Vulnerabilities, threats and malicious attacks are commonplace nowadays.
Today more than 40% of the world’s internet traffic comes from bots, and a significant portion of that is malicious bots.
Resource: Cloudflare
These are automated bots that constantly probe as many indexed domains as possible for security flaws in order to compromise the site. There are tools, Cloudflare among them, that can help you detect these requests and take action on them.
Using Cloudflare firewall rules for securing your website is one of the best ways to monitor, control and block bots.
This guide is aimed at webmasters who run websites on a Cloudflare-enabled domain. On the free plan, Cloudflare grants five firewall rules, which are empty by default.
Cloudflare WAF Rules Tips for Securing WordPress
By adding the specific rules below you can secure WP and block attacks before they even reach your web host’s server.
In your Cloudflare account, go to Security > WAF from the left menu
Click Create firewall rule
Block wlwmanifest.xml Attack
wlwmanifest.xml is used by Windows Live Writer. On a WordPress site it lives under /wp-includes/, and requests for it from ordinary visitors are rare; they are mostly scanners fingerprinting WordPress.
To block wlwmanifest.xml, simply add:
- Field: URI Path
- Operator: contains
- Value: /wlwmanifest.xml
Choose an action: Block
Block xmlrpc.php Attack
You can also block xmlrpc.php, one of the most common attack targets, in the same way as the previous rule for the wp-includes folder (use URI Path contains /xmlrpc.php).
Block direct access to PHP files in the wp-content folder
Block bots hammering the wp-comments-post.php file directly
The rule is as follows:
- Field: URI Path
- Operator: equals
- Value: /wp-comments-post.php
[AND]
- Field: Request Method
- Operator: equals
- Value: POST
[AND]
- Field: Referer
- Operator: does not contain
- Value: yoursite.com (replace with your real domain)
Admin Area
About the admin area, I prefer to use other solutions instead of Cloudflare, like changing the WordPress default URL of the admin login; see Essential Advice for Improve WordPress Security and Performance.
However, I blocked wp-login.php via Cloudflare except from my country, because all admins log in from Jordan.
It’s up to you to do this and pick your country instead of mine.
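As an added example (not code from the original post), the rules above modelled offline in Python so you can check their combined logic against sample requests before enabling them. Each rule carries, in a comment, its equivalent in Cloudflare's expression language; those field names are assumed from Cloudflare's documentation, and the domain, country code and sample requests are constructed placeholders.

```python
"""Offline model of the Cloudflare WAF rules described on this page."""
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]
SITE = "yoursite.com"   # placeholder: replace with your real domain
ADMIN_COUNTRY = "JO"    # ISO country code for Jordan, as in the post

# (rule name, predicate); a True result means Cloudflare would Block.
RULES: List[Tuple[str, Callable[[Request], bool]]] = [
    # http.request.uri.path contains "/wlwmanifest.xml"
    ("wlwmanifest", lambda r: "/wlwmanifest.xml" in r["path"]),
    # http.request.uri.path contains "/xmlrpc.php"
    ("xmlrpc", lambda r: "/xmlrpc.php" in r["path"]),
    # http.request.uri.path eq "/wp-comments-post.php"
    #   and http.request.method eq "POST"
    #   and not http.referer contains "yoursite.com"
    # A missing Referer header counts as empty, so it is blocked too.
    ("comment-spam", lambda r: r["path"] == "/wp-comments-post.php"
                              and r["method"] == "POST"
                              and SITE not in r.get("referer", "")),
    # http.request.uri.path contains "/wp-login.php"
    #   and ip.geoip.country ne "JO"
    ("wp-login-geo", lambda r: "/wp-login.php" in r["path"]
                               and r.get("country") != ADMIN_COUNTRY),
]


def evaluate(request: Request) -> List[str]:
    """Return the names of every rule that would block this request."""
    return [name for name, pred in RULES if pred(request)]


# Constructed sample requests, not real traffic.
SAMPLES: Dict[str, Request] = {
    "scanner": {"path": "/wp-includes/wlwmanifest.xml", "method": "GET",
                "country": "US"},
    "comment-ok": {"path": "/wp-comments-post.php", "method": "POST",
                   "referer": "https://yoursite.com/hello-world/",
                   "country": "US"},
    "comment-bot": {"path": "/wp-comments-post.php", "method": "POST",
                    "country": "US"},
    "admin-home": {"path": "/wp-login.php", "method": "GET", "country": "JO"},
    "admin-abroad": {"path": "/wp-login.php", "method": "POST",
                     "country": "DE"},
    "visitor": {"path": "/2024/hello-world/", "method": "GET", "country": "FR"},
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        hits = evaluate(req)
        print(f"{label:13} -> {'BLOCK ' + ','.join(hits) if hits else 'allow'}")
```

Note that the Referer check only filters bots that post blindly; a client can send any Referer it likes, so treat it as noise reduction rather than authentication.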