Protect your WordPress Site with CloudFlare Firewall Rules

I'm going to explain how to protect your WordPress site with CloudFlare Firewall Rules so that you can stop relying on security plugins for the most common probing traffic.

CloudFlare Firewall Rules are custom rules that inspect every request at CloudFlare's edge, before it reaches your server, and block, challenge or allow it based on fields such as the URI path, the query string or the client IP. That lets you protect specific parts and files of your website without running any code on the site itself.

If you have a content site like mine, a few CloudFlare Firewall Rules will stop scanners before they ever touch your server, which is more than some WordPress security plugins manage (a plugin only gets to act after PHP has already started handling the request).

How to Protect PHP Files using CloudFlare

Your site must already be added to CloudFlare, with its DNS records proxied through CloudFlare, before any of this can work: the rules only see traffic that passes through CloudFlare. If your origin server's IP address is reachable directly, anyone who knows it can bypass these rules entirely, so restrict the origin to CloudFlare's IP ranges at the server firewall as well.

Open your site in the CloudFlare dashboard, go to the Firewall tab and then to Firewall Rules. (CloudFlare has since moved this feature to Security > WAF > Custom rules; the rule expression language described below is the same.)

The free plan lets you create up to five rules, which is enough for what follows.

This domain doesn't have any Firewall Rules yet, but the button to create your first rule is hard to miss.

Fill in the rule as follows:

  • The rule name can be whatever you want.
  • The "Field" dropdown offers many request fields; choose URI Path.
  • For Operator, choose "contains". Note that contains is a literal, case-sensitive substring match.
  • For Value, write .php
  • For Action, choose "Block".

This is how your CloudFlare Firewall rule should look:

The rule means that any request whose path contains the string .php is blocked. Because contains is case-sensitive, a request for .PHP would slip past it unless you add those variants as well, or wrap the field in lower() so the comparison is made against the lower-cased path.

That single rule covers wp-login.php, xmlrpc.php, wp-config.php (including stray backups such as wp-config.php.bak, which a web server would happily serve) and every other PHP file in your WordPress site, whether it exists or not, which is most of what scanners probe for. It also blocks a few PHP endpoints that real visitors and WordPress itself depend on: wp-admin/admin-ajax.php, which many themes and plugins call for logged-out visitors; wp-comments-post.php, which the default comment form submits to; and wp-cron.php when WordPress's loopback request to itself goes out through CloudFlare. Add exceptions for the ones you need, or watch the firewall events for them after deploying.

Create the rule, let it run, and check the Firewall Events log to see what it blocked. From a connection outside your allowlist (a phone on mobile data, for example) a request for wp-login.php should now return CloudFlare's block page instead of the login form.

Whitelisting your IP Address

Since that rule also blocks wp-login.php, you have to allowlist your own IP address (Firewall > Tools > IP Access Rules) so that you, and anyone else who needs to log in, are not locked out. Every other editor's IP needs the same treatment.

Add your IP address, choose Allow, apply it to all websites in your account (or only this one), and give the access rule any name you want.

Do the same for your server's own IP address. WordPress makes requests to itself (wp-cron.php, the loopback checks in Site Health, REST calls from the block editor), and if those go out through CloudFlare they hit the same rule. It may or may not be needed on your host, but it takes a few seconds and saves you from a confusing failure later.

If your home IP changes, repeat the process with the new address; on a dynamic IP you will end up doing this more often than you'd like, so keep the IP Access Rules page bookmarked.
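As an added example (not from the original post), here is the first rule rewritten so that it keeps the intent of blocking every PHP file but spares the endpoints that anonymous visitors and WordPress itself need, with the IP exception built into the expression itself rather than relying only on a separate IP Access Rule. The addresses 203.0.113.5 (home) and 198.51.100.20 (server) are placeholders; replace them with your own. The action stays Block.

```text
(lower(http.request.uri.path) contains ".php")
and not (
  http.request.uri.path eq "/wp-admin/admin-ajax.php"
  or http.request.uri.path eq "/wp-comments-post.php"
  or ip.src in {203.0.113.5 198.51.100.20}
)
```

Drop the wp-comments-post.php line if comments are closed, and drop the admin-ajax.php line if your theme and plugins never call it for logged-out visitors (the Firewall Events log will tell you). If you would rather not maintain an IP list at all, keep this rule for everything else and add a second rule that applies a challenge action, instead of Block, to requests whose path is exactly /wp-login.php.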

Creating More Rules

You can add more rules to discourage bots, but which paths to block depends on what your own logs show, so you will have to work that out yourself.

I don’t know what hackers and bots are looking for on your WordPress sites.

These are my rules. I call this one "Super Firewall" since it works for me.

(lower(http.request.uri.path) contains ".php") or
(http.request.uri.path contains ".zip") or (http.request.uri.path contains ".rar") or (http.request.uri.path contains ".tar") or (http.request.uri.path contains ".tgz") or (http.request.uri.path contains ".gz") or (http.request.uri.path contains ".7z") or (http.request.uri.path contains ".bz2") or
(http.request.uri.path contains ".bak") or (http.request.uri.path contains ".swp") or (http.request.uri.path contains ".out") or (http.request.uri.path contains ".dat") or (http.request.uri.path contains ".sql") or (http.request.uri.path contains ".mdb") or
(http.request.uri.path contains ".bat") or (http.request.uri.path contains ".cmd") or (http.request.uri.path contains ".exe") or (http.request.uri.path contains ".dll") or (http.request.uri.path contains ".bash") or (http.request.uri.path contains ".cgi") or (http.request.uri.path contains ".asp") or (http.request.uri.path contains ".jsp") or
(http.request.uri.path contains ".htacc") or (http.request.uri.path contains ".htpas") or (http.request.uri.path contains ".pass") or (http.request.uri.path contains ".cfg") or (http.request.uri.path contains ".ini") or (http.request.uri.path contains ".env") or (http.request.uri.path contains ".git") or (http.request.uri.path contains ".hg") or
(http.request.uri.path contains "/login") or (http.request.uri.path contains "/admin") or (http.request.uri.path contains "register") or (http.request.uri.path contains "account") or (http.request.uri.path contains "dashboard") or (http.request.uri.query contains "author=") or
(http.request.uri.path contains "new-site") or (http.request.uri.path contains "old-site") or (http.request.uri.path contains "cms") or (http.request.uri.path contains "old-wp") or (http.request.uri.path contains "upload_file") or (http.request.uri.path contains "vuln.htm") or
(http.request.uri.path contains "FCKeditor") or (http.request.uri.path contains "graphql") or (http.request.uri.path contains "allowurl") or (http.request.uri.path contains "null") or (http.request.uri.path contains "trackback") or (http.request.uri.path contains "humans.txt") or (http.request.uri.path contains "/localhost") or (http.request.uri.path contains "var/log") or (http.request.uri.path contains "security.txt") or
(http.request.uri.path contains "database") or (http.request.uri.path contains "ftp") or (http.request.uri.path contains "xxxss") or (http.request.uri.path contains "bak") or (http.request.uri.path contains "bk") or (http.request.uri.path contains "tmp") or (http.request.uri.path contains "changelog") or (http.request.uri.path contains "debug") or (http.request.uri.path contains "download") or (http.request.uri.path contains "undefined") or (http.request.uri.path contains "/https:/") or
(http.request.uri.path contains "dbweb") or (http.request.uri.path contains "xampp") or (http.request.uri.path contains "PMA") or (http.request.uri.path contains "pma") or (http.request.uri.query contains "pubkey") or (http.request.uri.query contains "/blank") or (http.request.uri.path contains "staging") or (http.request.uri.path contains "magento") or
(http.request.uri.path contains "2018/wp") or (http.request.uri.path contains "2019/wp") or (http.request.uri.path contains "site/wp") or (http.request.uri.path contains "/demo/wp") or (http.request.uri.path contains "/old/wp") or (http.request.uri.path contains "/v1/wp") or (http.request.uri.path contains "/oldsite") or
(http.request.uri.path contains "/portal") or (http.request.uri.path contains "drupal.js") or (http.request.uri.path contains "/dev") or (http.request.uri.path contains "/wallet") or (http.request.uri.path contains "/mariadb") or (http.request.uri.path contains "/db")

Create a rule, switch from the visual builder to the expression editor ("Edit expression") and paste the expression above. Two details matter here: contains is case-sensitive, which is why the .php term is wrapped in lower() instead of listing .PHP and .PhP as separate terms; and http.request.uri.query does not include the leading question mark, so the author-enumeration check has to look for author= (a condition on "?author" would never match). The line breaks are only there for readability; CloudFlare accepts the expression with or without them.

Deploy it, watch the Firewall Events log for a few days, and remove any term that blocks something your visitors actually use. The broad substrings are the ones to check first: download, account, register, tmp, /dev or /db will match perfectly ordinary URLs (a post slug containing "download", a WooCommerce /my-account/ page), because contains matches anywhere in the path, not just at the start of a file name.

As far as I know, real visitors are not looking for those kinds of things. If you have a content site, I don't see why somebody would visit links containing those words.
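Before deploying either the simple .php rule or the long "Super Firewall" list, it is worth dry-running the rule against URLs your site actually serves. The script below is an added example (not code from the post or from CloudFlare): it re-implements the substring semantics of a contains rule in Python and runs a representative subset of the terms above against a handful of constructed sample URLs, so you can see which legitimate requests would be blocked, how the admin-ajax.php exception and lower() change the verdict, and why the original "?author" condition never matched. The sample URLs and the example.com host are made up for the example; the script makes no network calls.

```python
"""Dry-run a Cloudflare 'contains'-style block rule against sample URLs.

Added example, not part of the original post.  It does not talk to
Cloudflare; it re-implements the substring semantics of the post's rules
so you can see what a rule would block *before* deploying it.
"""
from urllib.parse import urlsplit

# Substrings the post's "Super Firewall" checks against the URI path
# (a representative subset; the full list is in the post).
PATH_NEEDLES = [
    ".php", ".zip", ".bak", ".sql", ".env", ".git",
    "/login", "/admin", "register", "account", "dashboard",
    "download", "debug", "tmp", "/dev", "/db",
]

# Substrings checked against the query string.  Cloudflare's
# http.request.uri.query does NOT include the leading "?", so a
# condition on "?author" can never match; "author=" does.
QUERY_NEEDLES_ORIGINAL = ["?author"]
QUERY_NEEDLES_FIXED = ["author="]


def would_block(url, query_needles=QUERY_NEEDLES_FIXED, case_insensitive=True):
    """Return the first needle that matches, or None if the request passes.

    case_insensitive=True models wrapping the path in lower(); with False
    the match is literal and case-sensitive, as a bare `contains` is.
    """
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    if case_insensitive:
        path = path.lower()
    for needle in PATH_NEEDLES:
        if needle in path:
            return needle
    for needle in query_needles:
        if needle in query:
            return needle
    return None


def allowed_by_exception(url, excepted_paths=("/wp-admin/admin-ajax.php",)):
    """Model an `and not (http.request.uri.path eq ...)` exception."""
    return urlsplit(url).path in excepted_paths


def dry_run(urls):
    """Classify each sample request as blocked, excepted, or passed."""
    report = {}
    for url in urls:
        hit = would_block(url)
        if hit and allowed_by_exception(url):
            report[url] = "excepted"
        elif hit:
            report[url] = "blocked by %r" % hit
        else:
            report[url] = "passed"
    return report


# Constructed sample requests: two scanner probes, two things WordPress
# needs, and a few ordinary content-site URLs that collide with broad terms.
SAMPLE_URLS = [
    "https://example.com/wp-login.php",
    "https://example.com/WP-LOGIN.PHP",
    "https://example.com/wp-admin/admin-ajax.php?action=load_more",
    "https://example.com/.env",
    "https://example.com/?author=1",
    "https://example.com/2020/05/where-to-download-my-ebook/",
    "https://example.com/my-account/",
    "https://example.com/2020/05/hello-world/",
]

if __name__ == "__main__":
    for url, verdict in dry_run(SAMPLE_URLS).items():
        print("%-65s %s" % (url, verdict))
```

Feed it the paths from your own access log or sitemap instead of SAMPLE_URLS; anything that comes back "blocked" for a URL you expect visitors to open is a term to drop from the expression.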

In the Overview tab (Firewall Events) you can see which requests the rule blocked, from which IPs, and which term of the expression matched.

Conclusion

I hope this has been useful. If you still want to use a security plugin, pick a really light one and follow the other common security measures.

No security measure will protect you 100% if you make stupid mistakes regarding the security of your WordPress site.

If you use nulled plugins, or your computer is full of pirated software, you will get what you deserve sooner or later.

If you have a horrible hosting provider, you can get what you paid for sooner or later.

About José Manuel

I'm José Manuel. I started a blog in 2011 as a hobby and to use it in my classes, and little by little I fell in love with WordPress. I hope something of what I've written is useful to you.

RevistaWP

RevistaWP is a site where I record my thoughts and discoveries about everything that happens in the WordPress world.

You can find content in English and Spanish.

Contact

You can contact me through the following channels.