How to Use Cloudflare Firewall Rules to Protect Your Websites
July 27, 2021

In this article, we will discuss how to use Cloudflare Firewall Rules to protect your web application. Cloudflare has been absorbing DDoS attacks and speeding up websites for roughly a decade, and its firewall features now let you filter individual HTTP requests at the edge, before they ever reach your server.

What is a Firewall?

A firewall is a network security device that monitors incoming and outgoing network traffic and allows or blocks data packets based on a set of security rules.

What Are Cloudflare Firewall Rules?

Cloudflare Firewall Rules filter HTTP requests on Cloudflare's network, before they reach your origin server. Each rule pairs an expression that inspects the request (path, user agent, source country, Cloudflare's bot and threat-score signals, and so on) with an action: block, challenge, log or allow. Because the rules run at the edge they are fast, and because the expression language is flexible you get fine-grained control over which requests are allowed to reach your web application.

Firewall Rules are fully integrated with the rest of the Cloudflare dashboard: every request a rule acts on is recorded in the Firewall Events log, which is the first place to look when a rule behaves unexpectedly.

Cloudflare Firewall Rules are made up of two parts:

  1. Matching
  2. Actions

Matching

The matching expression defines precisely which requests a rule applies to. You can match on the visitor's country or continent, the source IP address, the requested path, the user agent, Cloudflare's verified-bot flag and threat score, and you can combine conditions with and, or and not.

Actions

The action tells Cloudflare what to do with a request that matches the expression: Block, Challenge (CAPTCHA), JS Challenge, Allow, Bypass or, on Enterprise plans, Log. Redirecting visitors to a location-specific page is not a Firewall Rules action; that is done with Page Rules or Workers.

Various examples of how you can use Cloudflare Firewall Rules

Let's discuss some basic examples of how you can use Cloudflare Firewall Rules to protect your website against online attacks.

  1. Secure your WordPress site with a CAPTCHA
  2. Block access to xmlrpc.php
  3. How to block particular countries from visiting your site
  4. How to prevent bad bot traffic from coming to your site
  5. How to block a particular continent from visiting your site
  6. Show a CAPTCHA on any page
  7. Protect the WordPress admin (wp-admin) area
  8. Set a Cloudflare Threat Score threshold

How to access Firewall Rules in Cloudflare

Before moving on, let's see how to reach the Firewall Rules screen inside Cloudflare.

Log in to your Cloudflare account with your credentials and, from the dashboard, select the domain (zone) for which you want to create these rules. The dashboard layout changes from time to time, so the screens may differ slightly from what is described here.

From the top bar, click Firewall and then the Firewall Rules tab. (In newer dashboard layouts the same rules live under Security > WAF.)

On this screen the Create a Firewall Rule button opens the rule editor. The same screen lists your existing rules and lets you view, enable, disable, edit and delete them.

Note: Cloudflare also offers Managed Rules, which are written and maintained by Cloudflare's own team, but they are not available on the Free plan. If you would rather not maintain your own rules, upgrading your plan gets you the managed rulesets.

We will now discuss some examples of how we can create basic rules and secure our websites.

Secure your WordPress site with a CAPTCHA

A CAPTCHA test is one way to distinguish human visitors from automated clients.

Here we create a rule that puts a CAPTCHA in front of the WordPress login, XML-RPC and admin endpoints for visitors outside your own country.

If you have followed the procedure above, you are on the Create Firewall Rule screen; click Edit expression.

In the Expression Editor field, paste the following. Use straight double quotes: curly quotes copied from a web page are not valid in the expression language, and a stray space inside a quoted path makes that clause match nothing.

((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) and ip.geoip.country ne "US"

Replace "US" with the two-letter country code of the place your administrators log in from, or drop the ip.geoip.country clause to challenge everyone. /wp-admin/admin-ajax.php is excluded because many themes and plugins call it from the front end for logged-out visitors, and a CAPTCHA in front of an AJAX endpoint would break those features; /wp-admin/theme-editor.php is excluded because a later rule in this article blocks it outright.

From the Choose an action drop-down select Challenge (Captcha) and press Deploy.

Cloudflare Firewall Rules edits

Block access to xmlrpc.php

XML-RPC is WordPress's legacy remote API. It is still used by the official mobile apps, Jetpack and some remote-publishing clients, but it is also a favourite target: its system.multicall method lets an attacker try hundreds of passwords in a single request, and its pingback method has been abused for DDoS amplification.

If you only ever publish from the WordPress admin and do not rely on Jetpack or the mobile apps, it is safe to block XML-RPC at the edge.

Note: the CAPTCHA rule above already covers xmlrpc.php, but only for visitors outside your country. If you do not want to use a CAPTCHA, or you want xmlrpc.php blocked for everyone, create this rule on its own.

If you have followed the procedure above, you are on the Create Firewall Rule screen; click Edit expression.

In the Expression Editor field, paste the following:

(http.request.uri.path contains "/xmlrpc.php")

This time choose Block from the Choose an action drop-down and click Deploy. After deploying, watch the Firewall Events log for a day or two: if a legitimate client such as Jetpack shows up there, add an exception for it rather than removing the rule.

How to block particular countries from visiting your site

You can block one country or many, or allow only a single country. In this example I block every country except Canada.

Provide the following on the Create Firewall Rule screen:

  1. Rule Name: Enter a rule name of your choice.
  2. Field: From the drop-down, choose Country.
  3. Operator: From the drop-down, choose does not equal.
  4. Value: From the drop-down, choose Canada.
  5. In the last section, from the Action drop-down select Block, and then click the blue Deploy button.

Geolocation is derived from the source IP address, so this is a coarse control: a visitor behind a VPN or proxy in Canada gets through, and a legitimate Canadian user travelling abroad is blocked.

How to prevent bad bot traffic from coming to your site

Bad bots are automated clients that scrape content, stuff stolen credentials into login forms, post spam, commit ad fraud or probe for vulnerabilities. By some estimates about 40% of internet traffic is generated by bad bots.

The rule below blocks clients by their user-agent string. Keep two things in mind. The User-Agent header is set by the client and is trivially spoofed, so this stops lazy scrapers rather than determined attackers. And the contains operator is case-sensitive, which is why the rule lists both "crawl" and "Crawl", "bot" and "Bot"; the cf.client.bot field (Cloudflare's verified-bot flag) is used to exempt known good crawlers from those generic matches.

If you have followed the procedure above, you are on the Create Firewall Rule screen; click Edit expression.

In the Expression Editor field, paste the following:

(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)

This time choose Block from the Choose an action drop-down and click Deploy.

Set Known Bots

When you filter bot traffic with Cloudflare, be careful not to block known good bots. Cloudflare's verified-bot list (the cf.client.bot field) covers crawlers from Apple, Bing, Google, LinkedIn and SEO tools such as Ahrefs. Note that the rule above names several legitimate crawlers explicitly (Yandex, Baiduspider, Sogou, AhrefsBot, SemrushBot) and only applies the cf.client.bot exemption to the generic "bot", "crawl" and "spider" matches, so those named crawlers are blocked regardless of verification. It also blocks "CFNetwork", the HTTP stack used by native iOS and macOS apps. Remove any entry that your visitors, your SEO tooling or your search-engine presence depends on before you deploy.
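The rules in this article are plain text pasted into a web form, and a copy-paste slip (curly quotes, a stray space inside a quoted path) silently produces a rule that fails to save or never matches. The following added example, which is not from the article or from Cloudflare, is a small offline evaluator for a subset of the Firewall Rules expression language: it parses an expression with Cloudflare's precedence (not, then and, then or), evaluates it against a request described as a dict of Cloudflare field names, and returns the action of the first matching rule. It carries the CAPTCHA rule from above verbatim and a representative subset of the bad-bot rule's clauses; the country and continent rules use the same ne/eq operators. The request dicts are constructed test data, and first-match-wins ordering is an assumed simplification of Cloudflare's evaluation, not a statement about its engine.

```python
# Added example (not the article's code): offline evaluator for a subset of the Cloudflare
# Firewall Rules expression language, so rules can be unit-tested before deployment.  A
# simplified re-implementation, NOT Cloudflare's engine: dotted fields, "string"/integer
# literals, eq ne contains gt ge lt le, bare boolean fields, and/or/not (not > and > or), parens.
import operator
import re

TOKEN_RE = re.compile(r'\s*(?:([()])|"([^"]*)"|(\d+)|([A-Za-z_][\w.]*))')
OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt, "ge": operator.ge,
       "lt": operator.lt, "le": operator.le, "contains": lambda a, b: b in a}

def tokenize(expr):
    """(kind, value) tokens; anything unmatched, e.g. a curly quote, is a SyntaxError."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise SyntaxError(f"bad input at offset {pos}: {expr[pos:pos + 20]!r}")
        pos = m.end()
        paren, s, n, ident = m.groups()
        tokens.append((paren, None) if paren else ("str", s) if s is not None
                      else ("num", int(n)) if n is not None else ("id", ident))
    return tokens

def parse(expr):
    """AST: ('or'|'and', l, r), ('not', x), ('bool', field), ('cmp', op, field, literal)."""
    toks, pos = tokenize(expr) + [("eof", None)], 0

    def take(kind=None):
        nonlocal pos
        if kind and toks[pos][0] != kind:
            raise SyntaxError(f"expected {kind} at token {pos}, got {toks[pos]}")
        pos += 1
        return toks[pos - 1]

    def chain(word, below):                  # left-associative 'or' / 'and' chains
        node = below()
        while toks[pos] == ("id", word):
            take()
            node = (word, node, below())
        return node

    def unary():
        if toks[pos] == ("id", "not"):
            take()
            return ("not", unary())
        if toks[pos][0] == "(":
            take()
            node = chain("or", lambda: chain("and", unary))
            take(")")
            return node
        field = take("id")[1]
        if toks[pos][0] == "id" and toks[pos][1] in OPS:
            op, (lkind, lit) = take()[1], take()
            if lkind not in ("str", "num"):
                raise SyntaxError(f"expected a literal after {op}, got {lit!r}")
            return ("cmp", op, field, lit)
        return ("bool", field)               # bare boolean field such as cf.client.bot

    node = chain("or", lambda: chain("and", unary))
    take("eof")
    return node

def evaluate(node, req):
    """Evaluate an AST against a request: a dict keyed by Cloudflare field name."""
    op, *rest = node
    if op == "not":
        return not evaluate(rest[0], req)
    if op == "bool":
        return bool(req.get(rest[0], False))
    if op in ("or", "and"):
        left, right = (evaluate(n, req) for n in rest)
        return (left or right) if op == "or" else (left and right)
    cmp, field, lit = rest
    actual = req.get(field, "" if isinstance(lit, str) else 0)
    return OPS[cmp](actual, lit)             # contains is case-sensitive, as on Cloudflare

def is_valid(expr):
    """Parse check that catches copy-paste damage (curly quotes etc.) before deploying."""
    try:
        return parse(expr) is not None
    except SyntaxError:
        return False

def decide(rules, req):
    """Action of the first matching (expression, action) pair, in list order; None if none match."""
    for expr, action in rules:
        if evaluate(parse(expr), req):
            return action
    return None

# The article's CAPTCHA rule verbatim, and a representative subset of its bad-bot rule's clauses.
WP_CAPTCHA = ('((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php")'
              ' or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains'
              ' "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php"))'
              ' and ip.geoip.country ne "US"')
BAD_BOTS = ('(http.user_agent contains "CFNetwork") or (http.user_agent contains "python-requests")'
            ' or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl"'
            ' and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot"'
            ' and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot)')
RULES = [(WP_CAPTCHA, "challenge"), (BAD_BOTS, "block")]
```

Running decide over a handful of constructed requests shows what the prose alone does not: a request for /xmlrpc.php from the US is not challenged by the CAPTCHA rule (which is why the separate block rule matters), the user agent MYCRAWLER/1.0 slips past because contains is case-sensitive, a client that merely claims to be Googlebot is exempted by the "Google" substring whether or not cf.client.bot is set, and an iOS app's CFNetwork user agent is blocked.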

How to block a particular continent from visiting your site

You can block whole continents, or allow only one continent. In this example I block visitors from Asia.

Provide the following on the Create Firewall Rule screen:

  • Rule Name: Enter a rule name of your choice.
  • Field: From the drop-down, choose Continent.
  • Operator: From the drop-down, choose equals. (Choose does not equal instead if you want to allow only Asia and block everyone else.)
  • Value: From the drop-down, choose Asia.
  • In the last section, from the Action drop-down select Block, and then click the blue Deploy button.

Show a CAPTCHA on any page

Sometimes we only need to protect certain pages with a CAPTCHA challenge, for example a login, registration or search page that bots hammer.

Maybe we have hundreds of users on our website and want bots kept out of one specific page or area. Challenging requests there slows down brute-force attacks and reduces the load on the origin server.

  • Rule Name: Enter a rule name of your choice.
  • Field: From the drop-down, choose URI Path.
  • Operator: From the drop-down, choose contains.
  • Value: Add the path of the page, for example /wp-login.php.
  • In the last section, from the Action drop-down select Challenge (Captcha), and then click the blue Deploy button.

Note that a contains match on a short path fragment also matches every longer path that includes it; use equals when you mean one exact page.

Protect the WordPress Admin (wp-admin) Area

When you use WordPress, the admin dashboard is the most valuable and most attacked part of the site, so it needs protecting. There are many security plugins that harden wp-admin, but they run in PHP on your server and usually slow the site down.

Cloudflare Firewall Rules let you protect the wp-admin area at the edge, without spending your server's resources.

The approach here is to block two specific wp-admin endpoints: /wp-admin/admin-ajax.php (the AJAX entry point used by plugins) and /wp-admin/theme-editor.php (the built-in theme file editor, which lets anyone holding an administrator session write PHP into your theme). Blocking the theme editor is a good idea; the same result can be had inside WordPress with the DISALLOW_FILE_EDIT constant, and doing both costs nothing.

Be careful with admin-ajax.php: despite its name it is called from the front end by many themes and plugins for logged-out visitors (search, forms, lazy loading), so blocking it outright will break those features. Deploy that rule paused or with the Challenge action first, watch the Firewall Events log, and switch to Block only if nothing legitimate hits it. The CAPTCHA rule earlier in this article deliberately excludes admin-ajax.php for exactly this reason.

Create one rule for each endpoint.

Rule 1:

  • Rule Name: Enter a rule name of your choice.
  • Field: From the drop-down, choose URI Path.
  • Operator: From the drop-down, choose contains.
  • Value: Add /wp-admin/admin-ajax.php.
  • In the last section, from the Action drop-down select Block, and then click the blue Deploy button.

Rule 2:

  • Rule Name: Enter a rule name of your choice.
  • Field: From the drop-down, choose URI Path.
  • Operator: From the drop-down, choose contains.
  • Value: Add /wp-admin/theme-editor.php.
  • In the last section, from the Action drop-down select Block, and then click the blue Deploy button.

Set Cloudflare Threat Score

The Threat Score is another signal you can use in firewall rules. The field is cf.threat_score, a value from 0 to 100 that Cloudflare computes from its view of the source IP address's reputation. Cloudflare describes the values as follows:

  • 0 indicates low risk as determined by Cloudflare.
  • Values above 10 may represent spammers or bots.
  • Values above 40 point to bad actors on the Internet.
  • It is rare to see values above 60, so tune your firewall rules to challenge those above 10 and to block those above 50.

A rule on the threat score lets you challenge or block suspicious sources before they reach any particular path. Cloudflare's documentation on Threat Score and on the Security Level setting, which applies the same score site-wide, has more detail.
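The two wp-admin rules and the Threat Score thresholds above are the kind of configuration worth keeping in version control rather than clicking into a dashboard. The following added example, which is not from the article or from Cloudflare, creates them through the Cloudflare v4 Firewall Rules API, the API that was current when this article was written (it has since been deprecated in favour of the Rulesets API, so check the current reference before relying on it). It runs a pre-flight check on each rule, ships the admin-ajax.php rule paused so its matches can be reviewed in Firewall Events before it starts blocking, and reads the zone ID and API token from the CF_ZONE_ID and CF_API_TOKEN environment variables, which are assumed names. The rule descriptions and priorities are mine.

```python
# Added example (not the article's code): deploy this article's wp-admin and Threat Score
# rules as code through the Cloudflare v4 Firewall Rules API (POST /zones/{zone_id}/firewall/rules).
# That endpoint was current when the article was written and has since been deprecated in
# favour of the Rulesets API, so check the current API reference before relying on it.
# Zone ID and API token are read from CF_ZONE_ID and CF_API_TOKEN (assumed variable names).
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"
ACTIONS = {"block", "challenge", "js_challenge", "allow", "log", "bypass"}


def firewall_rule(description, expression, action, priority, paused=False):
    """One rule in the shape the Firewall Rules API accepts, with its filter created inline.
    Lower priority numbers are evaluated first."""
    return {"description": description, "action": action, "priority": priority, "paused": paused,
            "filter": {"expression": expression, "description": description}}


def wordpress_rules():
    """The article's two wp-admin rules plus the Threat Score thresholds it recommends.
    The admin-ajax.php rule ships paused: many themes and plugins call that endpoint from the
    front end for logged-out visitors, so review Firewall Events before enforcing it."""
    return [
        firewall_rule("Block theme editor",
                      'http.request.uri.path contains "/wp-admin/theme-editor.php"', "block", 1),
        firewall_rule("Block admin-ajax (review before enabling)",
                      'http.request.uri.path contains "/wp-admin/admin-ajax.php"', "block", 2, paused=True),
        firewall_rule("Block high threat score", "cf.threat_score gt 50", "block", 3),
        firewall_rule("Challenge suspicious threat score", "cf.threat_score gt 10", "challenge", 4),
    ]


def check(rules):
    """Pre-flight checks so a bad rule fails here rather than half-way through a batch: a known
    action, unique priorities (unambiguous order) and straight quotes only (curly quotes pasted
    from a web page are a common way to end up with an expression that does not parse)."""
    priorities = [r["priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    for r in rules:
        if r["action"] not in ACTIONS:
            raise ValueError(f"unknown action {r['action']!r} in rule {r['description']!r}")
        if any(q in r["filter"]["expression"] for q in "\u201c\u201d\u2018\u2019"):
            raise ValueError(f"curly quotes in expression of rule {r['description']!r}")
    return True


def deploy(zone_id, api_token, rules):
    """POST all rules in one request; returns the created rule objects (including their ids).
    The token needs the Zone > Firewall Services > Edit permission."""
    check(rules)
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/firewall/rules",
        data=json.dumps(rules).encode(),
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:    # 4xx/5xx bodies still carry Cloudflare's error list
        body = json.load(err)
    if not body.get("success"):
        raise RuntimeError(f"Cloudflare API errors: {body.get('errors')}")
    return body["result"]


if __name__ == "__main__":
    try:
        zone_id, api_token = os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]
    except KeyError as missing:
        sys.exit(f"set {missing} in the environment first")
    for rule in deploy(zone_id, api_token, wordpress_rules()):
        print(f'{rule["id"]}  {rule["action"]:<10} paused={rule["paused"]}  {rule["description"]}')
```

Deploying paused and promoting later is the safe rollout for any rule that might catch legitimate traffic: once a day or two of Firewall Events shows only requests you want stopped, set paused to false (in the script or in the dashboard) and the rule starts enforcing.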

Why Firewalls Matter for Your Website

Cloudflare Firewall Rules filter traffic before it reaches your server, which takes a large share of automated attacks off your origin entirely. WordPress powers a large fraction of the web and is attacked accordingly (by some estimates around 70% of WordPress sites run with known vulnerabilities), so an edge firewall is a cheap first line of defence.

Cloudflare also improves performance alongside security, for example by minifying HTML, CSS and JavaScript so pages load faster.

For active attacks, Cloudflare's "I'm Under Attack" mode presents every visitor with a JavaScript challenge before they reach the site, and the Rate Limiting feature lets you throttle clients that hit endpoints such as the login page too often. Cloudflare has a "rate-limiting" function which allows

These features also help your ranking, SEO, speed and the overall image of your product.

Habbi is the Lead Dev Engineer at CloudPages. He also loves to write about WordPress, SEO and Digital Marketing.


Comments

1 Comment

  1. EDERSON

    Why do you recommend blocking SemrushBot and AhrefsBot?

