Securing your WordPress site is essential to protect it from malicious attacks and spam. Cloudflare’s Web Application Firewall (WAF) offers powerful rules to safeguard your site against common threats. In this guide, we’ll explore five critical Cloudflare WAF rules that can help block spam, prevent brute force attacks, and secure sensitive areas of your site like wp-admin and wp-login.php. Implementing these rules will significantly boost your website’s security, keeping it safe from hackers and automated bots.
1. Block Spam Countries
Cloudflare WAF Rule:
- Action: Block or Challenge
- Expression:
(ip.src.country in {"CN" "RU" "IN" "TR" "BR"})
This rule blocks or challenges traffic from countries that are known to generate high levels of spam or malicious activity. You can expand this list or use your own data on where most spam or attacks are coming from.
Description:
Certain countries or regions are often linked to higher volumes of bot traffic, spam, or brute force attacks. By blocking or challenging traffic from these regions, you keep requests from those locations off your site entirely. This is especially useful if your target audience is located in specific regions and you don’t expect legitimate traffic from countries with higher cyber attack risks.
Example Use Case:
If you’re running a website targeting users in North America or Europe, you can block or challenge traffic from countries like China (CN), Russia (RU), India (IN), Turkey (TR), and Brazil (BR), as they are frequently associated with high levels of spam and brute force attacks.
2. Block Other Countries from wp-admin
Cloudflare WAF Rule:
- Action: Block or Challenge
- Expression:
(http.request.uri.path contains "/wp-admin" and not ip.src.country in {"US" "CA" "GB" "AU"})
This rule targets the WordPress wp-admin section, which is often a target for hackers trying to gain administrative access to your website. By limiting access to wp-admin to only trusted countries, you drastically reduce the attack surface.
Description:
WordPress’ wp-admin panel is where site administrators manage the backend, making it an attractive target for brute force attacks. By restricting access to wp-admin from specific countries (e.g., the US, Canada, Great Britain, and Australia), you ensure that only legitimate admins from trusted locations can log in. Visitors from other countries will be blocked or challenged when trying to access the wp-admin login page.
Example Use Case:
If you are based in the United States and only have admins based in the US, Canada, Great Britain, and Australia, you can block access to wp-admin from all other countries. This significantly reduces the risk of unauthorized access.
3. Block Form or Comment Spam
Cloudflare WAF Rule:
- Action: Block or Challenge
- Expression:
((http.request.uri.path contains "/wp-comments-post.php" or http.request.uri.path contains "/wp-login.php") and http.user_agent matches "(?i)bot|crawl|spider|scraper|googlebot|yandexbot|bingbot|slurp|baidu")
This rule focuses on filtering out malicious traffic trying to post spam through forms or the comment section. It checks for user agents that match common bots or scrapers used in automated spam campaigns. The two path conditions are grouped in parentheses so that the user-agent check applies to both of them; without the grouping, AND binds tighter than OR and every request to wp-comments-post.php would be blocked regardless of its user agent. The (?i) prefix makes the match case-insensitive, so "Googlebot" and "googlebot" are treated alike.
Description:
Spam in the comments section or via contact forms is a common issue on WordPress websites. This rule targets automated bots that attempt to inject spam into your website’s comment system, forms, or login attempts. By blocking or challenging these requests based on their user agent (which can be indicative of bots), you prevent malicious traffic from affecting your website’s performance and reputation.
Example Use Case:
If you have a WordPress blog with a comment section, you may frequently see spammy comments or form submissions from bots. This rule helps by blocking traffic that has user-agent strings indicating it’s coming from bots like Googlebot, Yandexbot, or any crawler commonly used for scraping content.
4. Lockdown WordPress (Deny Access to wp-login.php)
Cloudflare WAF Rule:
- Action: Block
- Expression:
(http.request.uri.path eq "/wp-login.php")
This rule completely denies access to the wp-login.php page, which is one of the most common entry points for hackers trying to brute force their way into your WordPress site. You can also apply additional conditions to allow only specific IP addresses or countries.
Description:
The wp-login.php page is a frequent target for brute force attacks. Hackers use automated tools to guess passwords and gain unauthorized access to the admin panel. By blocking this page entirely, or restricting access to trusted IPs or locations, you effectively lock down your WordPress login process. This is a good rule for sites where you don’t need public login access or where you can limit login access to a trusted set of users.
Example Use Case:
If you’re the only admin of the WordPress site and you access it from a specific IP address or country, blocking all other traffic to wp-login.php can provide a significant boost to your site’s security.
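To see exactly which requests rules 1 to 4 above would catch, here is an offline evaluator that mirrors each Cloudflare expression as a Python predicate and runs it over a handful of constructed requests. This is an added example, not Cloudflare's code or the author's; the request objects, sample paths, countries and user-agent strings are all made up for the illustration. It also shows two things worth checking before enabling the rules: the "contains /wp-admin" test in rule 2 also matches /wp-admin/admin-ajax.php, which many themes and plugins call from the public front end, so visitors outside the allowed countries may see broken features; and the user-agent check in rule 3 only catches clients that announce themselves as bots, so it is a spam filter rather than a login protection.

```python
"""Offline evaluator for WAF rules 1-4 (added example, not Cloudflare code).

Each predicate mirrors the Cloudflare expression for that rule. The sample
requests below are constructed for this illustration only.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Request:
    path: str        # mirrors http.request.uri.path
    country: str     # mirrors ip.src.country (ISO 3166-1 alpha-2)
    user_agent: str  # mirrors http.user_agent


SPAM_COUNTRIES = {"CN", "RU", "IN", "TR", "BR"}   # rule 1 list from the article
ADMIN_COUNTRIES = {"US", "CA", "GB", "AU"}        # rule 2 allow-list from the article
# Same pattern as rule 3; re.I plays the role of the (?i) prefix.
BOT_UA = re.compile(r"bot|crawl|spider|scraper|googlebot|yandexbot|bingbot|slurp|baidu", re.I)


def rule1_spam_country(r: Request) -> bool:
    """ip.src.country in {spam countries}"""
    return r.country in SPAM_COUNTRIES


def rule2_admin_geofence(r: Request) -> bool:
    """uri.path contains "/wp-admin" and not ip.src.country in {allowed}"""
    return "/wp-admin" in r.path and r.country not in ADMIN_COUNTRIES


def rule3_as_written(r: Request) -> bool:
    """A or B and C without parentheses: AND binds tighter, so this is A or (B and C).
    Every comment submission matches, whatever the user agent says."""
    is_comment = "/wp-comments-post.php" in r.path
    is_login = "/wp-login.php" in r.path
    return is_comment or (is_login and bool(BOT_UA.search(r.user_agent)))


def rule3_form_spam(r: Request) -> bool:
    """(A or B) and C: the user-agent check applies to both paths."""
    is_comment = "/wp-comments-post.php" in r.path
    is_login = "/wp-login.php" in r.path
    return (is_comment or is_login) and bool(BOT_UA.search(r.user_agent))


def rule4_lockdown_login(r: Request) -> bool:
    """uri.path eq "/wp-login.php" (blocks everyone, admins included)"""
    return r.path == "/wp-login.php"


RULES = {
    "rule1_spam_country": rule1_spam_country,
    "rule2_admin_geofence": rule2_admin_geofence,
    "rule3_form_spam": rule3_form_spam,
    "rule4_lockdown_login": rule4_lockdown_login,
}


def evaluate(r: Request) -> list:
    """Names of the rules that would block or challenge this request."""
    return [name for name, pred in RULES.items() if pred(r)]


# Constructed sample traffic (not real logs).
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/126.0"
SAMPLES = {
    # A real visitor posting a comment from the US.
    "human_comment_us": Request("/wp-comments-post.php", "US", BROWSER_UA),
    # A front-end plugin calling admin-ajax.php for a visitor in Germany.
    "ajax_visitor_de": Request("/wp-admin/admin-ajax.php", "DE", BROWSER_UA),
    # A login scanner that does not call itself a bot.
    "login_scanner_ru": Request("/wp-login.php", "RU", "python-requests/2.31"),
    # A self-identified crawler fetching the login page.
    "crawler_login_us": Request("/wp-login.php", "US", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    # The site's own administrator logging in from the UK.
    "admin_login_gb": Request("/wp-login.php", "GB", BROWSER_UA),
}


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:18} -> {evaluate(req) or ['allowed']}")
    print("rule 3 without parentheses blocks a human comment:",
          rule3_as_written(SAMPLES["human_comment_us"]))
```

Running the script prints one line per sample. The admin login from GB is listed under rule 4, which is the point the article makes about adding an IP or country condition to that rule before enabling it, and the German visitor's admin-ajax.php call is caught by rule 2, which is the side effect to test for on a site whose front end depends on it.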
5. Rate Limiting and Brute Force Protection
Cloudflare WAF Rule:
- Action: Challenge or Block (applied once the threshold below is exceeded)
- Expression (the requests to count):
(http.request.uri.path eq "/wp-login.php")
- Characteristics: IP address
- Period: 60 seconds
- Requests per period: 5
This is a Cloudflare rate limiting rule rather than a custom rule: the expression selects which requests are counted, and the threshold, period and counting characteristic are set in the rule’s own settings instead of inside the expression. It prevents brute force attacks by limiting the number of login attempts to wp-login.php in a given time frame. If more than 5 login attempts are detected from one IP address within 60 seconds, further requests from that address are either challenged or blocked.
Description:
Brute force attacks involve automated tools trying a large number of username and password combinations until they find the correct one. By limiting the number of requests a user can make to wp-login.php in a short time period, you can effectively block brute force attacks and force malicious actors to slow down or stop trying. You can set different thresholds based on how many login attempts you want to allow per minute.
Example Use Case:
On a WordPress site, repeated failed login attempts in a short amount of time might indicate a brute force attack. By setting up rate limiting, you can stop attackers from making too many requests in a short period. This is crucial for reducing the effectiveness of brute force attacks and preventing your login system from being overwhelmed.
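The following simulation shows how the rate limiting rule behaves over a timeline of login requests: a sliding 60-second window per client IP, a threshold of 5, and a mitigation timeout after which the client is counted afresh. It is an added example written for this article, not Cloudflare's implementation (Cloudflare does not publish its counting algorithm, and the 600-second mitigation timeout is an assumed value chosen for the illustration); the IP addresses and timestamps are constructed.

```python
"""Sliding-window rate limiter modelled on WAF rule 5 (added example).

Not Cloudflare's code. Period and threshold come from the article; the
mitigation timeout and the sample timeline are assumptions for this demo.
"""
from collections import defaultdict, deque

PERIOD_SECONDS = 60.0          # "in 60 seconds" from the article
THRESHOLD = 5                  # "more than 5 login attempts" from the article
MITIGATION_TIMEOUT = 600.0     # assumed: how long a client stays challenged
LOGIN_PATH = "/wp-login.php"   # the rule's expression: uri.path eq "/wp-login.php"


class LoginRateLimiter:
    """Counts requests to the login path per client IP and challenges the
    client once more than THRESHOLD arrive within PERIOD_SECONDS."""

    def __init__(self, period=PERIOD_SECONDS, threshold=THRESHOLD,
                 timeout=MITIGATION_TIMEOUT):
        self.period = period
        self.threshold = threshold
        self.timeout = timeout
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.challenged_until = {}       # ip -> time the mitigation expires

    def decide(self, ip: str, path: str, now: float) -> str:
        """Return "allow" or "challenge" for one request at time `now`."""
        if path != LOGIN_PATH:           # the rule only counts the login path
            return "allow"
        until = self.challenged_until.get(ip)
        if until is not None and now < until:
            return "challenge"           # still inside the mitigation timeout
        window = self.hits[ip]
        window.append(now)
        # Drop timestamps that fell out of the sliding window.
        while window and window[0] <= now - self.period:
            window.popleft()
        if len(window) > self.threshold:
            self.challenged_until[ip] = now + self.timeout
            window.clear()
            return "challenge"
        return "allow"


ATTACKER = "203.0.113.7"     # constructed (TEST-NET-3 documentation range)
VISITOR = "198.51.100.20"    # constructed (TEST-NET-2 documentation range)

# Constructed timeline: (seconds, client ip, path). The attacker fires eight
# login requests in 14 seconds, then returns after the mitigation timeout.
EVENTS = [
    (0, ATTACKER, LOGIN_PATH), (2, ATTACKER, LOGIN_PATH), (4, ATTACKER, LOGIN_PATH),
    (6, ATTACKER, LOGIN_PATH), (8, ATTACKER, LOGIN_PATH), (10, ATTACKER, LOGIN_PATH),
    (12, ATTACKER, LOGIN_PATH), (14, ATTACKER, LOGIN_PATH),
    (5, VISITOR, LOGIN_PATH), (30, VISITOR, LOGIN_PATH),   # a normal login flow
    (9, ATTACKER, "/"),                                    # not counted: wrong path
    (700, ATTACKER, LOGIN_PATH),                           # after the timeout
]


def simulate(events=EVENTS) -> list:
    """Replay the events in time order; returns (t, ip, path, decision) tuples."""
    limiter = LoginRateLimiter()
    results = []
    for t, ip, path in sorted(events, key=lambda e: e[0]):
        results.append((t, ip, path, limiter.decide(ip, path, float(t))))
    return results


if __name__ == "__main__":
    for t, ip, path, decision in simulate():
        print(f"t={t:4}s {ip:15} {path:16} -> {decision}")
```

The sixth attacker request inside the window is the first one challenged, every further login request is challenged until the timeout expires, and the visitor's two requests pass untouched. Lowering the threshold tightens the rule but remember that a normal login is two requests (loading the form, then posting it), so a threshold below 2 per minute would challenge legitimate users.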
By implementing these Cloudflare WAF rules, you can significantly increase the security of your WordPress website. Whether it’s blocking traffic from spam countries, restricting access to sensitive areas like wp-admin, preventing comment spam, locking down the WordPress login page, or defending against brute force attacks, these WAF rules provide a powerful layer of protection. Regularly updating and adjusting your WAF settings is essential to stay ahead of emerging threats and keep your WordPress site safe from malicious activity.