Secure, Protect and Lock Down your WordPress site with Cloudflare Firewall and WAF Rules


Attention – Always Test!

Make sure you test your Cloudflare rules after implementation, as they can block some services such as backups, monitoring and management services. Also, make sure to use a VPN to test country blocks.

What this guide will cover.

This article stems from assisting someone in the GridPane private Community Forums to lock their site to allow only specific countries and prompt a managed challenge to the rest of the world. Since I had already done this for a site I manage, I provided all the rules and was able to help this individual with their issue.

Cloudflare WAF Rules

In this guide, we will focus on using the Cloudflare WAF rules. Now with the Cloudflare Free Plan, you get five free rules; with the Cloudflare Pro Plan, you get 20, so you will need to get creative with your rules if you’re on the free plan.

The Cloudflare Firewall Order and Priority

As the title says, there is an order and priority within the Cloudflare Firewall. Here are some excerpts from the Cloudflare Firewall Rules Order Priority page.

Cloudflare Firewall Rules is part of a larger evaluation chain for HTTP requests, as illustrated in the diagram below. For example, Firewall Rules only evaluates requests that first clear IP Access rules. If a request is blocked by a rule at any stage in the chain, Cloudflare does not evaluate the request further.

https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority/#overview

You can use IP Access rules to allowlist requests under certain conditions, effectively excluding these requests from all security checks. However, allowing a given country code will not bypass WAF Managed Rulesets or WAF managed rules (previous version).

The execution order diagram does not include products powered by the Ruleset Engine like the WAF or Transform Rules.

Keep this diagram in mind when you’re troubleshooting, as you may find that your firewall rule is correct but an IP Access Rule or Rate Limiting Rule already in place is affecting the traffic.

Cloudflare Firewall List Order and Rule Evaluation

Cloudflare’s firewall rules are in list order; they’re evaluated in the order they appear in the firewall rules list. You can drag and drop them into order as needed. Here is a nifty gif from the same page on Cloudflare’s Developer’s site.

You can change the options for rule evaluation from the default “Order” which is drag and drop, to “Priority” by clicking the “Ordering” button on the right.

Drag and Drop vs Priority Ordering

I don’t like rewriting something that’s already written well, so here are some quotes from Cloudflare about Drag and Drop vs Priority Ordering.

By default, Cloudflare evaluates firewall rules in list order, where rules are evaluated in the order they appear in the firewall rules list. List ordering is convenient when working with small numbers of rules because you can manage their order by dragging and dropping them into position. However, as the number of rules grows, managing rules in list order becomes difficult. This is where priority order comes into play.

https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority/

When priority ordering is enabled, Cloudflare evaluates firewall rules in order of their priority number, starting with the lowest. If a request matches two rules with the same priority, action precedence is used to resolve the tie. In this case, only the action of the rule with the highest precedence is executed, unless that action is Log or Bypass (refer to Firewall rules actions for details). Priority ordering makes it a lot easier to manage large numbers of firewall rules, and once the number of rules passes 200, Cloudflare requires it.

https://developers.cloudflare.com/firewall/cf-firewall-rules/order-priority/

Traffic Sequence

Unfortunately, Cloudflare tucks this little diagram away, usually to the left of whichever service you’re in, as a reminder of when that service engages at the edge. It gives a clearer picture of how traffic flows through Cloudflare’s edge servers.

Additional Features to Consider

IP Lists

You can use IP Lists, which help you manage large lists of IP addresses. However, they’re account-specific and won’t work on domains you can only access as a member of another account.

https://developers.cloudflare.com/firewall/cf-dashboard/rules-lists/

IP Access Rules

Always check the access rules under your account; as with IP Lists, they can be domain-specific or account-specific. Any domains you can access only because you’re a member of another account will not use that account’s account-specific rules.

How to Add Cloudflare Rules

The following video section will show you how to add the Cloudflare rules below.

Locking Down your Site with Cloudflare

Attention

This guide is updated regularly, so check back frequently and reference the changelog at the bottom.

Here’s a screenshot of the typical rules you will create in the Cloudflare WAF; this site blocks all traffic outside Canada with a JS Challenge.

Multiple Expressions with “and/or”

You don’t always want a rule that uses multiple “and/or” expressions, as these will not always work correctly. I’m still not 100% sure why this is, which is why you see the challenge outside of Canada as a separate rule. Trying to fold it in with “and/or” breaks the rule.

GitHub List of Rules

You can access all the mentioned rules below in a single-page GitHub markdown document if you want to implement these rules.

Rule 1 - Block URI Query, URL, User Agents, and IPs (Block)

Use this rule for all your blocking rules, URI Queries, URLs, User Agents and IPs. I don't have much here.

Action: Block

(http.request.uri.path eq "/wp-content/uploads/wp-activity-log/non_mirrored_logs.json") or (http.request.uri.path eq "/xmlrpc.php")

Rule 2 - Allow URI Query, URL, User Agents, and IPs (Allow)

Use this rule to allow URI Queries, URLs, User Agents and IPs. I don't have much here.

Unfortunately, Blogvault and WP Umbrella don't set a custom User-Agent header, so you must allow their IPs. Always reference Blogvault's and WP Umbrella's current IP lists. You can add any other IPs you want to allow past the WAF to this list.

Action: Allow

(ip.src in {88.99.145.111 88.99.145.112 195.201.197.31 136.243.130.174 144.76.236.242 136.243.130.52 116.202.131.150 116.202.233.15 116.202.193.3 168.119.2.157 49.12.124.233 88.99.146.248 139.180.140.55 104.248.114.9 192.81.221.63 45.63.10.187 45.76.137.73 45.76.183.23 159.223.99.132 198.211.127.63 45.76.126.238 159.223.105.100 161.35.121.79 208.68.38.165 147.182.131.77 174.138.35.170 149.28.228.237 45.77.106.232 140.82.15.60 108.61.142.158 45.77.220.240 67.205.160.142 137.184.156.126 157.245.142.130 159.223.127.73 198.211.127.43 198.211.123.140 82.196.0.67 188.166.158.7 46.101.79.124 192.248.168.22 78.141.225.57 95.179.214.63 104.238.190.161 95.179.208.185 95.179.220.182 66.135.5.151 45.32.7.254 149.28.227.238 8.9.37.67 149.28.231.28 142.132.211.19 142.132.211.18 142.132.211.17 159.223.166.150 167.172.146.73 143.198.184.39 161.35.123.156 147.182.139.65 198.211.125.219 185.14.187.177 192.81.222.35 209.97.131.196 209.97.135.165 104.238.170.64 78.141.244.3 217.69.0.229 45.63.115.86 108.61.123.152 45.32.144.195 140.82.12.121 45.77.99.218 45.63.11.48 149.28.45.216 209.222.10.118 141.95.192.2})

Rule 3 - Managed Challenge /wp-admin (Managed Challenge)

Self-explanatory: this requires a managed challenge to access /wp-admin but allows /wp-admin/admin-ajax.php, since plugins call it on the front end for non-logged-in users.

Action: Managed Challenge

(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php")

Rule 4 - Allow Good Bots and User Agent/URI/URL Query (Allow)

This rule will allow known Cloudflare good bots; some might not be good bots to you. Double-check their list at https://radar.cloudflare.com/verified-bots

I have also added some custom detection via User-Agent and URI Query. Some might think this isn't secure and that IP is the only 100% reliable method. But if something uses the Better Uptime User-Agent to get through, it's a targeted attack, not an automated one, and there's a more significant issue to deal with.

  • Shipstation
  • Metorik
  • Wordfence Central
  • Better Uptime

Feel free to add any services you wish here.

Action: Allow

(cf.client.bot) or (http.user_agent contains "Metorik API Client") or (http.user_agent contains "Wordfence Central API") or (http.request.uri.query contains "wc-api=wc_shipstation") or (http.user_agent eq "Better Uptime Bot") or (http.user_agent eq "ShortPixel")

Rule 5 - Challenge Outside of GEO (JS Challenge)

This rule is optional, but you can require all traffic outside of your known target geographical market to pass a challenge.

Action: JS Challenge

(ip.geoip.country ne "CA")
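To see why the list order covered earlier matters for the five rules above, here is an added Python simulation (my own illustration, not Cloudflare's engine or code from this article) that re-expresses each rule as a predicate and returns the action of the first rule that matches. It assumes a simplified request dict with ip, country, path, ua and optional query/verified_bot fields, and uses only a constructed subset of the Rule 2 IPs.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class Rule:
    name: str
    action: str   # block | allow | managed_challenge | js_challenge
    match: Callable[[dict], bool]

# Constructed subset of Rule 2's IPs and Rule 4's User-Agents from the article.
ALLOWED_IPS = {"88.99.145.111", "139.180.140.55"}
ALLOWED_UAS = ("Metorik API Client", "Wordfence Central API")

def wp_admin_match(r: dict) -> bool:
    # Rule 3: wp-login.php, or anything under /wp-admin/ except admin-ajax.php
    path = r["path"]
    return "/wp-login.php" in path or (
        "/wp-admin/" in path and path != "/wp-admin/admin-ajax.php")

def good_bot_match(r: dict) -> bool:
    # Rule 4: cf.client.bot plus the custom User-Agent / query checks
    return (r.get("verified_bot", False)
            or any(ua in r["ua"] for ua in ALLOWED_UAS)
            or "wc-api=wc_shipstation" in r.get("query", "")
            or r["ua"] in ("Better Uptime Bot", "ShortPixel"))

RULES: List[Rule] = [
    Rule("1 block paths", "block", lambda r: r["path"] in (
        "/wp-content/uploads/wp-activity-log/non_mirrored_logs.json", "/xmlrpc.php")),
    Rule("2 allow backup IPs", "allow", lambda r: r["ip"] in ALLOWED_IPS),
    Rule("3 challenge wp-admin", "managed_challenge", wp_admin_match),
    Rule("4 allow good bots", "allow", good_bot_match),
    Rule("5 challenge non-CA", "js_challenge", lambda r: r["country"] != "CA"),
]

def evaluate(req: dict, rules: List[Rule] = RULES) -> str:
    """First matching rule wins, mirroring list-order evaluation of
    terminating actions; 'pass' means no rule matched."""
    for rule in rules:
        if rule.match(req):
            return rule.action
    return "pass"

if __name__ == "__main__":
    # Constructed sample requests; 203.0.113.5 is a documentation address.
    backup = {"ip": "88.99.145.111", "country": "US", "path": "/wp-admin/", "ua": "curl/8"}
    ajax_us = {"ip": "203.0.113.5", "country": "US", "path": "/wp-admin/admin-ajax.php", "ua": "Mozilla/5.0"}
    print(evaluate(backup))                         # allow: Rule 2 fires before Rules 3 and 5
    print(evaluate(ajax_us))                        # js_challenge: Rule 3 skips admin-ajax, Rule 5 matches
    print(evaluate(backup, RULES[4:] + RULES[:4]))  # js_challenge: geo rule moved to the top
```

Moving the geo challenge above the allow rule is exactly the kind of reordering that silently breaks backups, which is why the "Always Test" warning at the top applies after every drag-and-drop.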

Review and Testing

As always, review and test your Cloudflare Firewall/WAF rules. Here's a guide that talks about this specific subject.

Additional Notes

Automating Rule Setup for Multiple Domains

This is something that can be scripted via the API. I will hopefully be releasing a script to do this 🙂

Google Crawl Errors

If you have issues with Google crawling your site, check this troubleshooting crawl errors page from Cloudflare.

https://support.cloudflare.com/hc/en-us/articles/200169806-Troubleshooting-crawl-errors

Conclusion

I will be updating this regularly to add more information 🙂 Please comment if you see an error or have a suggestion.

Questions

Using Cloudflare and GridPane

We have a client who has a WooCommerce site with logins and is getting a lot of attention from unwanted traffic. I currently am using Cloudflare & F2Ban (F2Ban sending IP data to Cloudflare) as well as GridPane 7 WAF. The client is not happy with the user experience; real clients are at times getting bland "you're banned" messages, and the amount of complaints from users has got the client worried security is too strict and turning away clients. They have also now come back with some very specific requests on how they would like the user experience to be, e.g. showing how many attempts are left to try, 2FA for admin users, and access to a reset password button.

Trying to work out the best way forward for all of this.
The best solution I have come up with is still using Cloudflare but upping from standard security by adding rules, i.e. I discovered this from you:
Managing WP - All about Managing WordPress – 10 Aug 22
and then using Wordfence for firewall and 2FA along with https://www.limitloginattempts.com/ to give the user experience the client has requested. (In the description this plugin says it works with Wordfence.)

Keen to hear your thoughts and the settings you would use.
Do you have a list of what settings you use in Wordfence?
Do you use the paid Wordfence?
What settings do you use in GridPane security when using Wordfence, 7 WAF off? (As I don't want multiple WAFs.) Do you use any "additional measures" in the GridPane dash? I see Wordfence looks like it also addresses some of these.

If you decide to go with Cloudflare, turn off all GridPane security for the most part. You will want to keep some options enabled that Cloudflare wouldn't provide, anything that does on-host protection. So under the "Additional Measures," this would be what I'm speaking to. Any security measures you implement should always be performant, so GridPane's additional security will always be performant as it's implemented using the web server and not a PHP plugin, which is less performant.

The rules that I provided in that article are pretty much all you need; the rules pretty much follow this ideology.

  1. Block all automated attacks to /wp-admin with a managed challenge, but allow /admin-ajax.php.
  2. Put in a geo-location managed challenge if you service only specific markets. For instance, if 100% of your customer base is in North America, then allow Canada and the USA through and JS Challenge the rest.
  3. Allow good bots based on Cloudflare's good bot rules.
  4. Allow specific services that you require to access your site, ahrefs, betteruptime and etc.

Automated attacks can be headless, which is a script and usually can't bypass the JS and managed challenges. There is other software that you can run on a desktop/laptop computer that can bypass JS and captcha challenges: the software will show the challenge, the user has to solve it, and then the software can begin its attack. You'll find these are more often used for card testing, and less for brute-force attacks.

You could also look at using Cloudflare Access to restrict access to WordPress admin backend, it's a double authentication but would help even further.

How to Use Cloudflare Zero Trust For WordPress Login Pages
These are the steps for protecting your WordPress login page using Cloudflare Zero Trust and eliminate login spam once and for all.
www.wp-tweaks.com

You could also still enable fail2ban here with GridPane, or the Limit Login Attempts plugin, if someone is targeting you specifically to brute force your admin login.

I really only use Wordfence for its live patching firewall: if a plugin does have a security issue that can be actively exploited, Wordfence will live patch and the attack will fail. But it won't protect the site if Wordfence doesn't know about the security issue. So just be aware of that; there are lots of ways a plugin with a security issue can make it onto a site, e.g. clients uploading plugins, a plugin that hasn't been updated due to a license expiring, etc.

I don't tend to enable malware scanning due to the added resources it requires. Right now, malware scanning for WordPress is inefficient; the two options available are either a plugin scanning your system or a malware scan done through a backup service where the malware scan is offloaded and done by the backup vendor on their servers. The ideal solution is that malware scanning is implemented on your hosting provider and done using an efficient scanning engine that only adds a small amount of overhead.

Security is important; ensure it's done efficiently and as uncomplicated as possible.

Changelog

  • 08-10-2022 - Improved rules overall, condensed rules and labelled them appropriately.
  • 08-11-2022
    • Fixed issue with an animated GIF showing how to drag and drop rules.
    • Added a quote on how to use Cloudflare ordering and priority.
    • Added "Google Crawl Errors" section
    • Added GitHub repository for rules.
  • 08-25-2022 - Blocked xmlrpc.php