Table of Contents
- Other Cloudflare Guides
- Introduction
- The Cloudflare WAF
- Cloudflare Firewall Rules Deprecated 02/28/2023
- Cloudflare Custom WAF Rules
- The Cloudflare Firewall Order and Priority (Deprecated)
- Cloudflare Firewall List Order and Rule Evaluation
- Drag and Drop vs Priority Ordering
- Managed Cloudflare WAF Rules
- Free vs Pro Cloudflare Managed WAF Rules
- Cloudflare Pro Managed Rules Previous Version Screenshots
- Cloudflare Pro Managed Rules New Version Screenshots
- What you Need to Know Before Creating WAF Custom Rules
- Locking Down your Site with Cloudflare
- Previous Cloudflare Firewall Rules Screenshot
- Cloudflare WAF Custom Rules Screenshot
- Multiple Expressions with “and/or” in Expression Builder
- Download Rules on GitHub
- Rule 1 - Block URI Query, URL, User Agents, and IPs (Block)
- Rule 2 - Allow URI Query, URL, User Agents, and IPs (Allow)
- Rule 3 - Managed Challenge /wp-admin (Managed Challenge)
- Rule 4 - Allow Good Bots and User Agent/URI/URL Query (Allow)
- Rule 5 - Challenge Outside of GEO (Managed Challenge)
- Review and Testing
- Additional Notes
- Questions
- Changelog
Attention – Always Test!
Ensure you test your Cloudflare rules after implementation, as they can block some services such as backups, monitoring and management services. Also, make sure to use a VPN to test country blocks.
Other Cloudflare Guides
- Rant, Cloudflare Bot Fight Mode doesn't provide firewall bypass or whitelist?
- Using Cloudflare Without Changing your Name Servers
- Cloudflare 520 Errors Explained and Investigated
- Locking Down your WordPress site with Cloudflare WAF Rules
- Protecting the WordPress Admin Login with Cloudflare
- Testing and Reviewing Cloudflare Firewall and WAF Rules
Introduction
This guide was born from my experience helping someone in the GridPane private Community Forums with a similar issue. By providing them with the rules I had used to secure another site, I was able to help them lock down their own site successfully. In this article, we’ll share those same rules so you can protect your website with Cloudflare’s WAF rules.
This guide will focus on using Cloudflare’s WAF rules to secure your website. Whether you’re on the Cloudflare Free Plan or the Pro Plan, we’ll show you how to make the most of your available rules. Following our step-by-step instructions, you can block common WordPress attacks.
It’s important to note that attacks on your WordPress site not only compromise its security but can also cause significant resource wastage on your server. Every time your WordPress site receives an un-cached request, PHP is triggered, generating a response. If there are enough automated malicious requests, your server’s resources may spike, slowing down your site and other sites hosted on the same server. By implementing Cloudflare’s WAF rules, you can prevent these attacks and ensure your server’s resources are used effectively, reducing the risk of downtime due to overloaded server resources and helping your site quickly respond to legitimate requests.
The Cloudflare WAF
Cloudflare’s Web Application Firewall (WAF) is a powerful tool for analyzing and filtering traffic destined to your WordPress site. The Cloudflare WAF analyzes incoming traffic and blocks requests that match predefined rules or patterns. This helps to prevent attacks before they can even reach your server, reducing the risk of data breaches, malware infections, and other security incidents. Most importantly, it reduces the resources wasted on handling malicious requests from automated attacks.
To set up Cloudflare WAF, you’ll need to configure a series of rules that tell the firewall how to handle different types of traffic. These rules can be as simple or complex as you need them to be, and Cloudflare provides a range of prebuilt rules that you can use as a starting point. Once your rules are in place, the WAF will begin monitoring your traffic and blocking any requests that violate your security policies. Overall, Cloudflare WAF is a powerful and effective tool for securing your website against common web application attacks, and it’s a must-have for anyone looking to protect their online assets from malicious actors.
Cloudflare Firewall Rules Deprecated 02/28/2023
Cloudflare has announced that they will be deprecating the legacy Cloudflare Firewall Rules on 02/28/2023. This means that any rules that were created using the old Firewall Rules UI will no longer be supported, and users will need to migrate to the new Firewall Rules UI before the deprecation date.
Cloudflare Firewall Rules are now deprecated. For most users, their firewall rules will now be displayed as WAF custom rules in the Cloudflare dashboard. In the future, you will no longer be able to manage firewall rules via Firewall Rules API or through firewall rules' Terraform resources. All remaining active firewall rules will be disabled.
https://developers.cloudflare.com/waf/reference/migration-guides/firewall-rules-to-custom-rules/
Cloudflare Custom WAF Rules
The new Firewall Rules UI provides a more streamlined and user-friendly experience for creating and managing Firewall Rules. It includes new features such as improved rule management, custom rule groups, and the ability to set multiple actions per rule. Additionally, the new UI is integrated with Cloudflare’s Managed Rules, making it easier to enable and manage Managed Rules for your website.
The main differences between Firewall Rules and WAF custom rules are as follows:
- Improved response for Block action: The Block action in WAF custom rules provides a more detailed response than in Firewall Rules, allowing you to better understand why a request was blocked.
- New Skip action: WAF custom rules include a new Skip action that replaces both the Allow and Bypass actions in Firewall Rules. This provides a more flexible way to handle certain types of traffic.
- Custom rules are evaluated in order: Unlike Firewall Rules, custom rules are evaluated in the order they are defined. This allows you to define more complex rules that take multiple factors into account.
- Logs and events: WAF custom rules provide more detailed logging and events than Firewall Rules, allowing you to better track and analyze traffic to your website.
- New API and Terraform resources: WAF custom rules include a new API and Terraform resources, making it easier to automate the creation and management of custom rules.
New Skip Action Screenshots
WAF Custom Rules Order Evaluation
With custom rules, the order of the rules determines which action is executed. If two custom rules match an incoming request, the action in the first rule will be executed, and the evaluation of other rules will stop. For instance, if the first custom rule has a Block action and the second rule has a Skip action, the request will be blocked, as the Block action stops the evaluation of the remaining rules.
Cloudflare says it best.
Firewall rules actions have a specific order of precedence when using priority ordering. In contrast, custom rules actions do not have such an order. Custom rules are always evaluated in order, and some actions like Block will stop the evaluation of other rules.
For example, if you were using priority ordering and had the following firewall rules with the same priority both matching an incoming request:
Firewall rule #1 - Priority: 2 / Action: Block
Firewall rule #2 - Priority: 2 / Action: Allow
The request would be allowed, since the Allow action in Firewall Rules takes precedence over the Block action.
In contrast, if you create two custom rules where both rules match an incoming request:
Custom rule #1 - Action: Block
Custom rule #2 - Action: Skip (configured to skip all remaining custom rules)
The request would be blocked, since custom rules are evaluated in order and the Block action will stop the evaluation of other rules.
https://developers.cloudflare.com/waf/reference/migration-guides/firewall-rules-to-custom-rules/#custom-rules-are-evaluated-in-order
The Cloudflare Firewall Order and Priority (Deprecated)
There is no longer a firewall order and priority feature; Cloudflare Firewall Rules have been replaced by Cloudflare Custom WAF Rules and their in-order evaluation.
As the title says, there is an order and priority within the Cloudflare Firewall. Here are some excerpts from the Cloudflare Firewall Rules Order Priority page.
You can use IP Access rules to allowlist requests under certain conditions, effectively excluding these requests from all security checks. However, allowing a given country code will not bypass WAF Managed Rulesets or WAF managed rules (previous version).
The execution order diagram does not include products powered by the Ruleset Engine like the WAF or Transform Rules.
Keep this diagram in mind when you’re troubleshooting, as you may find that your firewall rule might be correct, but there is an IP Access Rule or Rate Limiting Rule affecting traffic.
Cloudflare Firewall List Order and Rule Evaluation
Cloudflare’s firewall rules are in list order; they’re evaluated in the order they appear in the firewall rules list. You can drag and drop them into order as needed. Here is a nifty gif from the same page on Cloudflare’s Developer’s site.
You can change the options for rule evaluation from the default “Order” which is drag and drop, to “Priority” by clicking the “Ordering” button on the right.
Drag and Drop vs Priority Ordering
I don’t like taking something already written well, so here are some quotes from Cloudflare about Drag and Drop vs Priority Ordering.
By default, Cloudflare evaluates firewall rules in list order, where rules are evaluated in the order they appear in the firewall rules list. List ordering is convenient when working with small numbers of rules because you can manage their order by dragging and dropping them into position. However, as the number of rules grows, managing rules in list order becomes difficult. This is where priority order comes into play.
https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority/
When priority ordering is enabled, Cloudflare evaluates firewall rules in order of their priority number, starting with the lowest. If a request matches two rules with the same priority, action precedence is used to resolve the tie. In this case, only the action of the rule with the highest precedence is executed, unless that action is Log or Bypass (refer to Firewall rules actions for details). Priority ordering makes it a lot easier to manage large numbers of firewall rules, and once the number of rules passes 200, Cloudflare requires it.
https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority/
Managed Cloudflare WAF Rules
Managed rules are pre-built sets of WAF rules from Cloudflare designed to protect against common attacks, such as SQL injection, cross-site scripting, and more. Cloudflare manages and updates these rules, meaning you don’t need to worry about configuring them yourself. Instead, you can enable the rules you need and let Cloudflare handle the rest.
Managed rules are available in various categories, including OWASP Top 10, WordPress, Drupal, and more. Each category contains a set of rules tailored to the specific needs of the platform or application, helping to ensure that your site is protected against the latest threats. Additionally, Cloudflare periodically updates these rules to ensure they remain effective against new and emerging attack vectors.
Free vs Pro Cloudflare Managed WAF Rules
Under the Free plan, users can access a limited set of Cloudflare Managed WAF Rules, which are pre-built rule sets designed to protect against specific types of attacks. The Free plan includes up to five Cloudflare Managed WAF Rules, while the Pro plan includes up to 20.
One of the most significant benefits of the Pro plan is access to frequent rule updates. Cloudflare regularly updates its Managed WAF Rules to help protect against the latest threats, and Pro plan users get priority access to these updates.
Cloudflare announced on 03/15/2022 that there would be a Free Managed WAF Ruleset for all Cloudflare Customers.
Cloudflare Pro Managed Rules Previous Version Screenshots
Here are some screenshots of the Cloudflare Managed Rules under a Pro Account.





Cloudflare Pro Managed Rules New Version Screenshots




What you Need to Know Before Creating WAF Custom Rules
Here are some important points to consider before you create WAF Custom Rules.
Traffic Sequence
Understanding how traffic flows through Cloudflare servers on the edge is crucial for troubleshooting. While Cloudflare provides a helpful diagram to visualize this flow, it’s unfortunately not always easy to find. The diagram typically appears to the left of each service you’re using, serving as a reminder of when your service is engaged on the edge.
The traffic sequence diagram illustrates how your website’s traffic flows through Cloudflare’s servers on the edge. This includes the steps of a request, such as DNS resolution, SSL negotiation, caching, and more. By understanding this flow, you can identify potential issues when troubleshooting.
IP Access Rules
Always check the access rules under your account; as with IP Lists, they can be domain-specific or account-specific. So any domains you have access to due to being a member of the account will not utilize account-specific rules.
Adding Cloudflare Rules using Expression Builder
In this guide, we’ll show you how to add Cloudflare rules using the expression builder. This powerful tool allows you to create complex rules to protect your website against a wide range of threats, including SQL injection, cross-site scripting, and more. By following our step-by-step instructions, you can easily configure the expression builder and create rules tailored to your specific needs. Below is an animated GIF showing how this is done.
Cloudflare WAF Challenges
Cloudflare protects websites by challenging visitor traffic in several different situations, including:
- When a visitor’s IP address has shown suspicious behavior online, as tracked by Project Honeypot.
- When the website owner has blocked the country associated with the visitor’s IP address.
- When the visitor’s actions have triggered a firewall rule enabled by the website owner.
If a visitor passes the challenge, their request is allowed to proceed. However, if they fail the challenge, their request will be blocked to protect the website against potential threats.
Managed Challenge
With managed challenges, Cloudflare selects the appropriate type of challenge based on the characteristics of a request, reducing the need for CAPTCHAs and minimizing the impact on human users. Depending on the characteristics of a request, Cloudflare may choose to present a non-interactive challenge page, a custom interactive challenge (such as clicking a button), or Private Access Tokens (using recent Apple operating systems), among other options.
JS Challenge
JS challenges are presented to visitors as a challenge page that requires no interaction, but instead relies on JavaScript processing by the visitor’s browser. The visitor will need to wait until their browser finishes processing the JavaScript, which typically takes less than five seconds.
Interactive Challenge
Interactive challenges, on the other hand, require visitors to actively engage with the challenge page by solving an interactive challenge. However, Cloudflare does not recommend using interactive challenges, as they can impact legitimate traffic and reduce the usability of your website.
You can read more about Cloudflare challenges at https://developers.cloudflare.com/fundamentals/get-started/concepts/cloudflare-challenges/
Locking Down your Site with Cloudflare
Attention
This guide is updated regularly, so check back frequently and reference the changelog at the bottom.
Here’s a screenshot of the typical rules you will create in the Cloudflare WAF; the rules below achieve the following.
- Block URL Queries, URLs, User Agents
- Challenge all traffic outside Canada with a JS Challenge.
Previous Cloudflare Firewall Rules Screenshot
Cloudflare WAF Custom Rules Screenshot
Multiple Expressions with “and/or” in Expression Builder
It’s important to be cautious when using multiple “and/or” expressions in a rule, as these may not always work correctly. When creating a rule that involves multiple expressions, it’s essential to test it thoroughly to ensure that it functions as expected. In some cases, creating separate rules for different conditions may be a more effective approach.
For example, if you’re trying to apply a rule that challenges traffic outside of Canada, incorporating “and/or” expressions may break the rule. Instead, it may be more effective to create a separate rule for the Challenge outside of Canada condition. By separating the conditions into individual rules, you can avoid potential conflicts and ensure that your website’s security is not compromised.
Download Rules on GitHub
You can access all the mentioned rules below in a single-page GitHub markdown document if you want to implement these rules. Please note, these may be updated more frequently than this page.
Rule 1 - Block URI Query, URL, User Agents, and IPs (Block)
Use this rule for all your blocking rules, URI Queries, URLs, User Agents and IPs. I don't have much here, except for /xmlrpc.php because we all know why.
Action: Block
(http.request.uri.path eq "/wp-content/uploads/wp-activity-log/non_mirrored_logs.json") or (http.request.uri.path eq "/xmlrpc.php")
Rule 2 - Allow URI Query, URL, User Agents, and IPs (Allow)
Use this rule to allow URI Queries, URLs, User Agents and IPs if the traffic is not caught by Rule 4 (Allow Good Bots). Unfortunately, Blogvault and WP Umbrella don't set a custom User-Agent header, so you must use their IPs. Always reference Blogvault and WP Umbrella. You can add any IPs you want to allow past the WAF to this list.
For the most part I've been using User-Agents here instead. Granted, hackers could bypass this by faking their user agents. We're more concerned about automated attacks at this point, and until hackers start faking User Agents, it's not a concern.
Action: Allow
(ip.src in {88.99.145.111 88.99.145.112 195.201.197.31 136.243.130.174 144.76.236.242 136.243.130.52 116.202.131.150 116.202.233.15 116.202.193.3 168.119.2.157 49.12.124.233 88.99.146.248 139.180.140.55 104.248.114.9 192.81.221.63 45.63.10.187 45.76.137.73 45.76.183.23 159.223.99.132 198.211.127.63 45.76.126.238 159.223.105.100 161.35.121.79 208.68.38.165 147.182.131.77 174.138.35.170 149.28.228.237 45.77.106.232 140.82.15.60 108.61.142.158 45.77.220.240 67.205.160.142 137.184.156.126 157.245.142.130 159.223.127.73 198.211.127.43 198.211.123.140 82.196.0.67 188.166.158.7 46.101.79.124 192.248.168.22 78.141.225.57 95.179.214.63 104.238.190.161 95.179.208.185 95.179.220.182 66.135.5.151 45.32.7.254 149.28.227.238 8.9.37.67 149.28.231.28 142.132.211.19 142.132.211.18 142.132.211.17 159.223.166.150 167.172.146.73 143.198.184.39 161.35.123.156 147.182.139.65 198.211.125.219 185.14.187.177 192.81.222.35 209.97.131.196 209.97.135.165 104.238.170.64 78.141.244.3 217.69.0.229 45.63.115.86 108.61.123.152 45.32.144.195 140.82.12.121 45.77.99.218 45.63.11.48 149.28.45.216 209.222.10.118 141.95.192.2})
Rule 3 - Managed Challenge /wp-admin (Managed Challenge)
Self-explanatory: this rule requires a managed challenge to access /wp-admin but allows /wp-admin/admin-ajax.php, because plugins trigger it on the front end for non-logged-in users. It's been asked why Managed Challenge, and for the most part this is totally up to you; you can use whatever you like. This should really be set to Interactive Challenge if you want to force a captcha. I want to play it safe for now.
Action: Managed Challenge
(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php")
Rule 4 - Allow Good Bots and User Agent/URI/URL Query (Allow)
This rule will allow known Cloudflare good bots; some might not be good bots to you. Double-check their list at https://radar.cloudflare.com/verified-bots
I have also added some custom detection via User-Agent and URI Query. Some might think this isn't secure, and IP is the only 100% secure method. If something uses the User-Agent Better Uptime, it's a targeted attack, not automated, and there's a more significant issue.
- Shipstation
- Metorik
- Wordfence Central
- Better Uptime
Feel free to add any services you wish here.
Action: Allow
(cf.client.bot) or (http.user_agent contains "Metorik API Client") or (http.user_agent contains "Wordfence Central API") or (http.request.uri.query contains "wc-api=wc_shipstation") or (http.user_agent eq "Better Uptime Bot") or (http.user_agent eq "ShortPixel")
Rule 5 - Challenge Outside of GEO (Managed Challenge)
This rule is optional, but you can require all traffic outside of your known target geographical market to pass a challenge. This is set to JS Challenge as you want to make sure the visitor is using a browser that can process JavaScript. Managed Challenge could also work.
Update - I've updated this to Managed Challenge as I believe it would be better in this case.
Action: Managed Challenge
(ip.geoip.country ne "CA")
Review and Testing
As always, review and test your Cloudflare Firewall/WAF rules. Here's a guide that talks about this specific subject.
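The in-order evaluation Cloudflare describes, applied to the five rules above, as an added example that is not the author's or Cloudflare's code. The expressions are hand-translated into Python predicates, each Allow is modelled as a Skip of all remaining custom rules, the allowlist is cut to the first two IPs of Rule 2, and the request fields and sample requests are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable

# First two addresses of the page's Rule 2 list; the full list behaves the same.
ALLOWED_IPS = {ip_address("88.99.145.111"), ip_address("88.99.145.112")}


@dataclass
class Request:
    path: str
    query: str = ""
    user_agent: str = "Mozilla/5.0"
    ip: str = "203.0.113.7"      # constructed (documentation range)
    country: str = "CA"
    verified_bot: bool = False   # stands in for cf.client.bot


@dataclass
class Rule:
    name: str
    action: str                  # "block", "skip" or "managed_challenge"
    matches: Callable[[Request], bool]


def wp_admin(r):                 # Rule 3 expression
    return "/wp-login.php" in r.path or (
        "/wp-admin/" in r.path and r.path != "/wp-admin/admin-ajax.php")


def good_bot(r):                 # Rule 4 expression
    return (r.verified_bot
            or "Metorik API Client" in r.user_agent
            or "Wordfence Central API" in r.user_agent
            or "wc-api=wc_shipstation" in r.query
            or r.user_agent in ("Better Uptime Bot", "ShortPixel"))


RULES = [
    Rule("1 block", "block", lambda r: r.path in (
        "/wp-content/uploads/wp-activity-log/non_mirrored_logs.json",
        "/xmlrpc.php")),
    Rule("2 allow IPs", "skip", lambda r: ip_address(r.ip) in ALLOWED_IPS),
    Rule("3 challenge wp-admin", "managed_challenge", wp_admin),
    Rule("4 allow good bots", "skip", good_bot),
    Rule("5 challenge outside CA", "managed_challenge",
         lambda r: r.country != "CA"),
]


def evaluate(request, rules=RULES):
    """Walk the rules top to bottom; the first match decides the outcome.

    Block and Managed Challenge end evaluation, and Skip (as configured
    here) skips every remaining custom rule, so nothing after the first
    matching rule is consulted. Returns (rule name, action).
    """
    for rule in rules:
        if rule.matches(request):
            return rule.name, rule.action
    return None, "pass"


# Constructed requests that exercise the ordering, not just single rules.
CASES = {
    "allowlisted IP hitting xmlrpc": Request("/xmlrpc.php", ip="88.99.145.111"),
    "allowlisted IP in wp-admin": Request("/wp-admin/index.php", ip="88.99.145.111"),
    "verified bot on wp-login": Request("/wp-login.php", verified_bot=True),
    "uptime monitor from DE": Request("/", user_agent="Better Uptime Bot", country="DE"),
    "US visitor calling admin-ajax": Request("/wp-admin/admin-ajax.php", country="US"),
    "CA visitor on home page": Request("/"),
}


def report(rules=RULES):
    """Map each sample case to the (rule, action) that decided it."""
    return {label: evaluate(req, rules) for label, req in CASES.items()}


if __name__ == "__main__":
    for label, outcome in report().items():
        print(f"{label:32} -> {outcome}")
```

With this order a verified bot is still challenged on /wp-login.php because Rule 3 sits above Rule 4, and an allowlisted backup IP is still blocked on /xmlrpc.php because Rule 1 sits above Rule 2; pass a reordered list to `report()` to see how a drag-and-drop change alters the result.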
Additional Notes
Automating Rule Setup for Multiple Domains
This is something that can be scripted via the API. I will hopefully be releasing a script to do this. Update - I have released the script; it's not 100%, but it works, and I will be improving it as I see fit. It's within the same GitHub repository as the rules, and the file name is cloudflare-wordpress-rules.s
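One way to script the five rules across several zones with the Cloudflare Rulesets API, as an added example that is not the author's script from the repository. The environment variable names (CF_API_TOKEN, CF_ZONE_IDS, CF_APPLY) and the two Rule 2 addresses are constructed placeholders, and each Allow rule is written as a Skip of the remaining custom rules.

```python
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_firewall_custom"   # phase that holds WAF custom rules

# (description, action named on the page, expression). List order is
# evaluation order, so it must match the order the rules are meant to run in.
PAGE_RULES = [
    ("Rule 1 - Block", "Block",
     '(http.request.uri.path eq "/wp-content/uploads/wp-activity-log/'
     'non_mirrored_logs.json") or (http.request.uri.path eq "/xmlrpc.php")'),
    ("Rule 2 - Allow IPs", "Allow",
     # Constructed placeholder addresses; substitute the Rule 2 list.
     "(ip.src in {192.0.2.10 192.0.2.11})"),
    ("Rule 3 - Managed Challenge /wp-admin", "Managed Challenge",
     '(http.request.uri.path contains "/wp-login.php") or '
     '(http.request.uri.path contains "/wp-admin/" and '
     'http.request.uri.path ne "/wp-admin/admin-ajax.php")'),
    ("Rule 4 - Allow Good Bots", "Allow",
     '(cf.client.bot) or (http.user_agent contains "Metorik API Client") or '
     '(http.user_agent contains "Wordfence Central API") or '
     '(http.request.uri.query contains "wc-api=wc_shipstation") or '
     '(http.user_agent eq "Better Uptime Bot") or '
     '(http.user_agent eq "ShortPixel")'),
    ("Rule 5 - Challenge Outside of GEO", "Managed Challenge",
     '(ip.geoip.country ne "CA")'),
]

# Custom rules have no Allow action; Skip replaces it.
ACTIONS = {"Block": "block", "Managed Challenge": "managed_challenge",
           "Allow": "skip"}


def build_payload():
    """Build the request body: one rule object per page rule, in order."""
    rules = []
    for description, page_action, expression in PAGE_RULES:
        rule = {"description": description, "expression": expression,
                "action": ACTIONS[page_action], "enabled": True}
        if rule["action"] == "skip":
            # Skip all remaining rules in this (custom rules) ruleset.
            rule["action_parameters"] = {"ruleset": "current"}
        rules.append(rule)
    return {"rules": rules}


def build_request(zone_id, token):
    """PUT to the zone's custom-rules entry point (replaces its rule list)."""
    url = f"{API}/zones/{zone_id}/rulesets/phases/{PHASE}/entrypoint"
    return urllib.request.Request(
        url, data=json.dumps(build_payload()).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def deploy(zone_ids, token, apply=False):
    """Dry-run by default; with apply=True send the request for each zone."""
    results = {}
    for zone_id in zone_ids:
        req = build_request(zone_id, token)
        if not apply:
            results[zone_id] = f"DRY RUN {req.get_method()} {req.full_url}"
            continue
        with urllib.request.urlopen(req, timeout=30) as resp:
            results[zone_id] = json.load(resp).get("success", False)
    return results


if __name__ == "__main__":
    zones = os.environ.get("CF_ZONE_IDS", "").split()
    print(deploy(zones, os.environ.get("CF_API_TOKEN", ""),
                 apply=os.environ.get("CF_APPLY") == "1"))
```

Because the PUT replaces whatever custom rules the zone already has, run the dry run first and export any existing rules you want to keep before applying.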
Google Crawl Errors
If you have issues with Google crawling your site, check this troubleshooting crawl errors page from Cloudflare.
https://support.cloudflare.com/hc/en-us/articles/200169806-Troubleshooting-crawl-errors
Questions
Using Cloudflare and GridPane
We have a client who has a WooCommerce site with logins and is getting a lot of attention from unwanted traffic. I currently am using Cloudflare & F2Ban (F2Ban sending IP data to Cloudflare) as well as GridPane 7 WAF. Client is not happy with the user experience; real clients are at times getting bland "you're banned" messages, and the amount of complaints from users has got the client worried security is too strict and turning away clients. They have also now come back with some very specific requests on how they would like the user experience to be, e.g. showing how many attempts are left to try, 2FA for admin users, access to a reset password button.
Trying to work out the best way forward for all of this.
The best solution I have come up with is still using Cloudflare but upping from standard security by adding rules IE discovered this from you. Managing WP - All about Managing WordPress - 10 Aug 22 This article stems from assisting someone in the GridPane private Community Forums to lock their site to allow only specific countries and prompt a managed and then using Wordfence for firewall and 2FA along with https://www.limitloginattempts.com/ to give the user experience the Client has requested. (In description this plugin says it works with Wordfence)
Keen to hear your thoughts and the settings you would use.
Do you have a list of what settings you use in Wordfence?
Do you use the paid Wordfence?
What settings do you use in GridPane security when using Wordfence, 7WAF off? (as I don't want multiple WAFs) Do you use any "additional measures" in GridPane dash? I see Wordfence looks like it also addresses some of these.
If you decide to go with Cloudflare, turn off all GridPane security for the most part. You will want to keep some options enabled that Cloudflare wouldn't provide, anything that does on-host protection. So under the "Additional Measures," this would be what I'm speaking to. Any security measures you implement should always be performant, so GridPane's additional security will always be performant as it's implemented using the web server and not a PHP plugin, which is less performant.
The rules that I provided in that article are pretty much all you need; the rules pretty much follow this ideology.
- Block all automated attacks to /wp-admin with a managed challenge, but allow /admin-ajax.php.
- Put in a geo-location managed challenge if you service only specific markets. For instance, if 100% of your customer base is in North America, then allow Canada and USA through and JS Challenge for the rest.
- Allow good bots based on Cloudflare's good bot rules.
- Allow specific services that you require to access your site, ahrefs, betteruptime and etc.
Automated attacks can be headless, which is a script and usually can't bypass the JS and managed challenges. There is other software that you can run on a desktop/laptop computer that can bypass JS and captcha challenges; the software will show the challenge and the user has to solve it, and then the software can begin its attack. You'll find these are more often used for card testing, and less for brute-force attacks.
You could also look at using Cloudflare Access to restrict access to WordPress admin backend, it's a double authentication but would help even further.
You could also still enable fail2ban here with GridPane if someone is targeting you specifically to brute force your admin login, or the Limit Login Attempts plugin.
I really only use WordFence for its live patching firewall, if a plugin does have a security issue that can be actively exploited WordFence will live patch and the attack will fail. But it won't protect the site if WordFence doesn't know about the security issue. So just be aware of that, there's lots of ways a plugin with a security issue can make it onto a site, clients uploading plugins, a plugin that hasn't been updated due to a license expiring and etc.
I don't tend to enable malware scanning due to the added resources it requires. Right now, malware scanning for WordPress is inefficient; the two options available are either a plugin scanning your system or a malware scan done through a backup service where the malware scan is offloaded and done by the backup vendor on their servers. The ideal solution is that malware scanning is implemented on your hosting provider and done using an efficient scanning engine that only adds a small amount of overhead.
Security is important; ensure it's done efficiently and as uncomplicated as possible.
Changelog
- 04-06-2023
- Lots of changes to the structure and content of this article. It was patched together, so I've started to improve it further.
- Added section discussing Cloudflare WAF Custom rules replacing Cloudflare Firewall.
- Added section discussing Cloudflare WAF Managed Rules for Free and Pro
- Lots of updates, too many to list.
- 08-10-2022 - Improved rules overall, condensed rules and labelled them appropriately.
- 08-11-2022
- Fixed issue with an animated GIF showing how to drag and drop rules.
- Added a quote on how to use Cloudflare ordering and priority.
- Added "Google Crawl Errors" section
- Added Github repository for rules.
- 08-25-2022 - Blocked xmlrpc.php
Cloudflare Firewall Rules is part of a larger evaluation chain for HTTP requests, as illustrated in the diagram below. For example, Firewall Rules only evaluates requests that first clear IP Access rules. If a request is blocked by a rule at any stage in the chain, Cloudflare does not evaluate the request further.
https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority/#overview