Secure, Protect and Lock Down your WordPress site with Cloudflare Custom WAF Rules (was Firewall Rules)

Last Updated on December 17, 2024 EST by Jordan

Head to the Juicy Bits. TLDR;

This is a huge article that covers a lot of topics. If you’re looking for the Cloudflare rules I’ve developed, then click on the button below 🙂

The Cloudflare WAF

Cloudflare’s Web Application Firewall (WAF) is a powerful tool for analyzing and filtering traffic destined to your WordPress site. The Cloudflare WAF analyzes incoming traffic and blocks requests that match predefined rules or patterns. This helps to prevent attacks before they can even reach your server, reducing the risk of data breaches, malware infections, and other security incidents. Most importantly, wasted resources handling malicious requests from automated attacks.

To set up Cloudflare WAF, you’ll need to configure a series of rules that tell the firewall how to handle different types of traffic. These rules can be as simple or complex as you need them to be, and Cloudflare provides a range of prebuilt rules that you can use as a starting point. Once your rules are in place, the WAF will begin monitoring your traffic and blocking any requests that violate your security policies. Overall, Cloudflare WAF is a powerful and effective tool for securing your website against common web application attacks, and it’s a must-have for anyone looking to protect their online assets from malicious actors.

Cloudflare Custom WAF Rules

The new Firewall Rules UI provides a more streamlined and user-friendly experience for creating and managing Firewall Rules. It includes new features such as improved rule management, custom rule groups, and the ability to set multiple actions per rule. Additionally, the new UI is integrated with Cloudflare’s Managed Rules, making enabling and managing Managed Rules for your website easier.

The main differences between Firewall Rules and WAF custom rules are as follows:

• Improved response for Block action: The Block action in WAF custom rules provides a more detailed response than in Firewall Rules, allowing you to understand better why a request was blocked.
• New Skip action: WAF custom rules include a new Skip action that replaces both the Allow and Bypass actions in Firewall Rules. This provides a more flexible way to handle certain types of traffic.
• Custom rules are evaluated in order: Unlike Firewall Rules, custom rules are evaluated in the order they are defined. This allows you to define more complex rules that consider multiple factors.
• Logs and events: WAF custom rules provide more detailed logging and events than Firewall Rules, allowing you to better track and analyze traffic to your website.
• New API and Terraform resources: WAF custom rules include a new API and Terraform resources, making it easier to automate creating and managing custom rules.

New Skip Action Screenshots

WAF for everyone: protecting the web from high severity vulnerabilities

We are excited to provide our new Cloudflare Web Application Firewall, with a Free Managed Ruleset to all Cloudflare users.

blog.cloudflare.com

Cloudflare Pro Managed Rules Previous Version Screenshots

Here are some screenshots of the Cloudflare Managed Rules under a Pro Account

Cloudflare Pro Managed Rules New Version Screenshots

What You Need to Know Before Creating WAF Custom Rules

Here are some important points you must consider when creating WAF Custom Rules; ensure that you consider them before proceeding.

Traffic Sequence

Understanding how traffic flows through Cloudflare servers on the edge is crucial for troubleshooting. While Cloudflare provides a helpful diagram to visualize this flow, it’s unfortunately not always easy to find. The diagram typically appears to the left of each service you’re using, serving as a reminder of when your service is engaged on the edge.

The traffic sequence diagram illustrates how your website’s traffic flows through Cloudflare’s servers on the edge. This includes the steps of a request, such as DNS resolution, SSL negotiation, caching, and more. By understanding this flow, you can identify potential issues when troubleshooting.

Previous

Current

IP Access Rules

Always check your access rules under your account, as with IP Lists; they can be domain or account-specific. So any domains you have access to due to being a member of the account will not utilize account-specific rules.

Adding Cloudflare Rules using Expression Builder

This guide’ll show you how to add Cloudflare rules using the expression builder. This powerful tool allows you to create complex rules to protect your website against various threats, including SQL injection, cross-site scripting, etc. Following our step-by-step instructions, you can easily configure the expression builder and create rules tailored to your needs. Below is a animated gif showing how this is done.

