Protect and Lock Down your WordPress site with Cloudflare Firewall and WAF Rules

Attention – Always Test!

Make sure you test your Cloudflare rules after implementation, as they can block some services such as backups, monitoring and management services. Also, make sure to use a VPN to test country blocks.

What this guide will cover.

This article stems from assisting someone in the GridPane private Community Forums to lock their site to allow only specific countries and prompt a managed challenge to the rest of the world. Since I had already done this for a site I manage, I provided all the rules and was able to help this individual with their issue.

Cloudflare WAF Rules

In this guide, we’re going to focus on using the Cloudflare WAF rules. The Cloudflare Free Plan gives you five free rules and the Cloudflare Pro Plan gives you 20, so you will need to get creative with your rules if you’re on the free plan.

The Cloudflare Firewall Order and Priority

As the title says, there is an order and priority within the Cloudflare Firewall. Here are some excerpts from the Cloudflare Firewall Rules Order Priority page.

Cloudflare Firewall Rules is part of a larger evaluation chain for HTTP requests, as illustrated in the diagram below. For example, Firewall Rules only evaluates requests that first clear IP Access rules. If a request is blocked by a rule at any stage in the chain, Cloudflare does not evaluate the request further.

https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority/#overview

You can use IP Access rules to allowlist requests under certain conditions, effectively excluding these requests from all security checks. However, allowing a given country code will not bypass WAF Managed Rulesets or WAF managed rules (previous version).

The execution order diagram does not include products powered by the Ruleset Engine like the WAF or Transform Rules.

Keep this diagram in mind when you’re troubleshooting as you may find that your firewall rule might be correct, but there is an IP Access Rule or Rate Limiting Rule in place affecting traffic.

Cloudflare Firewall List Order and Rule Evaluation

Cloudflare’s firewall rules are in list order; they’re evaluated in the order they appear in the firewall rules list. You can drag and drop them into order as needed. Here is a nifty gif from the same page on Cloudflare’s Developers site.

You can change the options for rule evaluation from the default “Order” which is drag and drop, to “Priority” by clicking the “Ordering” button on the right.

Drag and Drop vs Priority Ordering

I don’t like taking something that is already written well, so here are some quotes from Cloudflare about Drag and Drop vs Priority Ordering.

By default, Cloudflare evaluates firewall rules in list order, where rules are evaluated in the order they appear in the firewall rules list. List ordering is convenient when working with small numbers of rules because you can manage their order by dragging and dropping them into position. However, as the number of rules grows, managing rules in list order becomes difficult. This is where priority order comes into play.

https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority/

When priority ordering is enabled, Cloudflare evaluates firewall rules in order of their priority number, starting with the lowest. If a request matches two rules with the same priority, action precedence is used to resolve the tie. In this case, only the action of the rule with the highest precedence is executed, unless that action is Log or Bypass (refer to Firewall rules actions for details). Priority ordering makes it a lot easier to manage large numbers of firewall rules, and once the number of rules passes 200, Cloudflare requires it.

https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority/

Traffic Sequence

Unfortunately, Cloudflare tucks this little diagram away, usually to the left of each service you’re in, as a reminder of when that service is engaged on the edge. It gives a better idea of how traffic flows through Cloudflare’s servers on the edge.

Additional Features to Consider

IP Lists

You can use IP Lists, which help when creating large lists of IP addresses. However, they’re account-specific and won’t work on domains that you’re only a member of.

https://developers.cloudflare.com/firewall/cf-dashboard/rules-lists/

IP Access Rules

Always check the access rules under your account. As with IP Lists, they can be domain-specific or account-specific, so any domains you can access only because you’re a member of the account will not use account-specific rules.

Locking Down your Site with Cloudflare

Attention

This guide is updated regularly, so check back frequently and reference the changelog at the bottom.

Here’s a screenshot of the typical rules you will create in the Cloudflare WAF; this site presents a JS Challenge to all traffic from outside Canada.

Multiple Expressions with “and/or”

You don’t always want to have a rule using multiple “and/or” expressions, as these will not always work correctly. I’m still not 100% sure why this is, which is why you see the Challenge outside of Canada as a separate rule. Trying to incorporate “and/or” breaks the rule.

GitHub List of Rules

You can access all the mentioned rules below in a single-page GitHub markdown document if you simply want to implement these rules.

Rule 1 - Block URI Query, URL, User Agents, and IPs (Block)

Use this rule for all your blocking rules, URI Queries, URLs, User Agents and IPs. I don't have much here.

Action: Block

(http.request.uri.path eq "/wp-content/uploads/wp-activity-log/non_mirrored_logs.json") or (http.request.uri.path eq "/xmlrpc.php")

Rule 2 - Allow URI Query, URL, User Agents, and IPs (Allow)

Use this rule to allow URI Queries, URLs, User Agents and IPs. I don't have much here.

Unfortunately, Blogvault and WP Umbrella don't set a custom User-Agent header, so you must use their IPs. Always reference Blogvault and WP Umbrella. You can add any IPs to this list that you want to allow past the WAF.

Action: Allow

(ip.src in {88.99.145.111 88.99.145.112 195.201.197.31 136.243.130.174 144.76.236.242 136.243.130.52 116.202.131.150 116.202.233.15 116.202.193.3 168.119.2.157 49.12.124.233 88.99.146.248 139.180.140.55 104.248.114.9 192.81.221.63 45.63.10.187 45.76.137.73 45.76.183.23 159.223.99.132 198.211.127.63 45.76.126.238 159.223.105.100 161.35.121.79 208.68.38.165 147.182.131.77 174.138.35.170 149.28.228.237 45.77.106.232 140.82.15.60 108.61.142.158 45.77.220.240 67.205.160.142 137.184.156.126 157.245.142.130 159.223.127.73 198.211.127.43 198.211.123.140 82.196.0.67 188.166.158.7 46.101.79.124 192.248.168.22 78.141.225.57 95.179.214.63 104.238.190.161 95.179.208.185 95.179.220.182 66.135.5.151 45.32.7.254 149.28.227.238 8.9.37.67 149.28.231.28 142.132.211.19 142.132.211.18 142.132.211.17 159.223.166.150 167.172.146.73 143.198.184.39 161.35.123.156 147.182.139.65 198.211.125.219 185.14.187.177 192.81.222.35 209.97.131.196 209.97.135.165 104.238.170.64 78.141.244.3 217.69.0.229 45.63.115.86 108.61.123.152 45.32.144.195 140.82.12.121 45.77.99.218 45.63.11.48 149.28.45.216 209.222.10.118 141.95.192.2})

Rule 3 - Managed Challenge /wp-admin (Managed Challenge)

Self-explanatory: this rule requires a managed challenge to access /wp-admin, but allows /wp-admin/admin-ajax.php because plugins trigger it on the front end for non-logged-in users.

Action: Managed Challenge

(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php")

Rule 4 - Allow Good Bots and User Agent/URI/URL Query (Allow)

This rule will allow known Cloudflare good bots; some might not be good bots to you. Double-check their list at https://radar.cloudflare.com/verified-bots

I have also added some custom detection via User-Agent and URI Query. Some might think this isn't secure, and IP is the only 100% secure method. If something uses the User-Agent Better Uptime, it's a targeted attack, not automated, and there's a more significant issue.

  • Shipstation
  • Metorik
  • Wordfence Central
  • Better Uptime

Feel free to add any services you wish here.

Action: Allow

(cf.client.bot) or (http.user_agent contains "Metorik API Client") or (http.user_agent contains "Wordfence Central API") or (http.request.uri.query contains "wc-api=wc_shipstation") or (http.user_agent eq "Better Uptime Bot") or (http.user_agent eq "ShortPixel")

Rule 5 - Challenge Outside of GEO (JS Challenge)

This rule is optional, but you can require all traffic outside of your known target geographical market to pass a challenge.

Action: JS Challenge

(ip.geoip.country ne "CA")
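
To see how the five rules above interact in list order before deploying them, the following Python model (an added example, not part of the original guide or Cloudflare's code) expresses each rule as a predicate and returns the first rule that matches a request. It assumes every action used here ends evaluation at the first match; the Request class, the two-entry ALLOW_IPS subset and the sample requests are constructed for illustration.

```python
# Added example: offline model of the guide's five rules in list order.
# Assumption: every action used here ends evaluation at the first match.
from dataclasses import dataclass

@dataclass
class Request:
    path: str
    query: str = ""
    user_agent: str = ""
    ip: str = "203.0.113.10"      # constructed documentation address
    country: str = "CA"
    verified_bot: bool = False    # stands in for cf.client.bot

# Two entries from the Rule 2 allowlist on the page; extend with the full set.
ALLOW_IPS = {"88.99.145.111", "141.95.192.2"}

RULES = [
    ("Rule 1", "block", lambda r: r.path in (
        "/wp-content/uploads/wp-activity-log/non_mirrored_logs.json", "/xmlrpc.php")),
    ("Rule 2", "allow", lambda r: r.ip in ALLOW_IPS),
    ("Rule 3", "managed_challenge", lambda r: "/wp-login.php" in r.path or (
        "/wp-admin/" in r.path and r.path != "/wp-admin/admin-ajax.php")),
    ("Rule 4", "allow", lambda r: r.verified_bot
        or "Metorik API Client" in r.user_agent
        or "Wordfence Central API" in r.user_agent
        or "wc-api=wc_shipstation" in r.query
        or r.user_agent in ("Better Uptime Bot", "ShortPixel")),
    ("Rule 5", "js_challenge", lambda r: r.country != "CA"),
]

def evaluate(req):
    """Return (rule name, action) of the first matching rule, or (None, 'pass')."""
    for name, action, matches in RULES:
        if matches(req):
            return name, action
    return None, "pass"

# Constructed sample requests, chosen to show where ordering matters.
SAMPLES = {
    "allowlisted IP hitting xmlrpc": Request("/xmlrpc.php", ip="88.99.145.111"),
    "uptime monitor on login page": Request("/wp-login.php", user_agent="Better Uptime Bot"),
    "foreign visitor's front-end AJAX": Request("/wp-admin/admin-ajax.php", country="DE"),
    "ShipStation callback from US": Request("/", query="wc-api=wc_shipstation", country="US"),
    "domestic visitor": Request("/shop/"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:35s} -> {evaluate(req)}")
```

The second and third samples are the kind of side effects the testing advice is meant to catch: a monitor pointed at the login page is challenged by Rule 3 before Rule 4 is reached, and front-end AJAX calls from outside Canada fall through to Rule 5.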

Review and Testing

As always, review and test your Cloudflare Firewall/WAF rules. Here's a guide that talks about this specific subject.

Additional Notes

Automating Rule Setup for Multiple Domains

This is something that can be scripted via the API. I will hopefully be releasing a script to do this 🙂

Google Crawl Errors

If you have issues with Google crawling your site, make sure to check this troubleshooting crawl errors page from Cloudflare.

https://support.cloudflare.com/hc/en-us/articles/200169806-Troubleshooting-crawl-errors

Conclusion

I will be updating this regularly to add more information 🙂 Please comment if you see an error or have a suggestion.

Changelog

  • 08-10-2022 - Improved rules overall, condensed rules and labelled them appropriately.
  • 08-11-2022
    • Fixed issue with an animated GIF showing how to drag and drop rules.
    • Added a quote on how to use Cloudflare ordering and priority.
    • Added "Google Crawl Errors" section
    • Added Github repository for rules.
  • 08-25-2022 - Blocked xmlrpc.php