Cloudflare - Your Website Security
Choosing Cloudflare means:
Strong protection
Faster website performance
Better reliability
Improved security and trust
To set up security rules in Cloudflare, log in to the Cloudflare account.
Go to Security, then select Security Rules from the left-hand panel.

Click + Create rule to add a new rule.

In Cloudflare, you can create a rule with two different types of action: Block or Challenge.
Block means the request is completely denied. The visitor cannot access the website.
Challenge means the visitor must prove they are human before accessing the site, for example by completing a CAPTCHA.
When to use Block vs Challenge
Use Block for known malicious IPs or countries.
Use Challenge for suspicious traffic where real users might still need access.
All our websites should have five security rules applied. These rules are free of charge and provide effective protection and improved performance.
Here is a list of 6 rules we should set up for each of our websites:
- Click '+ Create rule' button and select 'Custom rules' from the drop-down list.
Enter rule name "Block high-risk countries from admin"
in the 'When incoming request match ... select Field 'Country", Operator "is in" and Value "Brazil, China, India, Indonesia, Iran, Korea North, Pakistan, Russian Federation, Ukraine, Vietnam')
add another condition 'and' "URI Path" "starts with" "/wp-admin"
In the choose action select "Block" from the drop-down list.
In the select order select "First".
- Click 'Deploy' to apply the rule.

2. Challenge POST Requests - helping to reduce spam and malicious form submissions while allowing normal WordPress admin and API functionality.
Click '+ Create rule' button and select 'Custom rules' from the drop-down list.
Enter the rule name "Challenge POST Requests"
In Expression Preview, click 'Edit expression' and paste the following:
(http.request.method eq "POST" and not starts_with(http.request.uri.path, "/wp-admin") and not starts_with(http.request.uri.path, "/wp-json/") and not starts_with(http.request.uri.path, "/wp-login.php") and not starts_with(http.request.uri.path, "/jm-ajax/") and not http.cookie contains "wordpress_logged_in_" and not cf.client.bot)
Websites using Idibu only:
For websites that use Idibu, use the expression below instead. This also allows requests through the /idibu/ and /jobrelay/ paths:
(http.request.method eq "POST" and not starts_with(http.request.uri.path, "/wp-admin") and not starts_with(http.request.uri.path, "/wp-json/") and not starts_with(http.request.uri.path, "/idibu/") and not starts_with(http.request.uri.path, "/jobrelay/") and not starts_with(http.request.uri.path, "/wp-login.php") and not starts_with(http.request.uri.path, "/jm-ajax/") and not http.cookie contains "wordpress_logged_in_" and not cf.client.bot)
Choose the action 'Managed Challenge'
Under 'Select order' place this rule after 'Blocking high-risk countries from wp-admin'
Click 'Deploy' to apply the rule.

3. Block xmlrpc.php - blocks access to /xmlrpc.php.
Most websites do not need it enabled.
- Click '+ Create rule' button and select 'Custom rules' from the drop-down list.
Enter the rule name "Block xmlrpc.php"
In the incoming request match....select Field "URI Path", Operator "equals", Value "/xmlrpc.php
In the choose action, select "Block"
In the Place at, select order choose "Custom", then in the Select which rule this will fire after, select "Block leaked passwords"
- Click 'Deploy' to apply the rule.

4. Challenge network admin - applies a Managed Challenge on /wp-admin/network, if the user agent is not Wordfence:
- Click '+ Create rule' button and select 'Custom rules' from the drop-down list.
- Enter the rule name "Challenge network admin"
- In the When incoming requests match choose Field "URI Path", Operator "starts with", Value "/wp-admin/network/"
- add 'and' condition 'User Agent" does not contain Wordfence
- In the Choose action, select "Managed Challenge"
- In the Select Order choose 'Custom' then in the Select which rule this will fire after, choose "Block xmlrpc.php"
- Click 'Deploy' to apply the rule.

5. Block Suspicious WordPress Admin Access - It is detecting and blocking or challenging suspicious access attempts to WordPress admin and login pages, while excluding legitimate admin AJAX calls, post requests, and traffic from Wordfence (a security plugin).
- Click '+ Create rule' button and select 'Custom rules' from the drop-down list.
- Enter the rule name: Block Suspicious WordPress Admin Access
- In the When incoming request match select Field "URI Path" , Operator "equals' and Value ' /wp-admin'.
- add the 'And' condition "URI Path" does not contain /admin-ajax.php
- add the 'And' condition "URI Path" does not contain '/admin-post.php'
- add the 'And' condition 'User Agent" does not contain Wordfence
- then add 'Or' condition
- "URI Path" , Operator "equals' and Value ' /wp-login.php'.
- add the 'And' condition "URI Path" does not contain /admin-ajax.php
- add the 'And' condition "URI Path" does not contain '/admin-post.php'
- add the 'And' condition 'User Agent" does not contain Wordfence
- then add 'Or' condition
- "URI Path" , Operator "contains' and Value ' /?author='.
- add the 'And' condition "URI Path" does not contain /admin-ajax.php
- add the 'And' condition "URI Path" does not contain '/admin-post.php'
- add the 'And' condition 'User Agent" does not contain Wordfence
- In the Choose Action select "Interactive Challenge"
- In the Select Order, choose 'Custom', then in the Select which rule this will fire after, select "Challenge network admin".
- Click 'Deploy' to apply the rule.

- Click '+ Create rule' button and select 'Rate limiting rules' from the drop-down list.
- Enter the rule name "Rate limit wp-login.php"
- In the When incoming requests match choose Field "URI Path", Operator "equals", Value "/wp-login.php"
- In the When rate exceeds... , enter '3' for Requests and '10 seconds' Period
- In the Choose action, select "Block"
- For duration, select 10 seconds.
- In the Place at section, choose 'First' for the select order. (if applicable)
- Click 'Deploy' to apply the rule.

Bot Fight Mode on Cloudflare is a feature designed to detect, challenge, and block malicious or unwanted bot traffic to your website. It’s part of Cloudflare’s security tools for handling automated requests that can harm your site.
Navigate to the Security on the left hand side panel and click on Settings.
In the Bot fight mode box make sure the toggle is on.