Cloudflare WAF Challenge Types

Cloudflare protects websites by challenging visitor traffic in several different situations, including:

• When a visitor’s IP address has shown suspicious behavior online, as tracked by Project Honeypot.
• When the website owner has blocked the country associated with the visitor’s IP address.
• When the visitor’s actions have triggered a firewall rule enabled by the website owner.

If a visitor passes the challenge, their request is allowed to proceed. However, if they fail the challenge, their request will be blocked to protect the website against potential threats.

Managed Challenge

Managed challenges, Cloudflare selects the appropriate type of challenge based on the characteristics of a request, reducing the need for CAPTCHAs and minimizing the impact on human users. Depending on the characteristics of a request, Cloudflare may choose to present a non-interactive challenge page, a custom interactive challenge (such as clicking a button), or Private Access Tokens (using recent Apple operating systems), among other options.

JS Challenge

JS challenges are presented to visitors as a challenge page that requires no interaction, but instead relies on JavaScript processing by the visitor’s browser. The visitor will need to wait until their browser finishes processing the JavaScript, which typically takes less than five seconds

Interactive Challenge

On the other hand, interactive challenges require visitors to actively engage with the challenge page by solving an interactive challenge. However, Cloudflare does not recommend using interactive challenges, as they can impact legitimate traffic and reduce the usability of your website.

You can read more about Cloudflare challenges at https://developers.cloudflare.com/fundamentals/get-started/concepts/cloudflare-challenges/

(Read First) Important Notes about the Cloudflare WAF Rules In This Guide

Here’s a screenshot of the typical rules you will create in the Cloudflare WAF; these rules below achieve the following.

• Allow and Block specific URL Queries, URLs, and User Agents while allowing customization.
• Protect /wp-admin with a Managed Challenge.
• Allow Good Bots and User Agent, URI Query Strings (Common bots and services added)
• All traffic outside Canada will have a forced JS Challenge.

Cloudflare Previous Cloudflare Firewall Rules Screenshot

This is what the rules would have looked like before Cloudflare was renamed and changed from Cloudflare Firewall to Cloudflare WAF.

Cloudflare WAF Custom Rules Screenshot

Here is what the new Cloudflare WAF rules will look like going forward.

Multiple Expressions with “and/or” in Expression Builder

It’s important to be cautious when using multiple “and/or” expressions in a rule, as these may not always work correctly. When creating a rule involving multiple expressions, it’s essential to test it thoroughly to ensure it functions as expected. In some cases, creating separate rules for different conditions may be a more effective approach.

For example, if you’re trying to apply a rule that challenges traffic outside Canada, incorporating “and/or” expressions may break the rule. Instead, creating a separate rule for the Challenge outside of Canada may be more effective. By separating the conditions into individual rules, you can avoid potential conflicts and ensure your website’s security is not compromised.

The following are the Cloudflare WAF rules that we use in production! Enjoy!

Managed Challenge – Challenge Passage Setting (Timeout)

Attention

The following notes are essential if you’re having issues with your site when editing from the backend.

The rules below include the Cloudflare “Managed Challenge” feature, which will challenge visitors with a captcha or JavaScript challenge when they visit your site. You might run into issues if you use the Managed Challenge action to block the WordPress admin login.

You will be issued a new challenge if logged into your WordPress site and working away in the admin dashboard for more than the Challenge Password time. This might cause issues in the WordPress editor, specifically when saving a page or post. This is due to the Cloudflare Managed Challenge kicking in for all requests, causing the request to save a page or post to fail.

To correct this, you can open a new window, visit the WordPress admin login, solve the Managed Challenge and then go back and trigger a save within the WordPress editor. A better solution is to set the Challenge Passage to longer, such as 4 hours.

Managing WP’s Cloudflare WAF Rules to Secure Your WordPress Site

Download Rules on GitHub

You can access all the mentioned rules below in a single-page GitHub markdown document if you want to implement these rules. Please note these may be updated more frequently than this page.

Rule Logic

The logic behind these rules is an easy-to-understand flow, as Cloudflares WAF works by matching and then you can control that match with either a block, skip, managed challenge, interactive challenge or js challenge.

You always want to have your skip rules first, then your block rules. This will ensure that anything you wish to have skip the Cloudflare WAF doesn't get caught in a block rule.

