Cloudflare - Your Website Security


When you manage your own website security, it is important to choose a trusted and reliable solution. Cloudflare is one of the most popular website security and performance services. It helps protect your website while also making it faster and more stable.

Choosing Cloudflare means:

  • Strong protection

  • Faster website performance

  • Better reliability

  • Improved security and trust


You can set up Cloudflare security rules to protect a WordPress website, especially the admin area. These rules help to reduce hacking attempts, bot abuse, and login attacks.

Here is a step-by-step guide using five custom rules plus one rate limiting rule, which together provide a good security baseline.

To set up security rules in Cloudflare, log in to your Cloudflare account.

Go to Security, then select Security Rules from the left-hand panel.



Click + Create rule to add a new rule.



In Cloudflare, you can create a rule with two different types of action: Block or Challenge.

  • Block means the request is completely denied. The visitor cannot access the website.

  • Challenge means the visitor must prove they are human before accessing the site, for example by completing a CAPTCHA.

When to use Block vs Challenge

  • Use Block for known malicious IPs or countries.

  • Use Challenge for suspicious traffic where real users might still need access.

All our websites should have the five custom rules and the rate limiting rule below applied. These rules are free of charge and provide effective protection and improved performance.


Here is the list of six rules to set up for each of our websites:

1. Block high-risk countries from /wp-admin - blocks access to /wp-admin only for visitors from selected high-risk countries:
  • Click the '+ Create rule' button and select 'Custom rules' from the drop-down list.
  • Enter the rule name "Block high-risk countries from admin".
  • Under 'When incoming requests match...', select Field "Country", Operator "is in" and Value "Brazil, China, India, Indonesia, Iran, Korea North, Pakistan, Russian Federation, Ukraine, Vietnam".
  • Add another condition with 'And': Field "URI Path", Operator "starts with", Value "/wp-admin".
  • Under 'Choose action', select "Block" from the drop-down list.
  • Under 'Select order', select "First".
  • Click 'Deploy' to apply the rule.

2. Block leaked passwords - if Cloudflare detects a leaked password in a login attempt at /wp-login.php, it blocks the request:
  • Click the '+ Create rule' button and select 'Custom rules' from the drop-down list.
  • Enter the rule name "Block leaked passwords".
  • Under 'When incoming requests match...', select Field "Password Leaked" and tick the checkbox for the Value.
  • Add the 'And' condition: Field "URI Path", Operator "equals", Value "/wp-login.php".
  • Under 'Choose action', select "Block".
  • Under 'Place at', choose 'Custom' for the select order, then in 'Select which rule this will fire after' select our previously defined rule "Block high-risk countries from admin".
  • Click 'Deploy' to apply the rule.

3. Block xmlrpc.php - blocks access to /xmlrpc.php.

Most websites do not need it enabled.

  • Click the '+ Create rule' button and select 'Custom rules' from the drop-down list.
  • Enter the rule name "Block xmlrpc.php".
  • Under 'When incoming requests match...', select Field "URI Path", Operator "equals", Value "/xmlrpc.php".
  • Under 'Choose action', select "Block".
  • Under 'Place at', choose 'Custom' for the select order, then in 'Select which rule this will fire after' select "Block leaked passwords".
  • Click 'Deploy' to apply the rule.

4. Challenge network admin - applies a Managed Challenge to requests under /wp-admin/network unless the user agent contains Wordfence:



  • Click the '+ Create rule' button and select 'Custom rules' from the drop-down list.
  • Enter the rule name "Challenge network admin".
  • Under 'When incoming requests match...', select Field "URI Path", Operator "starts with", Value "/wp-admin/network/".
  • Add the 'And' condition: Field "User Agent", Operator "does not contain", Value "Wordfence".
  • Under 'Choose action', select "Managed Challenge".
  • Under 'Select order', choose 'Custom', then in 'Select which rule this will fire after' choose "Block xmlrpc.php".
  • Click 'Deploy' to apply the rule.




5. Block Suspicious WordPress Admin Access - detects suspicious access attempts to the WordPress admin and login pages (and to URLs containing /?author=) and presents an interactive challenge, while excluding legitimate admin AJAX calls, admin-post requests, and traffic from Wordfence (a security plugin).



  • Click the '+ Create rule' button and select 'Custom rules' from the drop-down list.
  • Enter the rule name "Block Suspicious WordPress Admin Access".
  • Under 'When incoming requests match...', select Field "URI Path", Operator "equals", Value "/wp-admin".
  • Add the 'And' condition: Field "URI Path", Operator "does not contain", Value "/admin-ajax.php".
  • Add the 'And' condition: Field "URI Path", Operator "does not contain", Value "/admin-post.php".
  • Add the 'And' condition: Field "User Agent", Operator "does not contain", Value "Wordfence".
  • Then add an 'Or' condition:
  • Field "URI Path", Operator "equals", Value "/wp-login.php".
  • Add the 'And' condition: Field "URI Path", Operator "does not contain", Value "/admin-ajax.php".
  • Add the 'And' condition: Field "URI Path", Operator "does not contain", Value "/admin-post.php".
  • Add the 'And' condition: Field "User Agent", Operator "does not contain", Value "Wordfence".
  • Then add an 'Or' condition:
  • Field "URI Path", Operator "contains", Value "/?author=".
  • Add the 'And' condition: Field "URI Path", Operator "does not contain", Value "/admin-ajax.php".
  • Add the 'And' condition: Field "URI Path", Operator "does not contain", Value "/admin-post.php".
  • Add the 'And' condition: Field "User Agent", Operator "does not contain", Value "Wordfence".
  • Under 'Choose action', select "Interactive Challenge".
  • Under 'Select order', choose 'Custom', then in 'Select which rule this will fire after' select "Challenge network admin".
  • Click 'Deploy' to apply the rule.





6. Rate limit wp-login.php - this rule helps stop bots that try many password combinations quickly and other automated login attacks. If more than 3 requests hit that page within 10 seconds, Cloudflare treats it as suspicious and blocks the visitor.

  • Click the '+ Create rule' button and select 'Rate limiting rules' from the drop-down list.
  • Enter the rule name "Rate limit wp-login.php".
  • Under 'When incoming requests match...', select Field "URI Path", Operator "equals", Value "/wp-login.php".
  • Under 'When rate exceeds...', enter '3' for Requests and '10 seconds' for Period.
  • Under 'Choose action', select "Block".
  • For duration, select 10 seconds.
  • Under 'Place at', choose 'First' for the select order (if applicable).
  • Click 'Deploy' to apply the rule.
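To sanity-check what a given request would hit before deploying, here is an added offline model of the six rules above (a constructed example, not Cloudflare's engine or any Cloudflare code): each custom rule is a predicate over a simplified request, checked in the deployed order, plus a sliding-window counter for the rate limit. It assumes ISO country codes for the listed countries and a request dict with country, path, ua and password_leaked fields.

```python
"""Offline model of this guide's six Cloudflare rules (constructed example,
not Cloudflare's engine): predicates over a simplified request dict,
checked in deployed order, first match wins."""
from collections import deque
# ISO 3166 codes assumed for the countries listed in rule 1.
HIGH_RISK = {"BR", "CN", "IN", "ID", "IR", "KP", "PK", "RU", "UA", "VN"}

def not_ajax_post_or_wordfence(r):
    """The three 'And' exclusions repeated in every branch of rule 5."""
    return ("/admin-ajax.php" not in r["path"] and "/admin-post.php" not in r["path"]
            and "Wordfence" not in r["ua"])

RULES = [  # (name, action, predicate) in the order the guide deploys them
    ("Block high-risk countries from admin", "block",
     lambda r: r["country"] in HIGH_RISK and r["path"].startswith("/wp-admin")),
    ("Block leaked passwords", "block",
     lambda r: r["password_leaked"] and r["path"] == "/wp-login.php"),
    ("Block xmlrpc.php", "block", lambda r: r["path"] == "/xmlrpc.php"),
    ("Challenge network admin", "managed_challenge",
     lambda r: r["path"].startswith("/wp-admin/network/") and "Wordfence" not in r["ua"]),
    # Rule 5: three 'Or' branches, each with the same exclusions. Caveat: Cloudflare's
    # URI Path field excludes the query string, so the "/?author=" branch as written
    # in the UI cannot match a real ?author= request; it is reproduced as the guide gives it.
    ("Block Suspicious WordPress Admin Access", "interactive_challenge",
     lambda r: (r["path"] in ("/wp-admin", "/wp-login.php") or "/?author=" in r["path"])
               and not_ajax_post_or_wordfence(r)),
]

def evaluate(r):
    """Return (rule name, action) of the first matching custom rule, else None."""
    for name, action, pred in RULES:
        if pred(r):
            return name, action
    return None

class LoginRateLimiter:
    """Rule 6: a 4th hit on /wp-login.php from one IP within 10 s blocks it for 10 s."""
    def __init__(self, limit=3, period=10, block_for=10):
        self.limit, self.period, self.block_for = limit, period, block_for
        self.hits, self.blocked_until = {}, {}

    def allow(self, ip, path, now):          # now: seconds from any monotonic clock
        if path != "/wp-login.php":
            return True
        if now < self.blocked_until.get(ip, float("-inf")):
            return False
        window = self.hits.setdefault(ip, deque())
        while window and window[0] <= now - self.period:  # drop hits older than 10 s
            window.popleft()
        window.append(now)
        if len(window) > self.limit:
            self.blocked_until[ip] = now + self.block_for
            return False
        return True
```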





Turn 'Bot Fight Mode' on

Bot Fight Mode on Cloudflare is a feature designed to detect, challenge, and block malicious or unwanted bot traffic to your website. It’s part of Cloudflare’s security tools for handling automated requests that can harm your site.


Navigate to Security in the left-hand panel and click Settings.

In the Bot Fight Mode box, make sure the toggle is on.

