Basic WAF Cloudflare Setup

When it comes to website security, Cloudflare is a great tool for handling security at the DNS level. This approach is beneficial because blocked attempts never even reach the server. This article shows you where to set up firewall (WAF) rules on the Cloudflare dashboard and what my basic rules are.

WAF Setup Location

Once logged in to the Cloudflare dashboard, choose the domain you want to manage. Then follow these steps:

  1. Go to the Security tab on the left panel.
  2. Click on WAF.
  3. Click on Create firewall rule.
Steps to t
  1. Type in a name for the firewall rule.
  2. Click on Edit expression. Paste the code below into the editable textarea field and make the necessary changes.
  3. Click the button Deploy firewall rule.

And that’s it. You have set the rule.

The Code

It is almost copy-paste code. Please pay attention to the row near the end that says ip.geoip.country ne "HU" and. Replace HU with your country code. You may wonder what this is. Well, this snippet limits the country of the visitor's IP to a specific one, in this case Hungary, when someone wants to visit any link containing wp-admin or wp-login.php. This way only visitors from that country can reach the login page of the website.

(cf.threat_score gt 14) or
(http.request.full_uri contains "wp-config.") or
(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php") or
(http.request.uri.path contains "phpmyadmin") or
(http.request.uri.path contains "/xmlrpc.php") or
(http.request.full_uri contains "passwd") or
(http.request.uri.query contains "author_name=") or
(http.request.uri.query contains "author=" and not http.request.uri.path contains "/wp-admin/export.php") or
(http.request.uri contains "/wp-json/wp/v2/users/") or
(http.request.full_uri contains "../") or
(http.request.full_uri contains "..%2F") or
(http.request.full_uri contains "vuln.") or
(http.request.uri.query contains "base64") or
(http.request.uri.query contains "<script") or
(http.request.uri.query contains "%3Cscript") or
(http.request.uri.query contains "$GLOBALS[") or
(http.request.uri.query contains "$_REQUEST[") or
(http.request.uri.query contains "$_POST[") or
(http.request.uri contains "<?php") or
(http.request.uri contains ".sql") or
(http.request.uri contains ".bak") or
(http.request.uri contains ".cfg") or
(http.request.uri contains ".env") or
(http.request.uri contains ".ini") or
(http.request.uri contains ".log") or
(http.request.full_uri contains "/license.txt") or
(http.request.full_uri contains "/readme.html") or
(ip.geoip.country ne "HU" and
(http.request.uri.path contains "wp-login.php" or
http.request.uri.path contains "wp-admin"))
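
Grouping matters in the final clause because, in the Cloudflare rules language, and binds tighter than or: the country test must wrap only the wp-login.php and wp-admin conditions, with readme.html kept as its own condition. The Python below is an added example, not code from the original post; it models the rule's logic over constructed sample requests (the field names mirror the Cloudflare fields the rule uses) and contrasts the correctly grouped tail with a flat AND chain, which would never match an ordinary foreign wp-login.php request.

```python
from urllib.parse import urlsplit
# Added example, not part of the original post: model the firewall expression
# in Python and evaluate it against constructed sample requests. Field names
# mirror the Cloudflare fields the rule uses; samples are not real traffic.
def request_fields(full_uri, country):
    """Derive the Cloudflare-style fields the rule references from one URI."""
    p = urlsplit(full_uri)
    uri = p.path + ("?" + p.query if p.query else "")
    return {"full_uri": full_uri, "uri": uri, "path": p.path,
            "query": p.query, "country": country}

def tail_as_written(r):
    """Last clause written as one flat AND chain. 'and' binds tighter than
    'or', so the country test only fires when readme.html, wp-login.php and
    wp-admin all appear in the same request, which a normal login never does."""
    return ("/readme.html" in r["full_uri"] and r["country"] != "HU"
            and "wp-login.php" in r["path"] and "wp-admin" in r["path"])

def tail_grouped(r):
    """What the prose describes: wp-admin or wp-login.php is blocked unless
    the client country is HU; readme.html remains its own condition."""
    return "/readme.html" in r["full_uri"] or (
        r["country"] != "HU"
        and ("wp-login.php" in r["path"] or "wp-admin" in r["path"]))

def generic_clauses(r):
    """A few of the other OR-ed clauses from the rule, unchanged in meaning."""
    return ("/xmlrpc.php" in r["path"]
            or "../" in r["full_uri"] or "..%2F" in r["full_uri"]
            or ("author=" in r["query"]
                and "/wp-admin/export.php" not in r["path"]))

def blocked(full_uri, country, tail=tail_grouped):
    """True if the rule matches, i.e. the request would be blocked."""
    r = request_fields(full_uri, country)
    return generic_clauses(r) or tail(r)

# Constructed sample requests: (full URI, client country).
SAMPLES = [
    ("https://example.com/wp-login.php", "US"),                  # foreign login
    ("https://example.com/wp-login.php", "HU"),                  # local login
    ("https://example.com/wp-admin/export.php?author=1", "HU"),  # exempted
    ("https://example.com/?author=1", "HU"),                     # enumeration
    ("https://example.com/xmlrpc.php", "DE"),
]

if __name__ == "__main__":
    for uri, cc in SAMPLES:
        print(cc, uri, "flat:", blocked(uri, cc, tail_as_written), "grouped:", blocked(uri, cc))
```

Run stand-alone, it prints one line per sample showing that only the grouped form blocks the foreign wp-login.php request while leaving the Hungarian one and the exempted export.php?author= request alone.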

By applying this simple method, you can make your WordPress website much more secure.