• R1V2 - Block URI Query, URL, User Agents, and IPs (Block)
• R2V2 -  Allow URI Query, URL, User Agents, and IPs (Allow)
• R3V2 – Managed Challenge /wp-admin (Managed Challenge)
• R4V2 – Challenge Outside of GEO (JS Challenge)

(http.request.uri.path eq "/wp-content/uploads/wp-activity-log/non_mirrored_logs.json") or (http.request.uri.path eq "/xmlrpc.php")

(ip.src in {88.99.145.111 88.99.145.112 195.201.197.31 136.243.130.174 144.76.236.242 136.243.130.52 116.202.131.150 116.202.233.15 116.202.193.3 168.119.2.157 49.12.124.233 88.99.146.248 139.180.140.55 104.248.114.9 192.81.221.63 45.63.10.187 45.76.137.73 45.76.183.23 159.223.99.132 198.211.127.63 45.76.126.238 159.223.105.100 161.35.121.79 208.68.38.165 147.182.131.77 174.138.35.170 149.28.228.237 45.77.106.232 140.82.15.60 108.61.142.158 45.77.220.240 67.205.160.142 137.184.156.126 157.245.142.130 159.223.127.73 198.211.127.43 198.211.123.140 82.196.0.67 188.166.158.7 46.101.79.124 192.248.168.22 78.141.225.57 95.179.214.63 104.238.190.161 95.179.208.185 95.179.220.182 66.135.5.151 45.32.7.254 149.28.227.238 8.9.37.67 149.28.231.28 142.132.211.19 142.132.211.18 142.132.211.17 159.223.166.150 167.172.146.73 143.198.184.39 161.35.123.156 147.182.139.65 198.211.125.219 185.14.187.177 192.81.222.35 209.97.131.196 209.97.135.165 104.238.170.64 78.141.244.3 217.69.0.229 45.63.115.86 108.61.123.152 45.32.144.195 140.82.12.121 45.77.99.218 45.63.11.48 149.28.45.216 209.222.10.118 147.182.130.252 149.28.62.18 207.246.127.103 157.245.137.38 207.246.120.94 157.245.128.151 45.77.148.172 142.93.11.155 144.202.2.38 104.248.238.131 45.77.148.172 141.95.192.2 176.9.40.54 176.9.106.100 176.9.21.94}) 
or (http.request.uri.query contains "bvVersion") 
or (http.request.uri.query contains "wc-api=wc_shipstation") 
or (http.user_agent contains "Zapier") 
or (http.user_agent contains "Metorik API Client") 
or (http.user_agent contains "Wordfence Central API") 
or (http.user_agent eq "Better Uptime Bot") 
or (http.user_agent eq "ShortPixel") 
or (http.user_agent contains "umbrella bot") 
or (http.user_agent contains "Integrately") 
or (http.user_agent contains "Uptime-Kuma") 
or (cf.client.bot)

(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/js/password-strength-meter.min.js")

(ip.geoip.country ne "CA")

Basic Testing

As always, review and test your Cloudflare Firewall/WAF rules. Here's a guide that talks about this specific subject.

Testing and Reviewing Cloudflare Firewall and WAF Rules - Managing WP - All about Managing WordPress

If you're in the process of developing your Cloudflare Firewall or WAF rules, you'll want to find a way to test them out to make sure they function as they

managingwp.io

Using Firewalker (Advanced)

I stumbled upon this project called firewalker, which uses the wirewalker Cloudflare rule engine

Firewalker builds on top of Cloudflare's wirefilter rule engine and provides API to construct the requests in JS. After all, if the tests for your workers are in JS, why not to use the same syntax for the WAF rules?

https://github.com/SerCeMan/firewalker

GitHub - SerCeMan/firewalker: Testing framework for Cloudflare Firewall rules

Testing framework for Cloudflare Firewall rules. Contribute to SerCeMan/firewalker development by creating an account on GitHub.

github.com

I'm not a pro at nodejs, typescript or even yarn. So it took me a while to figure this out. But here's the breakdown.

