What is Cloudflare Firewall Rules?
Cloudflare Firewall Rules is another firewall product offered by Cloudflare, announced in October 2018. It is a powerful and flexible security tool for filtering web application traffic.
Cloudflare Firewall Rules is available for all Cloudflare plans. The free plan can have up to 5 active Firewall rules.
A Firewall Rule consists of two parts: Matching and Action.
- Matching: a filter expression that is evaluated against your traffic, matching on a string or pattern
- Action: the action performed on the matched traffic (block, challenge, captcha, allow)
You can also reorder firewall rules to override the default evaluation sequence, which is based on each rule's action.
Firewall Rules: Matching
You can match traffic on properties of the HTTP request, including country, hostname, IP address, URI, referrer, known bots, threat score, and more.
Known bots (cf.client.bot) is a Cloudflare-defined list of "known good bots", which includes bots from Google, Apple, Bing, LinkedIn, Pingdom, and Yahoo. It is recommended to add cf.client.bot to an Allow rule to avoid blocking good crawlers, which could hurt your SEO and monitoring.
Cloudflare uses an internal algorithm to calculate an IP's reputation and assigns it a threat score ranging from 0 to 100. The threat score is used by the Security Level setting under Firewall:
- High – for scores greater than 0
- Medium – for scores greater than 14
- Low – for scores greater than 24
- Essentially Off – for scores greater than 49
Regular Expression matching is supported for Cloudflare Business and Enterprise plans.
Firewall Rules: Action
You can choose the action to perform on matched traffic.
- Block: the traffic is blocked from reaching your web application.
- JS Challenge: a JavaScript challenge. Visitors without JavaScript support (mostly bots) will be blocked.
- Challenge (Captcha): the visitor must pass a captcha challenge before being allowed access.
- Allow: Traffic is allowed to reach your web application.
Access Cloudflare Firewall Rules
In this article, we show you how to set up Cloudflare Firewall Rules through the dashboard. You can also configure Firewall Rules through the API and Terraform.
- Log in to your Cloudflare dashboard
- Select the domain name you want to configure Firewall Rules for
- Click Firewall in the toolbar at the top
- Click Firewall Rules

From there, you can:
- Create a new Firewall Rule
- Search and filter the list of existing rules
- See a list of existing rules (active and paused)
- Activate or pause rules (turn on or off)
- Edit a rule
- Delete a rule
Cloudflare Firewall Rules Examples
Example 1 — Block all countries except Malaysia

Expression Editor:
(ip.geoip.country ne "MY")
Country blocking is easy with Cloudflare Firewall Rules.
Tip: change the operator to "equals" to block only the country chosen in the Value field. You can add more countries by clicking the "OR" button.
Example 2 — WordPress Security

Expression Editor:
((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) and ip.geoip.country ne "MY"
This Firewall Rule will challenge any non-Malaysian visitor who tries to access WordPress xmlrpc.php, wp-login.php, or /wp-admin (except admin-ajax.php and theme-editor.php). A simple rule like this can stop most hacking attempts against your WordPress website.
You will notice that there is no visual builder for this rule; that is because it uses a complex (nested brackets) expression.
Example 3 — Block bad bots (use Expression Editor)

Expression Editor:
(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)
This is a long bot-blocking rule. It blocks any traffic that is not from a known good bot and whose user agent contains the string "crawl", "bot", or "spider", plus a few specific user agents.
Here we add the Firewall rule using the Expression Editor (shown in animated GIF above):
- Click "Create a Firewall Rule"
- Give the rule a name
- Click "Edit expression"
- Copy & Paste the expression into the text area
- Select “Block” action
- Click “Deploy” to activate the Firewall rule
You can use the Visual Builder to update a Firewall rule that was created in the Expression Editor, provided the expression does not use nested brackets.
The same expression can be rewritten with nested brackets, grouping the generic crawl/bot/spider terms inside one pair of parentheses so that a single "and not cf.client.bot" applies to all of them. Because "and" binds more tightly than "or", that group needs its own surrounding parentheses; otherwise the known-bot exclusion applies only to the last term:
(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (((http.user_agent contains "crawl") or (http.user_agent contains "Crawl") or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter") or (http.user_agent contains "Bot" and not http.user_agent contains "Google") or (http.user_agent contains "Spider") or (http.user_agent contains "spider")) and not cf.client.bot)
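To see what these expressions decide in practice, here is an added Python model (not code from the article or from Cloudflare) that transcribes the flat rule, its first version without the bingbot exclusion, and the nested rewrite with and without the extra grouping brackets, then runs each against constructed sample user agents, with known standing in for cf.client.bot.

```python
"""Offline model of the article's "Block bad bots" Firewall Rule.

Added example; not code from the article or from Cloudflare. The rule language
evaluates "and" before "or", as Python does, so each expression is transcribed
term by term into Python (`ua` = http.user_agent, `known` = cf.client.bot)
and evaluated against constructed sample requests.
"""


def _custom_agents(ua: str) -> bool:
    """The fixed user-agent substrings that open Example 3."""
    return any(n in ua for n in (
        "Yandex", "muckrack", "Qwantify", "Sogou", "BUbiNG", "knowledge",
        "CFNetwork", "Scrapy", "SemrushBot", "AhrefsBot", "Baiduspider",
        "python-requests"))


def _generic_terms(ua: str) -> bool:
    """The crawl/bot/spider clauses with no cf.client.bot check."""
    return (("crawl" in ua) or ("Crawl" in ua)
            or ("bot" in ua and "bingbot" not in ua and "Google" not in ua
                and "Twitter" not in ua)
            or ("Bot" in ua and "Google" not in ua)
            or ("Spider" in ua) or ("spider" in ua))


def bad_bot_flat(ua: str, known: bool = False) -> bool:
    """Example 3 as published: `and not cf.client.bot` inside every clause."""
    return (_custom_agents(ua)
            or ("crawl" in ua and not known) or ("Crawl" in ua and not known)
            or ("bot" in ua and "bingbot" not in ua and "Google" not in ua
                and "Twitter" not in ua and not known)
            or ("Bot" in ua and "Google" not in ua and not known)
            or ("Spider" in ua and not known) or ("spider" in ua and not known))


def bad_bot_before_bingbot_fix(ua: str, known: bool = False) -> bool:
    """The first published "bot" clause, which did not exclude "bingbot"."""
    return bad_bot_flat(ua, known) or ("bot" in ua and "Google" not in ua
                                       and "Twitter" not in ua and not known)


def bad_bot_nested_ungrouped(ua: str, known: bool = False) -> bool:
    """Nested rewrite that appends `and not cf.client.bot` after the last `or`
    with no extra brackets: `and` binds tighter, so only "spider" is excluded."""
    return (_custom_agents(ua) or ("crawl" in ua) or ("Crawl" in ua)
            or ("bot" in ua and "bingbot" not in ua and "Google" not in ua
                and "Twitter" not in ua)
            or ("Bot" in ua and "Google" not in ua)
            or ("Spider" in ua) or ("spider" in ua) and not known)


def bad_bot_nested_grouped(ua: str, known: bool = False) -> bool:
    """Nested rewrite with the generic terms bracketed: equals bad_bot_flat."""
    return _custom_agents(ua) or (_generic_terms(ua) and not known)


# Constructed samples: (name, user agent, cf.client.bot). The bingbot sample is
# left unflagged so that the user-agent clauses alone decide its fate.
SAMPLES = [
    ("chrome", "Mozilla/5.0 (Windows NT 10.0) Chrome/80.0 Safari/537.36", False),
    ("googlebot", "Mozilla/5.0 (compatible; Googlebot/2.1; "
                  "+http://www.google.com/bot.html)", True),
    ("bingbot", "Mozilla/5.0 (compatible; bingbot/2.0; "
                "+http://www.bing.com/bingbot.htm)", False),
    ("pingdom", "Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)", True),
    ("magpie", "magpie-crawler/1.1 (U; Linux amd64; en-GB)", False),
    ("scrapy", "Scrapy/2.0 (+https://scrapy.org)", False),
]


def evaluate(rule):
    """Map each sample name to True when the rule fires (the Block action)."""
    return {name: rule(ua, known) for name, ua, known in SAMPLES}
```

Pingdom's user agent contains "bot", so it is the sample that separates the grouped and ungrouped nested forms: a known good bot is allowed only when the whole group is bracketed.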
Do Your Cloudflare Firewall Rules Work?
You have configured and activated your Firewall rules. Do they work as expected? You can check the Firewall Event Log (Firewall > Events) for the list of firewall events (allow, challenge, block) and their details.
Pay attention to the challenged and blocked events. You do not want to mistakenly block good traffic because of a misconfigured Firewall rule.

In this example, the Firewall Rule blocks the "magpie-crawler" bot with IP address "185.25.35.15" (United Kingdom) when it tries to access a post's feed.
Summary
In this tutorial, you have learned what Cloudflare Firewall Rules are and how to configure them to filter traffic and protect your web application. You also learned about the Expression Editor for writing complex firewall rules.
I hope you find this tutorial helpful. If you have any questions, please add them in the comments below.
How do you use Cloudflare Firewall Rules?
Sources:
- https://blog.cloudflare.com/announcing-firewall-rules/
- https://developers.cloudflare.com/firewall/cf-firewall-rules/
Categories: Security, Server Management, Tips & Tricks, Tutorials
Hey Liew,
BIG thank you for the excellent explanation of how to create and set up firewall rules on CloudFlare and for the example rules. I followed your advice and easily created the rules I needed.
Hi Julian, glad that you found it useful 👍
Hey Liew,
These firewall rules you provide work like a charm to catch the bad guys and protect my site. Much appreciated.
I’d like to add protection against the UserPro <= 4.9.17 – Authentication Bypass attack:
https://wpvulndb.com/vulnerabilities/8950
So I added:
(http.request.uri.path contains "/?up_auto_log=true") or
to the beginning of Example 2 — WordPress Security
NOTE: I experimented with variations like:
- "up_auto_log=true"
- "up_auto_log="
The original protections against attacks for xmlrpc.php, wp-login.php etc. still work but protection against Authentication Bypass attack that I added does NOT work.
Can you please help?
Maybe adding protection to Example 2 — WordPress Security or some other rule you might think better.
I want to add this protection because I often see this attack in my logs.
Thanks for considering my request.
Cheers,
Julian
Hi @Julian, based on the link, the plugin fixed the vulnerability in version 4.9.17.1. Also, do not use "admin" as your WordPress username.
Hi Liew,
Yes, I know that the vulnerability was fixed and I do not use “admin” as a user name. However, hackers still try to exploit and use this attack method for other reasons such as looking for differences in the server’s response based on the validity of submitted credentials etc.
Do you know how to add this protection to a Firewall rule?
Hi Julian, try to use match URI Query String:
(http.request.uri.query eq "up_auto_log=true")
Many thanks for this post! I’ve put rules into practice and I’m getting great results.
That’s great, Renato! 👍
Hello,
I applied the "Block Bad Bots" rules and monitored the blocking of bots. I've noticed that Cloudflare is blocking Bingbot.
User Agent:
Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
What are the rules for releasing Bingbot?
Thank you
Hi Renato, thanks for the feedback. I can confirm that bingbot is blocked by the rule.
Please find:
or (http.user_agent contains "bot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter")
then replace it with:
or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter")
I have also updated the code in the article. Thank you!
Sir, how can I learn all about Cloudflare Firewall?
MANY THANKS lewis for this posting!
Great article on the security setting of Cloudflare. Thanks a lot, man!
Keep it up, we always follow your suggestions.
Thank you, @Kishore! You make my day 🙂
Thank you for this. Is there a way we can allow Googlebot but still block the other bots?
Hi Nick Roberts, Googlebot is excluded in the CF firewall rule in the article:
(http.user_agent contains "Bot" and not http.user_agent contains "Google")
Thank you much, Liew, for the Block Bad Bots example. Had been looking for something like that for awhile. Very much appreciated. I hates bad bots.
You’re welcome. Glad it is helpful
Great article
thanks a lot for such useful info.
On the WP security rules, which is better: JS Challenge or Challenge (Captcha)?
https://i.imgur.com/TCiCs22.png
Another question…
In your Example 2 — WordPress Security rule
What happens if the hacker/attacker comes from Malaysia? or uses a VPN to use an IP from Malaysia?
Any suggestions to prevent that?
thanks!
This guide helped me a lot, thanks.
Thank you for your awesome CF rules, Liew!
Maybe this will help too:
(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php") or (http.request.uri.path contains "phpmyadmin") or (http.request.full_uri contains "../") or (http.request.full_uri contains "..%2F") or (http.request.full_uri contains "passwd") or (http.request.uri contains "/dfs/") or (http.request.uri contains "/autodiscover/") or (http.request.uri contains "/wpad.") or (http.request.full_uri contains "webconfig.txt") or (http.request.full_uri contains "vuln.") or (http.request.uri.query contains "base64") or (http.request.uri.query contains "<script") or (http.request.uri.query contains "%3Cscript") or (http.request.uri.query contains "$_GLOBALS[") or (http.request.uri.query contains "$_REQUEST[") or (http.request.uri.query contains "$_POST[")
Hello, Robi Setiawan. Greetings from Indonesia. I tried your rules on my CF. Unfortunately, it doesn't work. I got an error, as in the screenshot here: http://prntscr.com/qeghi8. How do I resolve it?
Thank you
Hi, Slamet. Sorry for late reply.
You can use my Cloudflare rules below:
https://blog.situstarget.com/wp-content/uploads/2020/01/Firewall-Rules-for-WordPress.txt
The first rule is to protect WordPress from injection.
The second rule is to protect WordPress from bad spiders.
The third rule is to protect WordPress from backdoors.
The fourth rule is to make Cloudflare your VPN for logging in to wp-admin and wp-login.php.
thanks for sharing full info
I visit this article again and again; it helps me a lot. Thanks once again.
I have problems with other web pages hot-linking my photos. So I would like to make a Firewall Rule so that this is not possible! BUT the Firewall Rule needs to allow search engines like Google and Yahoo to index my photos!
Is this something you can help me with?
Hey Lykke, you can utilize your htaccess file to prevent hotlinking of images. The All In One WP Security & Firewall plugin has the ability to prevent hotlinking of images.
Thanks for your reply.
I don't think it would work because my web page is served cached through Cloudflare, but I'm pretty sure it can be done through a Cloudflare Firewall Rule.
I am not an expert, so I have tried to contact Cloudflare. But it is hopeless, because a new person answers every time and it is like they do not understand the problem.
Right now I'm using the Firewall Rule below, but I'm not sure it works, because my indexed photos are dropping on Google Images. But maybe I just need to be a little more patient.
(http.request.method eq "GET" and http.request.uri.path contains "jpg" and not (http.referer contains "my.domain.com/" or cf.client.bot))
Thanks for the rules. They seem to work great!
Hotlink protection is built into Cloudflare and can be found under the Scrape Shield menu >> Hotlink Protection.
Hello,
I have some questions:
1. If I block a certain country but allow Googlebot, will my website be indexed in that country?
2. If I block a certain country but allow Googlebot and it indexes my website there, isn't that cloaking? Because if Googlebot crawls and sees my website from that banned country but users don't, isn't it wrong?
Thank you!
Hey Ana, your website will be indexed if you allow googlebot. If you block a certain country, but allow Googlebot, your site will still show up in search engines but appear as unavailable to those trying to visit from the country you banned.
Nice article.
Great article. I always use Cloudflare; it speeds up my website as well.
Hi,
Thanks for sharing such a nice post on your blog. Keep it up and share more.
Great Very Useful Post Thanks For Sharing.
Perfect tutorial, thanks so much.
Please write a tutorial article with page rules on CloudFlare.
Thanks
Rather than using "contains" for some of these rules, you can use "matches" with an RE2 regular expression, making the expressions a bit shorter. For example, replace:
or (http.user_agent contains "Spider")
or (http.user_agent contains "spider")
with:
or (http.user_agent matches "[Ss]pider")
OR, you can use built-in functions and simply convert the value to lowercase:
or (lower(http.user_agent) contains "spider")
Referencing: https://developers.cloudflare.com/firewall/cf-firewall-language/ & https://developers.cloudflare.com/firewall/cf-firewall-rules/fields-and-expressions/
That’s great,
Hi lewis,
The bad bot script is blocking some user agents which are useful to me; for example, it is blocking an uptime bot which checks my website's uptime. How do I unblock it? It is also blocking an ad bot, GumGum, which is useful for showing the ads on my site.
Thanks
Hey Suprim, nothing should be blocked if it's just checking uptime.
Great article..⭐⭐⭐⭐⭐
Great article I really like the way you summarize the article on cybersecurity and explain it to us. Thanks a lot
Very helpful post.
Great Content Keep it up
I visit this article again and again; it helps me a lot. Thanks once again.
Great Very Useful Post Thanks For Sharing
Very helpful and valuable information
Great Very Useful Post Thanks
Very brilliant information
Awesome, Very Useful Post Thanks For Sharing
Thank you, dear. I changed my Cloudflare and now it's working well and faster.
Hello, I am actually using the rule below and I would like to know how I can block all countries except "FR" and "CA" in the same rule. For now I can only have FR as an exception. Thank you.
((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) and ip.geoip.country ne "FR"
I visit this article again and again, and it helps me more and more. Thanks once again.
This is a very nice blog. Thanks for sharing.
Many thanks for this post! I’ve put rules into practice and I’m getting great results.
We were attacked twice over the last two days with over 8.5M requests in 30 minutes. We just launched our company and another company, we think, was trying to take our site down. It was time spent last night going through trust scores, bots, and other things, that I believe, just helped us avert an attack. Yeah!
Thanks so much for your article, thank you very much for sharing that awesome Cloudflare firewall rule.
Best
From Jonathan
Thanks for explaining in detail...
My website received so many bots that I followed your guidelines and turned the firewall on, and thousands of IPs are blocked. Thank you.
Hi there, last year I read your article and applied these settings on nearly 100+ websites of my clients. First of all, thank you for the article, bro.
I want to know something I am still confused about. You have given this code:
(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)
The issue with this code is that I think it is blocking Google and Bing as well. Should I turn the Google and Bing buttons ON? Example screenshot here = http://prnt.sc/smvm0n
In other words, should I enable the Google and Bing bot toggles so that both of these bots can access the site without any issue? Why? Because I have been doing SEO on my website https://ezytilingservices.com.au/, which I want search engines like Google and Bing to crawl. So I am still confused: should I turn those two buttons ON or OFF, as you have shown in the link?
Hi Aljit,
If you check the given code above again, you will see, for example,
and not http.user_agent contains "Google"
This "and not" is there so that we include bad bots while making sure to exclude good bots (Bing, Google, Twitter, etc.). So you just need to copy and paste that long bot-blocking rule and follow the steps.
Btw, if you want to check the list of known bots in Cloudflare, you can check it here,
https://developers.cloudflare.com/firewall/known-issues-and-faq/#how-does-firewall-rules-handle-traffic-from-known-bots
On what basis is the blocking of uptimerobot done?
It is an application that monitors whether the site is up; I see blocking it as a false positive, and in the analysis of bots I have done for 2 years, Uptimerobot never appears as a villain, always accessing the URL that is registered. All sites post bots, but I don't know why:
grep -vi "google\|bing" /var/log/nginx/access.log | grep -i "bot\|crawler" | awk -F"\"-\"" '{print $2}' | grep -v "^$" | sort | uniq -c | sort -nr
cat /var/log/nginx/access.log | grep -i "bot\|crawler" | awk -F"\"-\"" '{print $2}' | grep -v "^$" | sort | uniq -c | sort -nr
grep -i "bot\|crawler" /var/log/nginx/access.log | awk -F"\"-\"" '{print $2}' | grep -v "^$" | sort | uniq -c | sort -nr
grep -i "bot\|crawler\|spider\|seo" /var/log/nginx/access.log | awk -F"\"-\"" '{print $2}' | grep -v "^$" | sort | uniq -c | sort -nr
Here are my blocks, based on SEO bots (Semrush), ApacheHttpClient (it is possible to be attacked in dynamic fields of the site) and, not to extend the subject too much, the botnets (polaris and XTC):
(http.user_agent contains "AhrefsBot") or (http.user_agent contains "crawler.feedback@gmail.com") or (http.user_agent contains "DnyzBot/") or (http.user_agent contains "Go-http-client") or (http.user_agent contains "Nimbostratus") or (http.user_agent contains "python-requests") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SeznamBot/") or (http.user_agent contains "Sogou web spider") or (http.user_agent contains "spbot") or (http.user_agent contains "WebDAV-MiniRedir") or (http.user_agent contains "WinHttp.WinHttpRequest") or (http.user_agent contains "YaK/") or (http.user_agent contains "boardreader") or (http.user_agent contains "VoluumDSP-content-bot") or (http.user_agent contains "Tailbot") or (http.user_agent contains "DotBot") or (http.user_agent contains "MJ12bot") or (http.user_agent contains "Eyeotabot") or (http.user_agent contains "OpenVAS-VT") or (http.user_agent contains "Apache-HttpClient/4.5.2 (Java/1.8.0_151)") or (http.user_agent contains "Apache-HttpClient") or (http.user_agent contains "masscan/1.0 (https://github.com/robertdavidgraham/masscan)") or (http.user_agent contains "Uirusu/2.0") or (http.user_agent contains "BLEXBot/1.0") or (http.user_agent contains "BLEXBot") or (http.user_agent contains "SemrushBot/6~bl") or (http.user_agent contains "semrush") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "SemrushBot/") or (http.user_agent contains "SemrushBot/1.0~bm") or (http.user_agent contains "1.0~bm") or (http.user_agent contains "GrapeshotCrawler/2.0") or (http.user_agent contains "GrapeshotCrawler") or (http.user_agent contains "grapeshot.co.uk") or (http.user_agent contains "AspiegelBot") or (http.user_agent contains "Seekport") or (http.user_agent contains "serpstatbot/1.0") or (http.user_agent contains "serpstatbot") or (http.user_agent contains "MauiBot") or (http.user_agent contains "polaris") or (http.user_agent contains "XTC") or (http.user_agent contains "Uirusu") or (http.user_agent contains "puzzles") or (http.user_agent contains "PycURL")
* Sorry for my bad English, I’m from Brazil. *
My basic rules for web scans and intrusion attempts:
(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php" and http.request.full_uri contains "https://www.yoursite.com/wp-config.php" and http.request.uri.path contains "/wp-json/" and http.request.uri.query contains "author_name=" and http.request.uri.path contains "phpmyadmin" and http.request.full_uri contains "../") or (http.request.uri contains "..%2F" and http.request.uri contains "passwd" and http.user_agent contains "Nimbostratus" and http.request.method in {"GET" "POST" "HEAD"}) or (http.request.full_uri contains "wp-config.") or (http.request.uri contains "/dfs/") or (http.request.uri contains "/autodiscover/") or (http.request.uri contains "/wpad.") or (http.request.full_uri eq "webconfig.txt") or (http.request.full_uri contains "vuln.") or (http.request.uri.query contains "base64" and http.user_agent contains "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" and http.user_agent contains "check_http/v1.4.15-61-g4d527 (nagios-plugins 1.4.15)" and http.user_agent contains "check_http" and http.user_agent contains "nagios-plugins" and http.user_agent contains "Apache-HttpClient" and http.user_agent contains "OpenVAS-VT" and http.user_agent contains "X11, U; OpenVAS-VT 9.0.3" and http.user_agent contains "OpenVAS" and http.request.uri.query contains "?a=" and http.request.uri contains "?a=" and http.request.full_uri contains "?a=") or (http.request.uri.path contains "/?utm_source=sniply") or (http.request.uri contains "/?utm_source=sniply") or (http.request.uri contains "wget") or (http.request.uri eq "CONCAT") or (http.request.uri contains "UNION") or (http.request.uri contains "NULL") or (http.request.uri contains "php?php=http") or (http.request.uri contains "shell") or (http.request.uri contains "wshell") or (http.request.uri contains "xshell") or (http.request.uri contains "ThinkPHP")
I am facing a DNS LOOKUP problem on my site https://lyricsmeanings.com/. Kindly solve this and reply with a solution.
Hey Rohit, best to put in a support ticket to get this cleared up quickly.
Everything is explained in such a simple manner. I really appreciate your effort.
Probably the best explanation I read so far. Thank you!