WAF Rules We Recommend for Cloudflare

The following settings are important not only for security and maintenance but also to ensure your plugins work properly. Some plugins only send data out, but others loop back to your site for confirmation, so please go through all 6 steps below and feel free to reach out to us if you have any questions about any of it!

1. DNS

2. Security > Bots

3. Security > WAF > Firewall Rules

The rules are listed below; copy and paste each expression exactly as written (with straight quotes).

Rule#1 – Block WP login and admin outside of US:
Expression:
(http.request.uri.path contains "/wp-login.php" and ip.geoip.country ne "US") or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php" and ip.geoip.country ne "US")
The /wp-admin/admin-ajax.php exception is what keeps WordPress AJAX calls and the plugins that loop back to your site working for non-US visitors; only the login page and the rest of the admin area are blocked.

Rule#2 – Block Russia, China, India, Singapore and Africa:
Expression:
(ip.geoip.country eq "RU") or (ip.geoip.country eq "CN") or (ip.geoip.country eq "IN") or (ip.geoip.country eq "SG") or (ip.geoip.continent eq "AF")
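As an added illustration (not part of this guide or of Cloudflare's own tooling), the Python below models the two expressions above and runs them over constructed sample requests, showing that a non-US plugin callback to admin-ajax.php is still allowed while non-US logins and admin pages are blocked; the rule names, make_req and evaluate are my own naming.

```python
# Added example, not part of the original guide: a small model of the two
# Cloudflare expressions above, run over constructed sample requests, to show
# which traffic each rule blocks and why admin-ajax.php is exempted.
# Field names mirror Cloudflare's; the request dicts are constructed test data.
def rule_login_admin_outside_us(req):
    """Block wp-login.php and /wp-admin/ (except admin-ajax.php) for non-US IPs."""
    path = req["http.request.uri.path"]        # excludes the query string
    country = req["ip.geoip.country"]
    login_hit = "/wp-login.php" in path and country != "US"
    admin_hit = ("/wp-admin/" in path
                 and path != "/wp-admin/admin-ajax.php"
                 and country != "US")
    return login_hit or admin_hit

def rule_geo_block(req):
    """Block RU, CN, IN, SG and every AF-continent IP regardless of path."""
    return (req["ip.geoip.country"] in {"RU", "CN", "IN", "SG"}
            or req["ip.geoip.continent"] == "AF")

# Rules are evaluated top to bottom; a Block action stops evaluation.
RULES = [("login/admin outside US", rule_login_admin_outside_us),
         ("geo block", rule_geo_block)]

def evaluate(req):
    """Return the name of the first rule that blocks req, or None if allowed."""
    for name, rule in RULES:
        if rule(req):
            return name
    return None

def make_req(path, country, continent):
    return {"http.request.uri.path": path,
            "ip.geoip.country": country,
            "ip.geoip.continent": continent}

# Constructed sample traffic: (description, request)
SAMPLES = [
    ("US admin logs in",        make_req("/wp-login.php", "US", "NA")),
    ("DE visitor tries login",  make_req("/wp-login.php", "DE", "EU")),
    ("DE plugin AJAX callback", make_req("/wp-admin/admin-ajax.php", "DE", "EU")),
    ("DE visitor opens admin",  make_req("/wp-admin/edit.php", "DE", "EU")),
    ("RU visitor reads a post", make_req("/2024/hello-world/", "RU", "EU")),
    ("NG visitor reads a post", make_req("/about/", "NG", "AF")),
    ("FR visitor reads a post", make_req("/about/", "FR", "EU")),
]

if __name__ == "__main__":
    for desc, req in SAMPLES:
        print(f"{desc:24s} -> {evaluate(req) or 'allow'}")
```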


4. SSL / TLS