1. Use a linux instance, WSL or macOS with nodejs 12, it doesn't work with 14 or 16. Check out nvm, it's really cool way of switching nodejs versions.
2. Clone the repository somewhere

git clone https://github.com/SerCeMan/firewalker.git

3. Use yarn to install required packages, you should have no errors ;)

cd firewalker
yarn install

4. Run "yarn test" and you should get a bunch of success messages. This is because it's running against the test/firewall.tests.ts file
5. Delete the test/firewall.tests.ts file and use the following simple short test file. You can copy and paste the Cloudflare expression code

import {Firewall, Request} from '../src';
import {URLSearchParams} from 'url';

describe('Standard fields', () => {
    let firewall: Firewall;

    beforeEach(() => {
        firewall = new Firewall();
    });

    it('Testing Original Rule', () => {
        # Cloudflare expression to test.
        const rule = firewall.createRule(`
        (http.request.uri.path contains "/wp-login.php")
        or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php")        
        `);

        # Tests to run on the expression.
        expect(rule.match(new Request('http://example.org/wp-admin/'))).toBeTruthy();
        expect(rule.match(new Request('http://example.org/wp-admin/admin-ajax.php'))).toBeFalsy();
        expect(rule.match(new Request('http://example.org/wp-admin/wp-login.php'))).toBeTruthy();
        expect(rule.match(new Request('http://example.org/wp-admin/wp-admin/js/password-strength-meter.min.js'))).toBeFalsy();
    });

    it('Testing New Rule 3', () => {
        const rule = firewall.createRule(`

(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path in {"/wp-admin/admin-ajax.php" "/wp-admin/js/password-strength-meter.min.js"})
        `);

        expect(rule.match(new Request('http://example.org/wp-admin/'))).toBeTruthy();
        expect(rule.match(new Request('http://example.org/wp-admin/admin-ajax.php'))).toBeFalsy();
        expect(rule.match(new Request('http://example.org/wp-admin/wp-login.php'))).toBeTruthy();
        expect(rule.match(new Request('http://example.org/wp-admin/wp-admin/js/password-strength-meter.min.js'))).toBeFalsy();
    });

});

6. Run "yar test"

Additional Notes

Automating Rule Setup for Multiple Domains

This is something that can be scripted via the API. I will hopefully be releasing a script to do this :) I have released the script and it's not 100% but it works, I will be improving it as I see fit. It's within the same Github repository as the rules, and the file name is cloudflare-wordpress-rules.s

cloudflare-wordpress-rules/cloudflare-wordpress-rules.sh at main · managingwp/cloudflare-wordpress-rules · GitHub

Contribute to managingwp/cloudflare-wordpress-rules development by creating an account on GitHub.

github.com

Terraform

I haven't played with this yet, but will be implementing it within my own workflow!

GitHub - miketabor/terraform-cloudflare-wordpress-firewall: Terraform to deploy Cloudflare firewall rules to protect WordPress install.

Terraform to deploy Cloudflare firewall rules to protect WordPress install. - GitHub - miketabor/terraform-cloudflare-wordpress-firewall: Terraform to deploy Cloudflare firewall rules to protect WordPress install.

github.com

Google Crawl Errors

If you have issues with Google crawling your site, check this troubleshooting crawl errors page from Cloudflare.

https://support.cloudflare.com/hc/en-us/articles/200169806-Troubleshooting-crawl-errors

Additional Resources

The following is additional Cloudflare firewall rules specific to WordPress that you can also use and combine with the rules above.

A Few Steps to Secure a WordPress Site - Mike Tabor

Use a Password Manager The very first layer of security starts with your password. You could have the most secure server and WordPress setup ever, but if your password is "qwerty" or some other equally awful password, then all that security is for nothing. Good passwords need to be lengthy,…

miketabor.com

9 Useful Cloudflare Page Rules for WordPress Sites [2024]

A list of 9 Cloudflare page rules for WordPress like cache everything and bypassing cache in wp-admin as well as preview pages.

onlinemediamasters.com

Cloudflare Firewall Rules for Securing WordPress Websites | GridPane

Always be sure to check that your site is functioning correctly after implementing any kind of additional security, including the Cloudflare rules detailed in…

gridpane.com

Questions

1 - Using Cloudflare and GridPane

We have a client who has a woocomerce site with logins and is gettting a lot of attention from unwanted traffic, I currently am using cloudflare & F2Ban (F2Ban sending IP Data to Cloudflare) as well as Gridpaine 7 Waf. Client is not happy with the user experience, real clients and at times getting Bland your banned messages, as well as the amount of complaints from users has got client worried security is to strict and turning away clients. They have also now come back with some very specific requests on how they would like the user experience to be, Eg. showing how many attempts left to try, 2FA for admin users, access to a reset password button.

