Secure, Protect and Lock Down your WordPress site with Cloudflare Custom WAF Rules (was Firewall Rules)

Originally published at: Secure, Protect and Lock Down your WordPress site with Cloudflare Custom WAF Rules (was Firewall Rules) - Managing WP - All about Managing WordPress

Attention – Always Test! Ensure you test your Cloudflare rules after implementation, as they can block some services such as backups, monitoring and management services. Also, make sure to use a VPN to test country blocks. …

Comment Import:

Rob Barrett
5 months ago
Out of interest, why do you go for a JS challenge over managed challenge for the GEO checks?

At the moment I have my GEO and /wp-admin etc all in one rule with managed challenge.

Thanks

Rob Barrett
5 months ago
Looking at this further, seems Managed Challenge can offer up a JS challenge if it thinks it’s appropriate.

…Also, was just wondering if the ne “/wp-admin/admin-ajax.php” should be ‘not contain’, rather than ‘not equal’ as it’s just a section of the URL?

Jordan
5 months ago
So for challenges, pick what works for you. At the time of this writing I made a choice, and really didn’t think about it fully. I’ve now updated the article to use a Managed Challenge for GEO.

I also think that you should use an Interactive Challenge for protecting /wp-admin if it’s just you or a few people accessing it; this would require solving regardless and is more aggressive. It also requires two rules then, so if you need more rules, use Managed Challenge for both GEO and /wp-admin. Again, this is just what I think is a good base; change it as needed to fit your requirements :slight_smile:

Another reason why I don’t combine my rules is for analytics :wink: For pro accounts it’s great, but with only 5 rules on free it’s not efficient.

…Also, was just wondering if the ne “/wp-admin/admin-ajax.php” should be ‘not contain’, rather than ‘not equal’ as it’s just a section of the URL?
Both would work; I prefer a strict match versus a partial one when possible, maybe OCD? There would never be an instance where admin-ajax.php would live anywhere else other than wp-admin and be considered normal. I just don’t like to do contains that often.
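
As an added example (not code from the original thread or the article), the following Python model compares the two exemption variants Rob and Jordan discuss. It assumes the /wp-admin rule matches on http.request.uri.path (the path without the query string), that `ne` is an exact comparison and `contains` a plain substring test; the request paths are constructed samples.

```python
"""Model of a Cloudflare custom WAF rule protecting /wp-admin, with the
admin-ajax.php exemption written two ways:

  strict:   http.request.uri.path contains "/wp-admin/"
            and http.request.uri.path ne "/wp-admin/admin-ajax.php"
  contains: http.request.uri.path contains "/wp-admin/"
            and not http.request.uri.path contains "admin-ajax.php"

Assumed semantics: uri.path excludes the query string, `ne` is an exact
string compare, `contains` is a substring test. Sample URIs are constructed.
"""
from urllib.parse import urlsplit

ADMIN_AJAX = "/wp-admin/admin-ajax.php"


def uri_path(raw_uri: str) -> str:
    """Model http.request.uri.path: path component only, query dropped."""
    return urlsplit(raw_uri).path


def rule_strict(raw_uri: str) -> bool:
    """True when the challenge fires (exemption via `ne`, exact match)."""
    p = uri_path(raw_uri)
    return "/wp-admin/" in p and p != ADMIN_AJAX


def rule_contains(raw_uri: str) -> bool:
    """True when the challenge fires (exemption via `not contains`)."""
    p = uri_path(raw_uri)
    return "/wp-admin/" in p and "admin-ajax.php" not in p


def compare(raw_uris):
    """Return the URIs the two variants treat differently. Every such URI is
    one that `not contains` exempts from the challenge but `ne` does not."""
    return [u for u in raw_uris if rule_strict(u) != rule_contains(u)]


# Constructed sample requests: the only legitimate exemption is the first.
SAMPLE_URIS = [
    "/wp-admin/admin-ajax.php?action=heartbeat",  # exempt under both
    "/wp-admin/",                                 # challenged under both
    "/wp-admin/options.php",                      # challenged under both
    "/wp-admin/foo/admin-ajax.php",               # exempt only with `contains`
    "/wp-admin/admin-ajax.php.bak",               # exempt only with `contains`
    "/wp-login.php",                              # not a /wp-admin path
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:45} strict={rule_strict(uri)!s:5} contains={rule_contains(uri)}")
    print("exempted only by `not contains`:", compare(SAMPLE_URIS))
```

The exact-match form exempts precisely one path, which is why it is the safer default for a rule whose whole purpose is to challenge everything else under /wp-admin/.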

Rob Barrett
5 months ago
Thanks Jordan for the insight, much appreciated. I’ve added all this to my site build workflow, so it is super helpful.

Jordan
5 months ago
No worries, glad it helps!