Blog WordPress How to protect WordPress via Cloudflare WAF Rule?

How to protect WordPress via Cloudflare WAF Rule?

by Sa'ed Hammad

Vulnerabilities, threats and malicious attacks are commonplace nowadays.
Today more than 40% of the world’s internet traffic is bots and a significant portion of that is malicious bots.
Resource: Cloudflare

They are just bots that are constantly looking for possible security flaws in as many indexed domains as possible in order to compromise the site. There are tools that can help you detect these requests and take action like Cloudflare.

Using Cloudflare firewall rules for securing your website is one of the best ways to monitor, control and block bots.
This way is aimed at webmasters who run websites on a Cloudflare-enabled domain. On the free plan, Cloudflare grants five firewall rules that are empty by default.

Cloudflare WAF Rules Tips for Securing WordPress

By adding the below specific rules you can secure WP and block attacks before they even reach your web host’s server.

At your Cloudflare account, from the left menu, go to Security > WAF

Click Create firewall rule

Block wlwmanifest.xml Attack

wlwmanifest.xml is used by Windows Live Writer.

To block wlwmanifest.xml, simply add:

  • Field: URI Path
  • Operator: contains
  • Value: /wlwmanifest.xml

Choose an action: Block

Block xmlrpc.php Attack

You can also block xmlrpc.php one of the most common attacks in the same previous way you did for a wp-includes folder.

Block direct access to PHP files in the wp-content

Block bots hammering the wp-comments-post.php file directly

The rule is as follows:

  • Field: URI Path
  • Operator: equals
  • Value: /wp-comments-post.php


  • Field: Request Method
  • Operator: equals
  • POST


  • Field: Referer
  • Operator: does not contain
  • Value: (replace with your real domain)

Admin Area

About the admin area, I prefer to use other solutions instead Cloudflare like changing the WordPress default URL of the admin login here an Essential Advice for Improve WordPress Security and Performance.
However, I blocked wp-login.php via Cloudflare except in my country because all admins log in from Jordan.
It’s up to you to do this and pick your country instead of mine.

You may also like

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.