Trying to work out the best way forward for all of this.
The best solution I have come up with is still using Cloudflare but upping from standard security by adding rules IE discovered this from you. Managing WP - All about Managing WordPress – 10 Aug 22

This article stems from assisting someone in the GridPane private Community Forums to lock their site to allow only specific countries and prompt a managed and then using Wordfence for firewall and 2FA along with https://www.limitloginattempts.com/ to give the user experience the Client has requested. (In description this plugin says it works with Wordfence)

Keen to hear your thoughts and the settings you whould use.
do you have a list of what settings you use in wordfence?
do you use the paid wordfence?
what settings do you use in Gridpane security when using Wordfence, 7waf off?(as dont want multiple Waf's) do you use any "additional measures" in Gridpane dash? I see Wordfence looks like it also addresses some of these.

If you decide to go with Cloudflare, turn off all GridPane security for the most part. You will want to keep some options enabled that Cloudflare wouldn't provide, anything that does on-host protection. So, under the "Additional Measures," this would be what I'm speaking to. Any security measures you implement should always be performant, so GridPane additional security will always be performant as it's implemented using the web server and not a PHP plugin, which is less performant.

The rules I provided in that article are pretty much all you need; the rules follow this ideology.

1. Block all automated attacks to /wp-admin with a managed challenge, but allow /admin-ajax.php.
2. Put in a geo-location managed challenge if you service only specific markets. For instance, if 100% of your customer base is in Nort America, then allow Canada and USA through and JS Challenge for the rest.
3. Allow good bots based on Cloudflare's good bot rules.
4. Allow specific services that you require to access your site, ahrefs, betteruptime and etc.

Automated attacks can be headless, which is a script and usually can't bypass the js and managed challenges. There is other software that you can run on a desktop/laptop computer that can bypass js and captcha challenges; the software will show the challenge, and the user has to solve it, and then the software can begin it's attack. You'll find these are more often used for card testing, and less for brute-force attacks.

You could also look at using Cloudflare Access to restrict access to WordPress admin backend; it's a double authentication but would help even further.

How to Use Cloudflare Zero Trust For WordPress Login Pages

These are the steps for protecting your WordPress login page using Cloudflare Zero Trust and eliminate login spam once and for all.

www.wp-tweaks.com

You could still enable fail2ban here with GridPane if someone is targeting you specifically to brute force your admin login or the Limit Login Attempts plugin.

I really only use WordFence for its live patching firewall; if a plugin does have a security issue that can be actively exploited WordFence will live patch and the attack will fail. But it won't protect the site if WordFence doesn't know about the security issue. So just be aware of that, there's lots of ways a plugin with a security issue can make it onto a site, clients uploading plugins, a plugin that hasn't been updated due to a license expiring and etc.

I don't tend to enable malware scanning due to the added resources it requires. Currently, malware scanning for WordPress is inefficient; the two options available are either a plugin scanning your system or a malware scan done through a backup service where the malware scan is offloaded and done by the backup vendor on their servers. The ideal solution is that malware scanning is implemented on your hosting provider and done using an efficient scanning engine that only adds a small amount of overhead.

Security is important; ensure it's done efficiently and as uncomplicated as possible.

2 - Am I reading this correctly that you do not enable Fail2Ban or the 7G Firewall with GridPane

Historic Information

Cloudflare has announced that it will deprecate the legacy Cloudflare Firewall Rules on 02/28/2023. This means that any rules that were created using the old Firewall Rules UI will no longer be supported, and users will need to migrate to the new Firewall Rules UI before the deprecation date.

