Introduction
Cloudflare sits in front of a WordPress site as a reverse proxy, so it can filter requests, shield sensitive endpoints and absorb attack traffic before it reaches the origin server. It also offers Under Attack Mode, a one-click setting that challenges every visitor, which is useful while a flood is in progress.
The free plan allows five custom WAF rules (the successor to the older Firewall Rules), so choose the ones that address your site's actual exposure rather than adding rules for their own sake.
This guide categorizes firewall rules into four main areas:
- Restricting access to sensitive WordPress endpoints
- Preventing spam in contact forms and comments
- Blocking malicious bots
- Limiting access by country or region
How to Create a Cloudflare Firewall Rule
- Log into Cloudflare and select your website.
- Go to Security > WAF > Custom rules (Firewall Rules were migrated into WAF custom rules; the fields and the expression syntax are unchanged).
- Click "Create rule", build the conditions with the Expression Builder or type them into the Expression Editor, choose an action (Block, Managed Challenge, Skip and so on) and deploy. The recommendations below give the conditions and the action for each rule.
Rule Consolidation
Cloudflare allows multiple conditions within a single rule, joined with And/Or and grouped with parentheses in the Expression Editor. Rules that share the same action (for example several Block rules) should be merged into one whenever possible to stay within the five-rule quota.
1. Restricting Access to WordPress Endpoints
Attackers routinely probe wp-login.php, /wp-admin/, xmlrpc.php and the /wp-content/ and /wp-includes/ directories: brute-force logins, abuse of XML-RPC, and scans for vulnerable plugins and themes. Restricting these endpoints removes most of that noise before it reaches your server.
Mass Lockdown of Key Endpoints
This rule blocks requests to xmlrpc.php, /wp-content/ and /wp-includes/ unless the Referer header contains your own domain. Assets loaded by one of your own pages carry such a Referer and pass; direct requests, hotlinks and most scanners do not. Two caveats: the Referer header is set by the client, so a deliberate attacker can add it trivially (this is a noise filter, not an access control), and blocking xmlrpc.php breaks anything that legitimately uses XML-RPC, such as Jetpack and the WordPress mobile apps.
Steps to Implement
- Create a new Firewall Rule in Cloudflare.
- Set the conditions (join the three URI Path conditions with Or, then add the Referer condition with And):
- Field: URI Path → Operator: Contains → Value: /xmlrpc.php
- Field: URI Path → Operator: Contains → Value: /wp-content/
- Field: URI Path → Operator: Contains → Value: /wp-includes/
- Field: Referer → Operator: Does not contain → Value: yourwebsite.com
- Set the action to Block and deploy the rule.
If your site serves downloadable files (e.g., PDFs) from /wp-content/, add a further condition to the same rule (Field: URI Path → Operator: Does not end with → Value: .pdf) rather than spending a second rule on the exception.
Restricting Access to /wp-admin/ and /wp-login.php
To cut off credential stuffing and brute-force logins, limit these paths to your own IP addresses (or, less precisely, to your own country), and exempt admin-ajax.php, which front-end plugins call on behalf of anonymous visitors.
Steps to Implement
- Create a new Firewall Rule in Cloudflare.
- Define the restrictions (group the URI Path conditions as: wp-login.php Or (wp-admin And Not admin-ajax.php); then And the IP Source condition):
- Field: URI Path → Operator: Contains → Value: /wp-login.php
- Field: URI Path → Operator: Contains → Value: /wp-admin/
- Field: URI Path → Operator: Not Equal → Value: /wp-admin/admin-ajax.php
- Field: IP Source → Operator: Is not in → Value: your_admin_ip (one or more addresses)
- Set the action to Block and deploy the rule.
If your team works from several locations, keep the addresses in a Cloudflare List and reference it from the rule (IP Source → Is not in → $your_list) rather than hard-coding them, or use IP Access Rules under Security > WAF > Tools. Home and mobile connections usually change address; for those, a Cloudflare Access policy in front of /wp-login.php is more robust than an IP list.
2. Preventing Spam (Contact Forms & Comments)
Spam is common in WordPress sites, often appearing in contact forms and comments. Cloudflare’s firewall can block automated spam bots before they reach your website.
Blocking Contact Form Spam
Cloudflare terminates the visitor's connection, so the HTTP version it sees is the one the client negotiated with Cloudflare. Current browsers speak HTTP/2 or HTTP/3, while many spam scripts still use HTTP/1.0 or HTTP/1.1, so challenging HTTP/1.x submissions removes a large share of form spam. Some legitimate clients (older corporate proxies, some assistive tools) are still on HTTP/1.1, so use Managed Challenge rather than Block, and limit the rule to POST so ordinary page views are unaffected.
Steps to Implement
- Create a new Firewall Rule in Cloudflare.
- Set the conditions (joined with And):
- Field: HTTP Version → Operator: In → Values: HTTP/1.0, HTTP/1.1, HTTP/1.2
- Field: URI Path → Operator: Equals → Value: /contact/ (the path your form posts to)
- Field: Request Method → Operator: Equals → Value: POST
- Field: Known Bots → Operator: Equals → Value: Off (exempts verified crawlers such as Googlebot and Bingbot)
- Set the action to Managed Challenge and deploy the rule.
Preventing Comment Spam
Spam bots often target wp-comments-post.php to flood websites with automated messages.
Steps to Implement
- Create a new Firewall Rule in Cloudflare.
- Set the conditions:
- Field: URI Path → Operator: Contains → Value: /wp-comments-post.php
- Set the action to Managed Challenge (or the older JavaScript Challenge).
- Deploy the rule to activate spam protection.
Comment spam is almost entirely posted by scripts that do not execute JavaScript, so a challenge stops it with no effect on human commenters. Bots that drive a headless browser can still pass a plain JavaScript Challenge; Managed Challenge applies additional checks and is the better default.
3. Blocking Malicious Bots
Some bots scrape website content, consume server resources, or attempt brute-force attacks. Cloudflare can block them by User-Agent, which works against bots that identify themselves honestly; a bot that spoofs a browser User-Agent is not caught this way, so pair this rule with Bot Fight Mode (Security > Bots), which is included in the free plan.
Steps to Implement
- Create a new Firewall Rule in Cloudflare.
- Set the conditions:
- Field: User-Agent → Operator: Contains → Value: [Name of bot]
- Repeat for multiple bots, joining the conditions with Or.
- Set the action to Block and deploy the rule.
If you already run the 7G Firewall (the .htaccess ruleset from Perishable Press), many bad bots are blocked at the web-server level; blocking them at Cloudflare additionally keeps those requests from reaching your origin at all.
4. Restricting Access Based on Geography
If your business serves only specific regions, blocking traffic from other countries can reduce spam, brute-force attempts, and bot activity.
Steps to Implement
- Create a new Firewall Rule in Cloudflare.
- Set the action to Block and use one of the following conditions (countries are matched by ISO 3166-1 alpha-2 code):
- To allow only specific countries: Field: Country → Operator: Is not in → Value: [Allowed countries]
- To block specific countries: Field: Country → Operator: Is in → Value: [Blocked countries]
- Deploy the rule to activate geographical filtering.
Be cautious with country-based blocking: it can lock out your hosting provider's monitoring, your support team, or yourself when travelling. Place an allowlist rule for trusted IP addresses (action: Skip) above the geo rule, and remember that geolocation is easily circumvented with a VPN or proxy, so treat it as a way to reduce noise rather than as a security boundary.
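The following is an added example, not code from the original guide and not Cloudflare's rule engine: a small Python model that assembles the rules from sections 1 to 4 into the five-rule budget described under Rule Consolidation and evaluates constructed requests against them, so the ordering and the exceptions (admin-ajax.php, the PDF exception, the admin allowlist ahead of the geo rule, and the spoofable Referer) can be checked before anything is deployed. Each rule carries the expression text you would paste into the Expression Editor next to the equivalent Python predicate. The domain example.com, the address 203.0.113.10, the list name $admin_ips, the bot names and the country set are assumptions; the model treats the first matching rule as decisive and a Skip as "skip remaining custom rules".

```python
"""Offline model of the five custom rules assembled in this guide (sections 1-4)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Assumed values; replace with your own. $admin_ips stands for a Cloudflare IP list.
SITE = "example.com"
ADMIN_IPS = {"203.0.113.10"}
ALLOWED_COUNTRIES = ("AT", "CH", "DE")
BAD_BOTS = ("MJ12bot", "AhrefsBot")            # placeholders for the guide's [Name of bot]
SENSITIVE = ("/xmlrpc.php", "/wp-includes/", "/wp-content/")


@dataclass
class Request:
    """A request as Cloudflare sees it. Defaults model an ordinary HTTP/2 visitor."""
    path: str
    ip: str = "198.51.100.7"
    country: str = "DE"
    method: str = "GET"
    version: str = "HTTP/2"
    referer: str = ""
    user_agent: str = "Mozilla/5.0"
    known_bot: bool = False                    # Cloudflare's "Known Bots" field, cf.client.bot


@dataclass
class Rule:
    name: str
    expression: str                            # text for the Expression Editor
    matches: Callable[[Request], bool]         # the same logic, in Python
    action: str                                # "skip", "block" or "managed_challenge"


def lockdown(r: Request) -> bool:
    """Section 1, rule 1: sensitive paths without a same-site Referer; PDFs excepted."""
    return (any(p in r.path for p in SENSITIVE)
            and SITE not in r.referer and not r.path.endswith(".pdf"))


def admin_area(r: Request) -> bool:
    """Section 1, rule 2: wp-login.php and /wp-admin/, except admin-ajax.php."""
    return ("/wp-login.php" in r.path
            or ("/wp-admin/" in r.path and "/wp-admin/admin-ajax.php" not in r.path))


def form_spam(r: Request) -> bool:
    """Section 2: HTTP/1.x POSTs to the contact page that are not from a known bot."""
    return (r.path == "/contact/" and r.method == "POST"
            and r.version in ("HTTP/1.0", "HTTP/1.1") and not r.known_bot)


# Same-action rules from the guide are merged with "or" to stay within the five-rule quota.
# The admin allowlist comes first so the geo rule cannot lock out the team (section 4 caveat).
RULES: List[Rule] = [
    Rule("admin allowlist", "ip.src in $admin_ips",
         lambda r: r.ip in ADMIN_IPS, "skip"),
    Rule("wordpress endpoints",
         '((http.request.uri.path contains "/xmlrpc.php"'
         ' or http.request.uri.path contains "/wp-includes/"'
         ' or http.request.uri.path contains "/wp-content/")'
         f' and not http.referer contains "{SITE}"'
         ' and not http.request.uri.path ends_with ".pdf")'
         ' or http.request.uri.path contains "/wp-login.php"'
         ' or (http.request.uri.path contains "/wp-admin/"'
         ' and not http.request.uri.path contains "/wp-admin/admin-ajax.php")',
         lambda r: lockdown(r) or admin_area(r), "block"),
    Rule("spam",
         'http.request.uri.path contains "/wp-comments-post.php"'
         ' or (http.request.uri.path eq "/contact/" and http.request.method eq "POST"'
         ' and http.request.version in {"HTTP/1.0" "HTTP/1.1"} and not cf.client.bot)',
         lambda r: "/wp-comments-post.php" in r.path or form_spam(r), "managed_challenge"),
    Rule("bad bots",
         " or ".join(f'http.user_agent contains "{b}"' for b in BAD_BOTS),
         lambda r: any(b in r.user_agent for b in BAD_BOTS), "block"),
    Rule("geo allowlist",
         "not ip.src.country in {" + " ".join(f'"{c}"' for c in ALLOWED_COUNTRIES) + "}",
         lambda r: r.country not in ALLOWED_COUNTRIES, "block"),
]


def within_quota(rules: List[Rule], limit: int = 5) -> bool:
    """Free plan: five custom rules."""
    return len(rules) <= limit


def decide(r: Request, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Custom rules run top to bottom; the first matching rule with a terminating
    action decides. A Skip set to skip the remaining custom rules lets the request through."""
    for rule in rules:
        if rule.matches(r):
            return rule.name, "allow" if rule.action == "skip" else rule.action
    return "none", "allow"


if __name__ == "__main__":
    samples = [  # constructed requests covering the edge cases discussed in the text
        Request("/wp-login.php"),
        Request("/wp-login.php", ip="203.0.113.10"),
        Request("/wp-admin/admin-ajax.php", method="POST"),
        Request("/wp-content/uploads/report.pdf"),
        Request("/wp-content/uploads/photo.jpg", referer="https://evil.test/?example.com"),
        Request("/contact/", method="POST", version="HTTP/1.1"),
        Request("/", country="US"),
    ]
    for s in samples:
        print(f"{s.path:35} {s.ip:15} {s.country} -> {decide(s)}")
```

Running the script prints one decision per sample. Note the hotlinked photo.jpg with a Referer of https://evil.test/?example.com is allowed: the "contains" check on a client-supplied header is exactly as weak as the section 1 caveat says, which is why that rule is worth having for noise reduction but not for protecting anything sensitive.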