue…

Cloudflare has a lot of other interesting features to explore. For the time being, use this little guide to warm up.
Good luck!