Enhance WordPress website security with Cloudflare Firewall

Cloudflare’s free plan includes 5 Firewall Rules; it would be a real waste not to take full advantage of them for your WordPress blog.

Today, Cloudflare is one of the giants of the internet. Just a few minutes of Cloudflare downtime can bring big names like Facebook, Verizon and Discord to a standstill.

Cloudflare owes much of its popularity to a free yet “extensive” feature set that hardly any competitor is willing to spend the money to match.

As a blogger, you must have heard of Cloudflare once or have used many of Cloudflare’s services, such as DNS and CDN management combined with Reverse Proxy.

When you use Cloudflare Proxy (the cloud icon is highlighted in orange) you get 100% of the features of your free account, including the Firewall.

Cloudflare Proxy is enabled

Cloudflare’s Firewall is mostly overlooked and rarely talked about, so you may be missing out on this useful feature.

Especially if you rely entirely on the WP Cloudflare plugin.

This article walks you through all 5 Firewall Rules and shows how to set them up correctly for the best results.

Rule 1: Prevent bad bot crawlers from crawling your website

Crawler bots are automated programs, run from servers, that collect information about your site for their own databases; for example, Coccoc automatically crawls your website with coccocbot.

Google has Googlebot, which only starts crawling your site once you submit it in Google Search Console. Bing has Bingbot.

Of course, no one wants to block these bots, because they help your SEO. On the other hand, there are bots that bring no benefit to your site at all while adding load to your hosting resources. Those are the ones you should block.

Go to the Firewall tab > Firewall rules > Create a firewall rule and create a rule as follows:

Block “bad” bots:
(http.user_agent contains "MJ12bot") or (http.user_agent contains "SEMrushBot") or (http.user_agent contains "MauiBot") or (http.user_agent contains "python") or (http.user_agent contains "muckrack") or (http.user_agent contains "PetalBot") or (http.user_agent contains "AspiegelBot")

You just need to copy the expression above into Edit expression; the rule will be populated as shown, with no need to build it field by field in the Expression Builder.

Rule 2: Allow “branded” bots to reach your site

This rule ensures that the rules that follow do not mistakenly block bots that benefit your site.

It is a precaution against disaster.

Some of you will be tempted to “get creative” and will accidentally block beneficial bots, especially Googlebot, so this rule ensures that Google’s bots are always let through.

On its own, this rule has no visible effect, because by default Cloudflare already lets beneficial bots through.

Allow beneficial bots (fallback rule):
(cf.client.bot)

Rule 3: Block “high-risk” IPs used for attacks

Cloudflare maintains a blacklist of IPs and checks whether each incoming request comes from a blacklisted IP.

Each IP on that risk list is also assigned a score, exposed as cf.threat_score; the higher the score, the higher the risk.

Set up a rule to block dangerous IPs with a risk score higher than 20.

You can adjust the threshold of 20 to your liking, but 20 is the benchmark used by the community.

Block high-risk IPs:
(cf.threat_score gt 20)

Rule 4: Hold low-risk requests for 5 seconds

Better safe than sorry: set a rule for when the accessing IP has a risk score higher than 10.

We will not block these requests, only hold them for about 5 seconds with a JS Challenge before letting them through. This weeds out bots without mistakenly blocking real users from your website.

JS Challenge for low-risk IPs:
(cf.threat_score gt 10)

Rule 5: Protect your WordPress login page

The WordPress login page is always a top target for hackers, so you must protect it carefully.

Besides installing a security plugin, Cloudflare can do much of the screening of bot attacks for you.

Protect the WordPress admin area:
(http.request.uri.path contains "/wp-login.php" and not ip.geoip.country in {"VN"}) or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php" and not ip.geoip.country in {"VN"}) or (http.request.uri.path contains "/xmlrpc.php" and not ip.geoip.country in {"VN"})
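To see how the five rules interact, here is an added example (not from the original post) that models Cloudflare’s first-match evaluation in Python: each rule is hand-translated into a predicate, the rule order, actions, the `VN` country code and the `request` helper are assumptions taken from the post, and the sample requests are constructed.

```python
# Added example (not from the original post): a Python model of how Cloudflare
# evaluates the five Firewall Rules above in order, first match wins. The
# expression language is not parsed; each rule is hand-translated into a
# predicate over a request dict. All request values below are constructed.
BAD_BOTS = ["MJ12bot", "SEMrushBot", "MauiBot", "python", "muckrack",
            "PetalBot", "AspiegelBot"]
HOME_COUNTRY = "VN"  # the post uses VN; substitute your own country code
ADMIN_EXCEPTIONS = ("/wp-admin/admin-ajax.php", "/wp-admin/theme-editor.php")


def bad_bot(r):
    # Cloudflare's `contains` is case-sensitive, so "Python-requests" does
    # not match "python"; this mirrors that behaviour deliberately.
    return any(b in r["user_agent"] for b in BAD_BOTS)


def login_surface(r):
    path, foreign = r["path"], r["country"] != HOME_COUNTRY
    if not foreign:
        return False
    if "/wp-login.php" in path or "/xmlrpc.php" in path:
        return True
    return "/wp-admin/" in path and not any(e in path for e in ADMIN_EXCEPTIONS)


# (name, predicate, action) in the order the post recommends. Rule 2 must sit
# before the blocking rules: "allow" stops evaluation, so a verified bot with
# a high threat score is never reached by rules 3 to 5.
RULES = [
    ("1 bad bots", bad_bot, "block"),
    ("2 verified bots", lambda r: r["client_bot"], "allow"),
    ("3 high risk", lambda r: r["threat_score"] > 20, "block"),
    ("4 low risk", lambda r: r["threat_score"] > 10, "js_challenge"),
    ("5 wp login", login_surface, "block"),  # action assumed; post says "protect"
]


def evaluate(req):
    """Return (rule name, action) of the first matching rule, or (None, 'pass')."""
    for name, pred, action in RULES:
        if pred(req):
            return name, action
    return None, "pass"


def request(ua="Mozilla/5.0", path="/", country="VN", score=0, bot=False):
    # Constructed request; `client_bot` stands in for cf.client.bot, which
    # only Cloudflare's own bot verification can set.
    return {"user_agent": ua, "path": path, "country": country,
            "threat_score": score, "client_bot": bot}
```

For instance, `evaluate(request(ua="Googlebot/2.1", score=30, bot=True))` returns the rule 2 allow even though the score would trip rule 3, while a request from outside `VN` to `/wp-admin/admin-ajax.php` passes because of the exception in rule 5.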

Epilogue…

Summary of Cloudflare’s 5 Firewall Rules for WordPress sites

Cloudflare has plenty of other interesting features to explore. For now, this little guide is a warm-up.

Good luck!


By Nguyen Manh Cuong

Nguyen Manh Cuong is the author and founder of the nguyendiep blog. With over 14 years of experience in Online Marketing, he now runs a number of successful websites, and occasionally shares his experience & knowledge on this blog.
