Table of Contents
Content Error or Suggest an Edit
- Rant, Cloudflare Bot Fight Mode doesn’t provide firewall bypass or whitelist?
- Using Cloudflare Without Changing your Name Servers
- Cloudflare 520 Errors Explained and Investigated
- Secure, Protect and Lock Down your WordPress site with Cloudflare Custom WAF Rules (was Firewall Rules)
- Protecting the WordPress Admin Login with Cloudflare
- Testing and Reviewing Cloudflare Firewall and WAF Rules
- Common WordPress Cloudflare WAF (Web Application Firewall) Rules
If you’re using Cloudflare’s WAF, then you’ve probably got a good amount of rules already setup or maybe just one. The following article provides a number of common Cloudflare WAF (Web Application Firewall) rules that you can use on your site.
- The following rules have been tested individually and combined with other rules successfully. However, you may encounter problems with the below rules due to a number of circumstances. Always test the following rules with no other rules enabled and an or/and conditions.
- Make sure that you utilize the Security->Events log when troubleshooting your rules.
- If you wish to receive support on any of these rules. Please utilized our forum at https://forums.managingwp.io/c/technical-topics/cloudflare/20
Below is Managing WP’s list of WordPress Cloudflare Rules that we’ve collected over the years. We will credit ones that we’ve found by other authors, if you see your rule and it’s not credited, please reach out.
You can block xmlrc.php request quite easily with the below rule. However, be aware that you will want to consider combining all your block rules together in a single rule. Otherwise you might hit the 5 rule limitation really quick.
(http.request.uri.path eq “/xmlrpc.php”)
If you’re blocking xmlrpc.php because of attackers, but want to allow the use of the WordPress mobile app. Then you can add the following to your allow rule.
(http.user_agent contains "wp-iphone") or (http.user_agent contains "wp-android")
- 11-15-2023 – Initial blog post.