Common WordPress Cloudflare WAF (Web Application Firewall) Rules

Content Error or Suggest an Edit

Notice a grammatical error or technical inaccuracy? Let us know; we will give you credit!


If you’re using Cloudflare’s WAF, then you’ve probably got a good amount of rules already setup or maybe just one. The following article provides a number of common Cloudflare WAF (Web Application Firewall) rules that you can use on your site.

Please Read Before you Deploy Any WAF Rules

  1. The following rules have been tested individually and combined with other rules successfully. However, you may encounter problems with the below rules due to a number of circumstances. Always test the following rules with no other rules enabled and an or/and conditions.
  2. Make sure that you utilize the Security->Events log when troubleshooting your rules.
  3. If you wish to receive support on any of these rules. Please utilized our forum at

Managing WP’s Common WordPress Cloudflare Rules

Below is Managing WP’s list of WordPress Cloudflare Rules that we’ve collected over the years. We will credit ones that we’ve found by other authors, if you see your rule and it’s not credited, please reach out.



You can block xmlrc.php request quite easily with the below rule. However, be aware that you will want to consider combining all your block rules together in a single rule. Otherwise you might hit the 5 rule limitation really quick.

(http.request.uri.path eq “/xmlrpc.php”) 

WordPress Mobile App

If you’re blocking xmlrpc.php because of attackers, but want to allow the use of the WordPress mobile app. Then you can add the following to your allow rule.

(http.user_agent contains "wp-iphone") or (http.user_agent contains "wp-android")


  • 11-15-2023 – Initial blog post.

You May Also Like