In this article, we are going to explain how you can protect your WordPress website or any website for that matter using Cloudflare Firewall Rules.
What is Cloudflare Firewall Rules?
Cloudflare Firewall Rules is a firewall offered by Cloudflare which is a powerful and flexible security tool to filter website traffic.
Cloudflare Firewall Rules is available for all Cloudflare plans; the free plan can have up to 5 active Firewall Rules.
A Firewall Rule is made up of two parts:
- Matching: A defined filter that runs and match your traffic for a string or pattern
- Action: the action perform on the matched traffic (block, challenge, captcha, allow)
You can also order the firewall rules to override the default sequence which is based on the rule’s action.
Firewall Rules: Matching
Firstly, we have ‘Matching’. With this, you can match traffic to the HTTP request which includes options such as country, hostname, IP Address, URI, referrer, known bots, threat score and various other options.
Known bots (cf.client.bot) is a Cloudflare defined list of known good bots, which includes bots from Google, Apple, Bing, Linkedin, Pingdom, and Yahoo. You are recommended to add cf.client.bot in an Allowed rule to avoid blocking good crawlers which could affect your SEO and monitoring.
Cloudflare also has it’s own algorithm to calculate an IP Addresses reputation and assigns a value of the threat score which ranges from 0 to 100. This is used for Security Level settings under the Firewall which works as follows:
- High – for scores greater than 0
- Medium – for scores greater than 14
- Low – for scores greater than 24
- Essentially Off – for scores greater than 49
Regular Expression matching is supported for Cloudflare Business and Enterprise plans.
Firewall Rules: Action
With this, you can set to perform an action to filter matched traffic.
- Block: the traffic is blocked to reach your web application.
- JS Challenge: JavaScript challenge. Visitors do not have JavaScript support (mostly bots) will be blocked.
- Challenge (Captcha): Visitor is required to pass a captcha challenge to allow access.
Allow: Traffic is allowed to reach your web application.
Accessing Cloudflare’s Firewall Rules
Through the dashboard, you can set up all your desired rules, to do this, follow these steps:
- Login your Cloudflare dashboard
- Select the domain name you want to configure Firewall Rules
- Click Firewall from the tools at the top
- Click Firewall Rules
- Create a new Firewall Rule
- Search and filter the list of existing rules
- See a list of existing rules (active and paused)
- Activate or pause rules (turn on or off)
- Edit a rule
- Delete a rule
Here are some page rules you can use to protect your Website
Block certain Countries from visiting your website
Expression Editor:
(ip.geoip.country eq "RU") or (ip.geoip.country eq "HK")
In our example, we are going to block Russia and Hong Kong. You can add as many countries as you wish and then click the ‘OR’ button to add additional countries. You could for example block all countries except the United States for example, in which case we would just change the operator to does not equal and then set United States as the value.
WordPress Security
Expression Editor:
((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains " /wp-admin/theme-editor.php"))
This Firewall Rule will challenge all visitors that try to access WordPress xmlrpc.php, wp-login.php, and /wp-admin (except admin-ajax.php and theme-editor.php). A simple rule like this could block most hack attempts to your WordPress website.
Block bad spam bots using Expression Editor
Expression Editor:
(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)
This will create a long list of bots to block. It will block any non-known good bots traffic with a user agent that contain strings such as ‘crawl’, ‘bot’, ‘spider’, and a few other user agents.
Here we add the Firewall rule using the Expression Editor as shown above.
To do this, follow these steps:
- Click Create a Firewall Rule
- Give a Rule Name
- Click Edit expression
- Copy & Paste the expression into the text area
- Select Block action
- Click Deploy to activate the Firewall rule
Block and Challenge users with a certain Threat Score
We mentioned about threat score before, what we can do here is add a rule to challenge users with a threat score (let’s say above 10). Then we can block users with a threat score above 20 for example.
To do this, we would have to create two different rules as shown below. Firstly, we will create the rule to challenge users with a threat score of equal or greater than 10:
Expression Editor:
(cf.threat_score ge 10)
Secondly, we will block users with a threat score of greater than or equal to 20:
(cf.threat_score ge 20)
Checking your Cloudflare Firewall Rules
You can check your Firewall Rules by going to the Firewall Event Log (Firewall > Events), which will list the firewall events (allow, challenge, block) and their details.
Take note on the challenged and blocked events. You do not want to mistakenly block good traffic because of a wrongly configured Firewall rule.
Conclusion
From this, we have learned what a CloudFlare Firewall Rule is and how to configure it to filter traffic and protect your website. We have also gone through how the Expression Editor works for writing more complex firewall rules.
We sure hope you have found this tutorial useful. If you have any further suggestions for Firewall Rules, do let us know. If you need any assistance with this then get in touch by dropping a comment below.