Essential Cloudflare WAF Rules for WordPress
Like you, I hate dealing with WordPress spam. Here are the two Cloudflare WAF rules that I use on all of my clients' WordPress websites. Note: I did source these rules/settings from a few websites I found, I just combined them into one rule.
Select the domain in your Cloudflare account, choose Security in the sidebar and then WAF.
Click the blue “Create rule” button.
WP Base Security
The first rule I call "WP Base Security".
Here is the expression you can use. Click "Edit expression" to switch from the builder to the text field, then paste it in. Make sure the quotes stay plain ASCII double quotes ("); if your editor or browser turns them into curly quotes the expression will not validate.
(cf.threat_score gt 0) or (ip.geoip.country ne "US" and http.request.uri.path contains "/wp-login") or (http.request.uri contains "/wp-admin/admin-ajax.php" and http.request.method eq "POST" and not http.referer contains "DOMAIN.COM") or (http.request.uri contains "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "DOMAIN.COM") or (http.user_agent contains "ninja") or (http.user_agent contains "attackbot") or (http.user_agent contains "backdorbot")
Under "Then take action..." select "Block" and then click the blue "Save as Draft" button.
This returns you to the rule list; click the newly created rule to open it again.
Change both occurrences of "DOMAIN.COM" to the primary domain of the WordPress website.
If you live outside of the US, change the country to wherever you need, using the two-letter country code (for example "GB" or "DE"). This part of the rule blocks access to the WP login form from every country except the selected one.
Click the blue "Deploy" button to activate the rule. A request is blocked when it matches any of the clauses: a non-zero Cloudflare threat score, a login request from outside the chosen country, a POST to admin-ajax.php or wp-comments-post.php whose Referer does not contain your domain, or one of the listed user-agent strings. Two caveats: "contains" is case-sensitive in the rules language, so "Ninja" would slip past unless you wrap the field as lower(http.user_agent); and the Referer check will also block legitimate front-end AJAX or comment submissions from browsers that send no Referer at all (a strict Referrer-Policy does this), so check your blocked events after deploying.
Challenge WP Login
The next rule we are going to make will present a challenge to anyone accessing the WP Login form.
Follow the same steps as before to create a new rule and name this one “Challenge WP Login”
Here is the expression you can use:
(http.request.uri.path contains "/wp-login.php")
Set the “Then take action…” to Managed Challenge.
Deploy this rule and make sure it sits below the "WP Base Security" rule in the list. Custom rules are evaluated from top to bottom and Block is a terminating action, so with the block rule first a request it matches is dropped outright; with the order reversed, a visitor from a blocked country would be offered a challenge instead of being blocked.
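If you manage more than a handful of sites, clicking through the dashboard for each one gets old. The script below is an added example, not from the original post, that builds the same two rules in the same order and pushes them with Cloudflare's Rulesets API (PUT to the zone's http_request_firewall_custom entrypoint). It assumes a zone-scoped API token with the "Zone WAF: Edit" permission in CF_API_TOKEN and the zone ID in CF_ZONE_ID; with those unset it only prints the payload. It goes slightly beyond the page's expression by wrapping the user-agent field in lower() so the bot-name matches are case-insensitive. One thing to know before running it: the entrypoint PUT replaces every custom rule already in the zone, so fold any existing rules into the list first.

```python
"""Deploy the two WordPress WAF rules from this post via the Cloudflare Rulesets API.

Added example; not code from the original post. Assumes CF_API_TOKEN (token with
"Zone WAF: Edit") and CF_ZONE_ID in the environment; nothing is sent otherwise.
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"
# Entry-point ruleset for custom rules. PUT replaces the zone's whole custom rule list.
ENTRYPOINT = "/zones/{zone}/rulesets/phases/http_request_firewall_custom/entrypoint"

# User-agent fragments from the post. Compared against lower(http.user_agent),
# so keep them lowercase.
BAD_UA = ("ninja", "attackbot", "backdorbot")


def base_wp_security(domain: str, country: str = "US") -> str:
    """The "WP Base Security" expression with the domain and country filled in.

    lower() makes the user-agent clauses case-insensitive; plain `contains`
    is case-sensitive in the Cloudflare rules language.
    """
    ua_clauses = " or ".join(f'(lower(http.user_agent) contains "{ua}")' for ua in BAD_UA)
    return (
        "(cf.threat_score gt 0) or "
        f'(ip.geoip.country ne "{country}" and http.request.uri.path contains "/wp-login") or '
        '(http.request.uri contains "/wp-admin/admin-ajax.php" and http.request.method eq "POST" '
        f'and not http.referer contains "{domain}") or '
        '(http.request.uri contains "/wp-comments-post.php" and http.request.method eq "POST" '
        f'and not http.referer contains "{domain}") or '
        + ua_clauses
    )


# The "Challenge WP Login" expression, unchanged from the post.
CHALLENGE_WP_LOGIN = '(http.request.uri.path contains "/wp-login.php")'


def build_rules(domain: str, country: str = "US") -> list:
    """Rules in evaluation order: Block first, so a request it matches is never
    offered a challenge by the second rule."""
    return [
        {
            "description": "WP Base Security",
            "expression": base_wp_security(domain, country),
            "action": "block",
        },
        {
            "description": "Challenge WP Login",
            "expression": CHALLENGE_WP_LOGIN,
            "action": "managed_challenge",
        },
    ]


def deploy(zone_id: str, token: str, rules: list) -> dict:
    """Replace the zone's custom rules with `rules`; returns the API response."""
    req = urllib.request.Request(
        API + ENTRYPOINT.format(zone=zone_id),
        data=json.dumps({"rules": rules}).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # WP_DOMAIN and WP_COUNTRY are assumed environment variables for this example.
    rules = build_rules(os.environ.get("WP_DOMAIN", "example.com"),
                        os.environ.get("WP_COUNTRY", "US"))
    print(json.dumps({"rules": rules}, indent=2))
    zone, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    if zone and token:
        result = deploy(zone, token, rules)
        print("success:", result.get("success"), "errors:", result.get("errors"))
```

Run it once with the credentials unset to eyeball the generated expressions, then export CF_ZONE_ID, CF_API_TOKEN and WP_DOMAIN and run it again to deploy. After deploying, the rules show up under Security > WAF > Custom rules in the dashboard exactly as if they had been created by hand, and the blocked/challenged events are visible in Security > Events.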