For more than ten years, the Cloudflare team has provided security services to website creators worldwide and is currently helping thousands of businesses maintain and secure their online resources.
Since its creation, Cloudflare has released many strong firewall utilities, such as IP rules, CIDR rules, ASN rules, country rules, and HTTP user-agent blocking, to name a few, and Cloudflare Firewall Rules are a recent addition to these. These rules combine how firewall utilities are used, and provide users with more flexibility and control over how their firewall works.
In this article, you’ll learn everything you need to know about firewalls, how to start implementing and editing Cloudflare Firewall Rules on your website, and why security is so important.
What Are Cloudflare Firewall Rules?
Cloudflare Firewall Rules are a flexible and intuitive framework website owners can use to filter HTTP requests – giving you complete control of which requests are able to reach your application.
Firewall rules integrate well with existing Cloudflare tools, as they allow you to combine multiple techniques into a cohesive set of rules. For example, you can create one rule to block traffic from users matching a particular pattern, instead of having to use three or four different rules in as many places to accomplish the same result.
They also give you the advantage of continuously checking the site traffic and responding accordingly to threats. You can define expressions that inform Cloudflare of what or what not to look at and what kind of action should be taken when those particular requirements are satisfied.
Why Are Firewalls Necessary for Your Website?
Cloudflare is mainly used to reduce web page load times and protect your site from online threats. It also helps defend against spammers, malware injections, and DDoS attacks.
Around 70% of WordPress installations are vulnerable to attack, which makes it all the more important to use Cloudflare's firewall to protect your site from unwanted threats. Some of the reasons why firewalls are required for your website are:
- Cloudflare utilizes three different types of minification, JavaScript, CSS, and HTML, to reduce file size and increase load speeds by removing unwanted white spaces, newline delimiters, and unnecessary characters.
- With the introduction of HTTP/3, Cloudflare supports loading multiple page elements in parallel over a single TCP connection, along with push technology and header compression.
- Cloudflare WAF protects your site from many vulnerabilities that popular CMS tools (WordPress, Joomla, etc.) are prone to. Cloudflare WAF has more than 145 rules to protect your site from all types of web application attacks.
- Cloudflare has a rate-limiting function that helps mitigate DoS attacks, brute-force login attempts, and other malicious activity against the application layer. The rate-limiting function allows you to configure thresholds, define responses, and gain insights on websites.
As you can see, Cloudflare not only improves SEO by speeding up your website, it provides a whole host of advanced security features to protect your site from attacks.
Cloudflare Firewall Rules – Matching & Actions
Cloudflare Firewall Rules are made up of two main functionalities: Matching, which lets you define a filter to precisely match your traffic, and Actions, through which you determine the action Cloudflare will take after you set the matching filter.
Matching
Matching lets you filter out any incoming traffic to your website. For example, if you wanted to restrict certain countries, redirect visitors to a location-specific page, or filter out particular IP addresses, then you would use matching rules to do this.
Among the most important features Cloudflare is introducing is the known bots (cf.client.bot) field. It provides you with a Cloudflare-approved list of good bots obtained through reverse DNS lookups. You will find a comprehensive list of bots approved by sites such as Google, Yahoo, Bing, LinkedIn, Apple, and more.
Note: Since the “allow listing” function has been removed, it’s recommended that you include cf.client.bot in an Allowed rule. This would prevent Cloudflare Firewall Rules from unintentionally blocking good crawlers.
What’s more, Cloudflare Firewall Rules also come with an algorithm that gives a threat score to IPs by measuring their online reputation. The threat score ranges from 0 to 100 and is divided into the following categories:
- High – for scores from 0 to 13;
- Medium – for scores from 14 to 23;
- Low – for scores from 24 to 48;
- Essentially Off – for scores greater than 49.
However, setting up matching rules alone won’t achieve much. This is where Actions come in.
Actions
With matching filters set up, you can instruct Cloudflare Firewall Rules to apply the standard Cloudflare actions (Block, JavaScript Challenge, and Challenge) as well as the new Allow action.
- Block: used for blocking traffic from getting access to your web application.
- JavaScript Challenge: used to block traffic from visitors who don’t have JavaScript support, who are usually bots.
- Challenge (Captcha): used to set up a Captcha challenge to block potential bots.
- Allow: used for allowing visitors access to your web application.
Three Examples of Cloudflare Firewall Rules In Action
In this section, you’ll find three ways to set up Cloudflare Firewall Rules by using the dashboard and why they might be helpful.
We’ll be covering:
- How to block particular countries from visiting your site
- How to make your WordPress site more secure with captcha
- How to prevent bad bot traffic from coming to your site
Note: Another way to set up these rules is by using API and Terraform.
To begin, log into your Cloudflare dashboard. From there, choose the domain name for which you want to set up Cloudflare Firewall Rules.

Next, click on Firewall from the top sections and then on Firewall Rules.

This section lets you set up a new firewall rule, browse and filter existing rules, activate, deactivate, modify, and delete rules. To try out the below examples, click on Create a Firewall rule.

Example 1 – Block All Countries Except the USA
To block all countries except a single one (in our example, it will be the United States of America), follow the steps below:
- First, give your rule a name.
- From the Field drop-down, choose Country.
- Next, from the Operator drop-down, choose does not equal.
- In the Value drop-down, choose the United States.
- Finally, from the Choose an action drop-down, select Block, and then click on the blue Deploy button in the lower right-hand corner.

Conversely, if you would like to block a single country, pick equals from the Operator drop-down and then follow the procedure as mentioned above.
Expression Editor:
(ip.geoip.country ne "US")
Example 2 – WordPress Security
WordPress security is an important thing that site owners don’t think much about. Every day, Google blacklists about 10,000+ websites for malware and around 50,000+ websites every week for phishing. It’s essential to keep your WordPress site secure from malware and threats and avoid getting your site blocked.
Why Is WordPress Security Important?
Whether your website is big or small, hackers don’t care about it. One way or the other, they can find different ways to use the information against you. They typically look for your personal and financial information and then try to cause damage to you and your company with the collected info.
Mark Ronso, Marketing Manager at Top Writers Review, said, “a business’s reputation can be seriously damaged due to a hacked website. Hackers commonly install malicious software or viruses to extract the data in the background, which can result in a loss of trust in your business and customers turning to a competitor.”
Hence, to keep your business safe and secure, you’ll need to protect your site through WordPress plugins or a Cloudflare firewall. So, which one is the best, and what’s the difference between the two?
WordPress Plugins vs. Cloudflare Firewall – Which Is Better?
A lot of people choose to install free plugins to handle the security of their site, instead of having to use a third-party tool like Cloudflare – usually, because it’s too complicated or to save money. In reality, Cloudflare doesn’t take long to install and provides you with much more functionality than any other WordPress plugin.
Here are the key differences you should know about:
Cloudflare firewall:
- Cloudflare firewall seamlessly integrates with CDNs like WordPress
- Cloudflare’s Automatic Platform Optimization (APO) caches your site and optimizes the assets, increasing your site’s speed.
- Cloudflare firewall offers a free SSL certificate and DNS service, along with powerful DDoS protection.
- Increases the speed and performance of your site by rewriting insecure URLs dynamically to their secure counterparts.
- Free to get started
WordPress Security Plugins:
- Regularly scans your site for malware code and has a real-time firewall feature that protects your site from known and unknown threats.
- Many free plugins don’t offer features like IP blocking, country blocking, and protection from brute-force logins.
- Some WordPress plugins allow you to rename the login gateways to avoid potential attacks.
- You never know what permissions you’re giving up to the plugin developer.
All things considered, most WordPress plugins don’t increase your site’s speed or offer as many advanced features as the Cloudflare firewall provides. Cloudflare firewall is recommended over free security plugins to protect your website from any attacks.
How to Secure Your WordPress Site With Cloudflare Firewall
Repeat the process mentioned above of creating a new firewall rule and naming it, but this time, click on Edit expression.

By doing so, you are directly accessing the Expression Editor. In the field, paste the following:
((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) and ip.geoip.country ne "US"
After that, pick Challenge (Captcha) from the Choose an action drop-down, and then click Deploy.

Now you will have set up a Captcha challenge for all visitors outside the US who attempt to reach WordPress xmlrpc.php, wp-login.php, and /wp-admin (except admin-ajax.php and theme-editor.php), in order to block potential hackers from accessing your WordPress website.
If your login or admin URLs have been changed, feel free to edit the original expression to match.
Example 3 – Block Bad Bot Traffic
Bad bots carry out a number of fraudulent and malicious activities, such as ad scams, malware attacks, and data theft. Around 40% of internet traffic consists of bad bot traffic, and, during the pandemic, there was a 788% increase in bad bot traffic to retail websites globally between September and October 2020, resulting in a loss of $82 million during peak season.
Blocking out bad traffic helps avoid attackers trying to launch a DDoS attack on your site. Most DDoS attacks slow down your site by directing a large amount of traffic towards your site, overloading the server, and making it go offline.
The procedure here is similar to the previous example. The only difference is that you should choose Block from the Choose an action drop-down and paste the following in Expression Editor:
(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)

This rule will block bot traffic with user agents containing the strings “crawl,” “bot,” “spider,” and some other custom user agents.
You can rewrite the same rule by using nested parentheses in the following way. Because and binds more tightly than or, the or terms are wrapped in their own pair of parentheses so that not cf.client.bot applies to all of them:
(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (((http.user_agent contains "crawl") or (http.user_agent contains "Crawl") or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter") or (http.user_agent contains "Bot" and not http.user_agent contains "Google") or (http.user_agent contains "Spider") or (http.user_agent contains "spider")) and not cf.client.bot)
How To Test That Your Firewall Rules Work
Once you’re all set up, you should check to see if your Cloudflare Firewall Rules work. To do this, you can access the Firewall Event Activity Log by going back to the Overview section of the firewall. There, you can see a list of firewall events and details related to them.

Note, checking your Firewall Rules can take some time to do if you don’t get much traffic. If this is the case, wait a couple of days and monitor Google Analytics to make sure there are no abnormalities before returning to Cloudflare and checking the activity log.
The most important things to look out for are challenge and block events.
When challenge and block events appear on the list, take your time to go through them and see if any good bots were blocked when they shouldn’t have been, or if any known bad bots made it through. You need to make sure no positive traffic gets denied access to your site because of an error in setting up firewall rules.
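An added example (not from the original article or from Cloudflare): a small Python evaluator for the subset of the rules language used in this guide (contains, eq, ne, not, and, or, parentheses), so a rule can be dry-run against sample requests before it is deployed. It uses shortened variants of the Example 3 bot rule to show why the grouping parentheses matter when not cf.client.bot is factored out; it assumes the precedence not > and > or, and the rules, sample requests and function names are constructed for illustration.

```python
import re

# Tokens of the rule subset used here: parentheses, "strings", field/operator words.
TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|[A-Za-z_][\w.]*)')

def tokenize(expr):
    expr, tokens, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:  # e.g. curly quotes pasted from a web page
            raise ValueError(f"cannot parse at offset {pos}: {expr[pos:pos + 12]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class Parser:
    """Recursive descent over the tokens; assumed precedence: not > and > or."""
    def __init__(self, tokens, request):
        self.toks, self.i, self.req = tokens, 0, request

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def parse_or(self):
        value = self.parse_and()
        while self.peek() == "or":
            self.take()
            value = self.parse_and() or value  # always parse the right-hand side
        return value

    def parse_and(self):
        value = self.parse_not()
        while self.peek() == "and":
            self.take()
            value = self.parse_not() and value
        return value

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok not in self.req:
            raise ValueError(f"unknown field {tok!r}")
        field = self.req[tok]
        if self.peek() in ("contains", "eq", "ne"):
            op, literal = self.take(), self.take()
            if not (literal or "").startswith('"'):
                raise ValueError(f"expected a quoted string after {op}")
            text = literal[1:-1]
            if op == "contains":
                return text in field  # case-sensitive substring match
            return (field == text) == (op == "eq")
        return bool(field)  # bare boolean field such as cf.client.bot

def evaluate(expr, request):
    parser = Parser(tokenize(expr), request)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return result

def matched(expr, requests):
    return [name for name, req in requests.items() if evaluate(expr, req)]

# Shortened variants of the bot rule (constructed for this example).
FLAT = ('(http.user_agent contains "Scrapy")'
        ' or (http.user_agent contains "crawl" and not cf.client.bot)'
        ' or (http.user_agent contains "spider" and not cf.client.bot)')
# "and" binds tighter than "or": here "not cf.client.bot" guards only "spider".
UNGROUPED = ('(http.user_agent contains "Scrapy")'
             ' or ((http.user_agent contains "crawl")'
             ' or (http.user_agent contains "spider") and not cf.client.bot)')
# Extra parentheses around the "or" group apply the guard to every term.
GROUPED = ('(http.user_agent contains "Scrapy")'
           ' or (((http.user_agent contains "crawl")'
           ' or (http.user_agent contains "spider")) and not cf.client.bot)')
# Constructed sample requests: User-Agent plus the verified-bot flag.
SAMPLES = {
    "verified_crawler": {"http.user_agent": "examplecrawl/1.0", "cf.client.bot": True},
    "fake_crawler": {"http.user_agent": "examplecrawl/1.0", "cf.client.bot": False},
    "scraper": {"http.user_agent": "Scrapy/2.11", "cf.client.bot": False},
    "browser": {"http.user_agent": "Mozilla/5.0 Firefox/125.0", "cf.client.bot": False},
}

if __name__ == "__main__":
    for label, rule in (("flat", FLAT), ("ungrouped", UNGROUPED), ("grouped", GROUPED)):
        print(f"{label:10} blocks {matched(rule, SAMPLES)}")
```

The ungrouped variant is the only one that blocks the verified crawler, which is the kind of false positive to look for in the activity log.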
Summary – Use Cloudflare Firewall Rules To Your Advantage
RunCloud lets you easily manage your server and web application, and seamlessly integrates with Cloudflare. We hope you’ve found this guide useful in setting up & effectively implementing Cloudflare firewall rules to improve the security and performance of your web application.
Get started with RunCloud today.
What firewall rules are you currently deploying via Cloudflare? Let us know & join the conversation in the comments below! 💬
Hey Liew,
BIG thank you for the excellent explanation of how to create and set up firewall rules on CloudFlare and for the example rules. I followed your advice and easily created the rules I needed.
Hi Julian, glad that you found it useful 👍
Hey Liew,
These firewall rules you provide work like a charm to catch the bad guys and protect my site. Much appreciated.
I’d like to add protection against the UserPro <= 4.9.17 – Authentication Bypass attack:
https://wpvulndb.com/vulnerabilities/8950
So I added:
(http.request.uri.path contains "/?up_auto_log=true") or
to the beginning of Example 2 — WordPress Security
NOTE: I experimented with variations like:
– "up_auto_log=true"
– "up_auto_log="
The original protections against attacks for xmlrpc.php, wp-login.php etc. still work but protection against Authentication Bypass attack that I added does NOT work.
Can you please help?
Maybe adding protection to Example 2 — WordPress Security or some other rule you might think better.
I want to add this protection because I often see this attack in my logs.
Thanks for considering my request.
Cheers,
Julian
hi @Julian, based on the link, the plugin fixed the vulnerability at version 4.9.17.1. Also, do not use “admin” for WordPress username.
Hi Liew,
Yes, I know that the vulnerability was fixed and I do not use “admin” as a user name. However, hackers still try to exploit and use this attack method for other reasons such as looking for differences in the server’s response based on the validity of submitted credentials etc.
Do you know how to add this protection to a Firewall rule?
Hi Julian, try to use match URI Query String:
(http.request.uri.query eq "up_auto_log=true")
Can anyone tell me how I can use any CDN? Is there any literature available on the internet? Please share a link.
Hi Arijit, what CDN are you trying to configure? Cloudflare is super simple to get started with & is the solution we use & recommend.
Many thanks for this post! I’ve put rules into practice and I’m getting great results.
That’s great, Renato! 👍
Hello,
I applied the rules “Block Bad Bots” and I monitored the blocking of bots. I’ve noticed that Cloudflare is blocking Bingbot
User Agent
Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
What are the rules for releasing Bingbot?
Thank you
Hi Renato, thanks for the feedback. I can confirm that bingbot is blocked by the rule.
Please find:
or (http.user_agent contains "bot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter")
then replace it with:
or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter")
I also updated the code in the article. Thank you!
Sir, how to know all about Cloudflare Firewall
MANY THANKS lewis for this posting!
Great article on the security setting of Cloudflare. Thanks a lot, man!
Keep it up, we always follow your suggestions.
Thank you, @Kishore! You make my day 🙂
Thank you for this, is there a way we can allow the googlebot but still block the other bots?
Hi Nick Roberts, the googlebot is excluded in the CF firewall rule in the article.
(http.user_agent contains "Bot" and not http.user_agent contains "Google")
Thank you much, Liew, for the Block Bad Bots example. Had been looking for something like that for awhile. Very much appreciated. I hates bad bots.
You’re welcome. Glad it is helpful
Great article
thanks a lot for such useful info.
On the WP security rules what is better
JS Challenge or Challenge (Captcha)?
https://i.imgur.com/TCiCs22.png
Another question…
In your Example 2 — WordPress Security rule
What happens if the hacker/attacker comes from Malaysia? or uses a VPN to use an IP from Malaysia?
Any suggestions to prevent that?
thanks!
This guide help me lot, thanks
Thank you for your awesome CF rules, Liew!
Maybe this will help too:
(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php") or (http.request.uri.path contains "phpmyadmin") or (http.request.full_uri contains "../") or (http.request.full_uri contains "..%2F") or (http.request.full_uri contains "passwd") or (http.request.uri contains "/dfs/") or (http.request.uri contains "/autodiscover/") or (http.request.uri contains "/wpad.") or (http.request.full_uri contains "webconfig.txt") or (http.request.full_uri contains "vuln.") or (http.request.uri.query contains "base64") or (http.request.uri.query contains "<script") or (http.request.uri.query contains "%3Cscript") or (http.request.uri.query contains "$_GLOBALS[") or (http.request.uri.query contains "$_REQUEST[") or (http.request.uri.query contains "$_POST[")
Hello, Robi Setiawan. Greetings from Indonesia. I tried your rules on my CF. Unfortunately, it doesn't work. I got an error as in the screenshot here http://prntscr.com/qeghi8. How to resolve it?
Thank you
Hi, Slamet. Sorry for late reply.
You can use my Cloudflare rules below:
https://blog.situstarget.com/wp-content/uploads/2020/01/Firewall-Rules-for-WordPress.txt
First, rule is to protect WordPress from injection.
Second, rule is to protect WordPress from Bad Spider
Third, rule is to protect WordPress from backdoor
Fourth, rule is to make Cloudflare as your VPN to login WP-admin & WP-Login.php.
thanks for sharing full info
I visit again and again this article help me more. thanks one again.
I have problems with other web pages make hot-linking to my photos. So I will like to make a Firewall Rules, so it is not possible to do this! BUT the Firewall Rules needs to allow Search engines like google and yahoo to index my photos!
Is it something you can help me with!!
Hey Lykke, you can utilize your htaccess file to prevent hotlinking of images. The All In One WP Security & Firewall plugin has the ability to prevent hotlinking of images.
Thanks for your reply.
I don’t think it would work because my web page is served over cloudflare cached. but I’m pretty sure it can be done through a cloudflare Firewall Rules.
I am not an expert so have tried to contact cloudflare. But it is hopeless, because is a new person who answers every time and it is like they do not understand the problem.
Right now I’m using this Firewall Rules below, but not sure it works because my index photos are dropping on google image. But maybe I just need to be a little more patient.
(http.request.method eq "GET" and http.request.uri.path contains "jpg" and not (http.referer contains "my. domain.com/" or cf.client.bot))
Thanks for the rules. They seem to work great!
Hotlink protection is built into Cloudflare and can be found under the Scrape Shield menu >> Hotlink Protection
Hello,
I have some questions:
1. If I block a certain country, but allow googlebot, will my website be indexed in that country?
2. If I block a certain country, but allow googlebot and it indexed my website there, isnt it cloaking? Because, if googlebot crawls sees my website from that banned country, but users dont, isnt it wrong?
Thank you!
Hey Ana, your website will be indexed if you allow googlebot. If you block a certain country, but allow Googlebot, your site will still show up in search engines but appear as unavailable to those trying to visit from the country you banned.
Nice article
Great article.. I always use Cloudflare it speeds up my website as well.
Hi,
Thank for sharing such a nice post on your blog keep it up and share more.
Great Very Useful Post Thanks For Sharing.
Perfect tutorial, thanks so much.
Please write a tutorial article with page rules on CloudFlare.
Thanks
Rather than using "contains" for some of these rules, you can use "matches", and use the RE2 match, making the expressions a bit shorter. For example, replace:
or (http.user_agent contains "Spider")
or (http.user_agent contains "spider")
with:
or (http.user_agent matches "[Ss]pider")
OR, you can use built-in functions, and simply convert the results to all lowercase:
or (lower(http.user_agent) contains "spider")
Referencing: https://developers.cloudflare.com/firewall/cf-firewall-language/ & https://developers.cloudflare.com/firewall/cf-firewall-rules/fields-and-expressions/
That’s great,
Hi lewis,
The bad bot script is blocking some of the user agent which is useful for me for example it is blocking an uptime bot which checks my website uptime. How do I unblock it? and it is also blocking a ad bot gumgum which is useful to show the ads on my site.
Thanks
Hey Suprim, nothing should be blocked if its just checking uptime.
Great article..⭐⭐⭐⭐⭐
Great article I really like the way you summarize the article on cybersecurity and explain it to us. Thanks a lot
Very helpful post.
Great Content Keep it up
I visit again and again this article help me more. thanks one again.
Great Very Useful Post Thanks For Sharing
Very helpful and valuable information
Great Very Useful Post Thanks
Very brilliant information
Awesome, Very Useful Post Thanks For Sharing
Thank You Dear, i am changed my cloud flare now its working good and faster.
Hello I am actually using that rule below and I would like to know how I can block all countries except “FR” and “CA” in the same rule. for now I can only have FR as an exception thank you.
((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) and ip.geoip.country ne "FR"
I visit again and again this article, and it help me more and more. thanks one again.
This is very nice blog.thanks for sharing
Many thanks for this post! I’ve put rules into practice and I’m getting great results.
We were attacked twice over the last two days with over 8.5M requests in 30 minutes. We just launched our company and another company, we think, was trying to take our site down. It was time spent last night going through trust scores, bots, and other things, that I believe, just helped us avert an attack. Yeah!
Thanks so much for your article, thank you very much for sharing that awesome Cloudflare firewall rule.
Best
From Jonathan
Thanks for the explained in details…
My website received so many bots that I have followed your guidelines and put firewall on and thousands of IPs are blocked. Thank you.
Hi there, last year i read your article and applied these settings on nearly 100+ websites of my clients. First of all thank you for the article bro.
I want to know something which i am still confused. You have given this code
(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)
The issue in this code is that I think this is blocking the google, bing as well. Should I turn the Google and Bing buttons ON? Example screenshot here = http://prnt.sc/smvm0n
In other words, should I enable the google and bing bot thing? So that both of these bots can access the site without any issue? Why? Because I have been doing SEO on my website https://ezytilingservices.com.au/ which I want to google and bing like search engine to crawl. So, I am still confused that should I be turning those two buttons ON or OFF like you have given in the link?
Hi Aljit,
If you check the given code above again, you will see and not http.user_agent contains "Google", for example. This “and not” here is to make sure we include bad bots and exclude good bots (Bing, Google, Twitter, etc.). So you just need to copy and paste that long bot-blocking rule and follow the steps.
Btw, if you want to check the list of known bots in Cloudflare, you can check it here,
https://developers.cloudflare.com/firewall/known-issues-and-faq/#how-does-firewall-rules-handle-traffic-from-known-bots
Based on what is the blocking done in uptimerobot?
It is an application to monitor the site on the air, I see it as false / positive to block it, and in my analysis that I have done for 2 years of bots, Uptimerobot never appears as a villain, always accessing the URL that is registered. All sites post bots, but don’t know why:
grep -vi "google\|bing" /var/log/nginx/access.log | grep -i "bot\|crawler" | awk -F"\"-\"" '{print $2}' | grep -v "^$" | sort | uniq -c | sort -nr
cat /var/log/nginx/access.log | grep -i "bot\|crawler" | awk -F"\"-\"" '{print $2}' | grep -v "^$" | sort | uniq -c | sort -nr
grep -i "bot\|crawler" /var/log/nginx/access.log | awk -F"\"-\"" '{print $2}' | grep -v "^$" | sort | uniq -c | sort -nr
grep -i "bot\|crawler\|spider\|seo" /var/log/nginx/access.log | awk -F"\"-\"" '{print $2}' | grep -v "^$" | sort | uniq -c | sort -nr
Here are my blocks, based on SEO bots (Semrush), ApacheHttpClient (it is possible to be attacked in dynamic fields of the site), and not to extend the subject too much, the botnet (polaris and XTC):
(http.user_agent contains "AhrefsBot") or (http.user_agent contains "crawler.feedback@gmail.com") or (http.user_agent contains "DnyzBot/") or (http.user_agent contains "Go-http-client") or (http.user_agent contains "Nimbostratus") or (http.user_agent contains "python-requests") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SeznamBot/") or (http.user_agent contains "Sogou web spider") or (http.user_agent contains "spbot") or (http.user_agent contains "WebDAV-MiniRedir") or (http.user_agent contains "WinHttp.WinHttpRequest") or (http.user_agent contains "YaK/") or (http.user_agent contains "boardreader") or (http.user_agent contains "VoluumDSP-content-bot") or (http.user_agent contains "Tailbot") or (http.user_agent contains "DotBot") or (http.user_agent contains "MJ12bot") or (http.user_agent contains "Eyeotabot") or (http.user_agent contains "OpenVAS-VT") or (http.user_agent contains "Apache-HttpClient/4.5.2 (Java/1.8.0_151)") or (http.user_agent contains "Apache-HttpClient") or (http.user_agent contains "masscan/1.0 (https://github.com/robertdavidgraham/masscan)") or (http.user_agent contains "Uirusu/2.0") or (http.user_agent contains "BLEXBot/1.0") or (http.user_agent contains "BLEXBot") or (http.user_agent contains "SemrushBot/6~bl") or (http.user_agent contains "semrush") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "SemrushBot/") or (http.user_agent contains "SemrushBot/1.0~bm") or (http.user_agent contains "1.0~bm") or (http.user_agent contains "GrapeshotCrawler/2.0") or (http.user_agent contains "GrapeshotCrawler") or (http.user_agent contains "grapeshot.co.uk") or (http.user_agent contains "AspiegelBot") or (http.user_agent contains "Seekport") or (http.user_agent contains "serpstatbot/1.0") or (http.user_agent contains "serpstatbot") or (http.user_agent contains "MauiBot") or (http.user_agent contains "polaris") or (http.user_agent contains "XTC") or (http.user_agent contains "Uirusu") or (http.user_agent contains "puzzles") or (http.user_agent contains "PycURL")
* Sorry for my bad English, I’m from Brazil. *
My Rules Basic for Scan Web and Invasion Attempts:
(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php" and http.request.full_uri contains "https://www.yoursite.com/wp-config.php" and http.request.uri.path contains "/wp-json/" and http.request.uri.query contains "author_name=" and http.request.uri.path contains "phpmyadmin" and http.request.full_uri contains "../") or (http.request.uri contains "..%2F" and http.request.uri contains "passwd" and http.user_agent contains "Nimbostratus" and http.request.method in {"GET" "POST" "HEAD"}) or (http.request.full_uri contains "wp-config.") or (http.request.uri contains "/dfs/") or (http.request.uri contains "/autodiscover/") or (http.request.uri contains "/wpad.") or (http.request.full_uri eq "webconfig.txt") or (http.request.full_uri contains "vuln.") or (http.request.uri.query contains "base64" and http.user_agent contains "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" and http.user_agent contains "check_http/v1.4.15-61-g4d527 (nagios-plugins 1.4.15)" and http.user_agent contains "check_http" and http.user_agent contains "nagios-plugins" and http.user_agent contains "Apache-HttpClient" and http.user_agent contains "OpenVAS-VT" and http.user_agent contains "X11, U; OpenVAS-VT 9.0.3" and http.user_agent contains "OpenVAS" and http.request.uri.query contains "?a=" and http.request.uri contains "?a=" and http.request.full_uri contains "?a=") or (http.request.uri.path contains "/?utm_source=sniply") or (http.request.uri contains "/?utm_source=sniply") or (http.request.uri contains "wget") or (http.request.uri eq "CONCAT") or (http.request.uri contains "UNION") or (http.request.uri contains "NULL") or (http.request.uri contains "php?php=http") or (http.request.uri contains "shell") or (http.request.uri contains "wshell") or (http.request.uri contains "xshell") or (http.request.uri contains "ThinkPHP")
i am facing DNS LOOKUP problem on my site https://lyricsmeanings.com/ . kindly solve this and reply with solution.
Hey Rohit, best to put in a support ticket to get this cleared up quickly.
Everything is explained in so simple a manner. I really appreciate your effort
Probably the best explanation I read so far. Thank you!
Wow, what an amazing article you have shared with needy people like us. actually, I have read several articles on this topic but no one explained better than this. so I would like to say thank to the writer who wrote this amazing post and I hope you will continue it in the future.
Thanks for sharing such nice stuff… keep it up
Thanks a lot, Keep it up, we always follow your suggestions.
Great, glad to hear Vikas – thanks for the support.
Everything Is Explained in So Simple a Manner. I Really Appreciate Your Effort
do these rules still work with the new Cloudflare URL normalize?
Hey Ryan, that’s an excellent question. It looks like there may be some changes that need to be made according to their documentation. We’ve made a note of this and will be updating this guide in case there is an extra step involved. Take care & talk soon! 🙂
This article has proved to be very useful for me. That is why I come to this article again and again, I have come today. Thanks again
Great, glad to hear you found it useful Mithun – appreciate you sharing 🙂
This is a great guide, very useful + easy to understand – thank you.
Thank you Mukesh, glad to hear you enjoyed the guide! 🙏
Many thanks for this post! I have changed my Cloudflare configuration and it’s working a lot faster now.
Hey Donna, excellent – glad to hear you found this post useful. Take care & talk soon! 🙏
Thank you very much for sharing Cloudflare Firewall Rules.
Our pleasure Puja, glad to hear you found it useful!
Thank you for providing this information, Its help for me.
Glad to hear you found this helpful Keyur! 🙏
This is a great guide, very useful + easy to understand – thank you.
Thanks for sharing, glad to hear you found it useful Edward!
Hello.
The images in the “Examples of Cloudflare Firewall Rules In Action” sections seem missing…
Hi Muhamad, thanks for taking the time to leave a comment. This has now been updated. 🙌
Nice Article, You Provide Good Information, Thanks.
Hey Sandeep, glad you found this guide useful. Take care. 🙏