The Cloudflare Firewall Order and Priority (Deprecated)

There is no longer a firewall order and priority feature; the new Cloudflare Firewall has been replaced by Cloudflare Custom WAF Rules ordering evaluation.

As the title says, there is an order and priority within the Cloudflare Firewall. Here are some excerpts from the Cloudflare Firewall Rules Order Priority page.

See Previous Content about Cloudflare Firewall Order and Priority

You can use IP Access rules to allowlist requests under certain conditions, effectively excluding these requests from all security checks. However, allowing a given country code will not bypass WAF Managed Rulesets or WAF managed rules (previous version)Open external link.

The execution order diagram does not include products powered by the Ruleset Engine like the WAF or Transform Rules.

Keep this diagram in mind when you're troubleshooting, as you may find that your firewall rule might be correct, but there is an IP Access Rule or Rate Limiting Rule affecting traffic.

Cloudflare Firewall List Order and Rule Evaluation

Cloudflare's firewall rules are in list order; they're evaluated in the order they appear in the firewall rules list. You can drag and drop them into order as needed. Here is a nifty gif from the same page on Cloudflare's Developer's site.

You can change the options for rule evaluation from the default "Order" which is drag and drop, to "Priority" by clicking the "Ordering" button on the right.

Drag and Drop vs Priority Ordering

I don't like taking something already written well, so here are some quotes from Cloudflare about Drag and Drop vs Priority Ordering.

By default, Cloudflare evaluates firewall rules in list order, where rules are evaluated in the order they appear in the firewall rules list. List ordering is convenient when working with small numbers of rules because you can manage their order by dragging and dropping them into position. However, as the number of rules grows, managing rules in list order becomes difficult. This is where priority order comes into play.

https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority/

When priority ordering is enabled, Cloudflare evaluates firewall rules in order of their priority number, starting with the lowest. If a request matches two rules with the same priority, action precedence is used to resolve the tie. In this case, only the action of the rule with the highest precedence is executed, unless that action is Log or Bypass (refer to Firewall rules actions for details). Priority ordering makes it a lot easier to manage large numbers of firewall rules, and once the number of rules passes 200, Cloudflare requires it.

https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority/

Cloudflare Firewall Rules Deprecated 02/28/2023

Cloudflare Firewall Rules are now deprecated. For most users, their firewall rules will now be displayed as WAF custom rules in the Cloudflare dashboard. In the future, you will no longer be able to manage firewall rules via Firewall Rules API or through firewall rules’ Terraform resources. All remaining active firewall rules will be disabled.

https://developers.cloudflare.com/waf/reference/migration-guides/firewall-rules-to-custom-rules/

Changelog

• 12-16-2024
  • Moved some information to historic information section.
  • Updated rules to v2 which consildates allow rules and now only takes up four rules.

• 11-10-2023
  • Changes Rule #1 Block to be Rule #2 and Rule #2 Allow to Rule #1
  • Updated Allow to Skip due to Cloudflares change in how rules are generated.

• 06-15-2023
  • Refined article a bit.
  • Added in Question 2 for clarification on Question 1

• 06-14-2023
  • Created a link at the top of the article to go right to the Cloudflare WAF rules.
  • Updated the headings and small design changes.
  • Added deployment via Terraform
  • Added additional resources.
• 06-10-2023
  • Added "/wp-admin/js/password-strength-meter.min.js" to by bypassed on "Rule 3 - Managed Challenge /wp-admin (Managed Challenge)"
  • Added section on testing Cloudflare WAF using firewalker
• 04-06-2023
  • Lots of changes to the structure and content of this article. It was patched together, so I've started to improve it further.
  • Added section discussing Cloudflare WAF Custom rules replacing Cloudflare Firewall.
  • Added section discussing Cloudflare WAF Managed Rules for Free and Pro
  • Lots of updates, too many to list.
• 08-10-2022 - Improved rules overall, condensed rules and labelled them appropriately.
• 08-11-2022
  • Fixed issue with an animated GIF showing how to drag and drop rules.
  • Added a quote on how to use Cloudflare ordering and priority.
  • Added "Google Crawl Errors" section
  • Added Github repository for rules.
• 08-25-2022 - Blocked xmlrpc.php