Using Cloudflare with WordPress

Last Updated: 15. 10. 2020
Categories: IT, Wordpress

Using Cloudflare with WordPress is very easy. First of all, register on cloudflare.com and install the plugin called Cloudflare on your WordPress website.

https://www.youtube.com/watch?v=7hY3gp_-9EU
https://www.youtube.com/watch?v=uqlo3lCqiy0

After successful registration on Cloudflare, you can start setting up these firewall rules and page rules.

https://www.youtube.com/watch?v=hT2wFNDg9mk

Add Cloudflare IPs to the .htaccess file:

  • Allow from 173.245.48.0/20
  • Allow from 103.21.244.0/22
  • Allow from 103.22.200.0/22
  • Allow from 103.31.4.0/22
  • Allow from 141.101.64.0/18
  • Allow from 108.162.192.0/18
  • Allow from 190.93.240.0/20
  • Allow from 188.114.96.0/20
  • Allow from 197.234.240.0/22
  • Allow from 198.41.128.0/17
  • Allow from 162.158.0.0/15
  • Allow from 104.16.0.0/12
  • Allow from 172.64.0.0/13
  • Allow from 2400:cb00::/32
  • Allow from 2405:8100::/32
  • Allow from 2405:b500::/32
  • Allow from 2606:4700::/32
  • Allow from 2803:f800::/32
  • Allow from 2c0f:f248::/32
  • Allow from 2a06:98c0::/29
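The Allow from lines only restrict anything when the origin denies all other addresses by default, so it is worth checking the origin's access log for requests that arrived from outside these ranges and were still served. The script below is an added example, not part of the original post. It assumes an Apache combined-format log whose first field is the connecting address (no real-IP restoration module in use), and the sample log lines are constructed.

```python
import ipaddress
import re

# Ranges copied from the list on this page; Cloudflare changes them over time,
# so refresh the list before relying on the result.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in """
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12
172.64.0.0/13 2400:cb00::/32 2405:8100::/32 2405:b500::/32
2606:4700::/32 2803:f800::/32 2c0f:f248::/32 2a06:98c0::/29
""".split()]

# client address, request line and status code of a combined-format log line
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def is_cloudflare(ip_text):
    """True if the address falls inside one of the listed Cloudflare ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip.version == net.version and ip in net
               for net in CLOUDFLARE_RANGES)

def audit(log_lines):
    """Return (ip, request, status) for requests that reached the origin
    from outside Cloudflare and were not refused with 403."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip_text, request, status = m.group(1), m.group(2), int(m.group(3))
        try:
            from_cloudflare = is_cloudflare(ip_text)
        except ValueError:
            continue  # first field is a hostname, not an address
        if not from_cloudflare and status != 403:
            findings.append((ip_text, request, status))
    return findings

# Constructed sample lines (documentation addresses for the non-Cloudflare clients).
SAMPLE_LOG = [
    '172.68.10.5 - - [15/Oct/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Oct/2020:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2310',
    '198.51.100.23 - - [15/Oct/2020:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199',
    '2606:4700::1234 - - [15/Oct/2020:10:00:04 +0000] "GET /wp-content/a.css HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("served without Cloudflare:", finding)
```

Any finding means the firewall and page rules on this page can be skipped by connecting to the origin address directly.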

Firewall rule 1 – Content protection

Choose an action – Block

(http.request.uri.query contains "author_name=") or (http.request.uri.query contains "author=" and not http.request.uri.path contains "/wp-admin/export.php") or (http.request.full_uri contains "wp-config.") or (http.request.uri.path contains "/wp-json/") or (http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php") or (http.request.uri.path contains "phpmyadmin") or (http.request.uri.path contains "/phpunit") or (http.request.full_uri contains "<?php") or (http.cookie contains "<?php") or (http.request.full_uri contains "../") or (http.request.full_uri contains "..%2F") or (http.request.full_uri contains "passwd") or (http.request.uri contains "/dfs/") or (http.request.uri contains "/autodiscover/") or (http.request.uri contains "/wpad.") or (http.request.full_uri contains "webconfig.txt") or (http.request.full_uri contains "vuln.") or (http.request.uri.query contains "base64") or (http.request.uri.query contains "<script") or (http.request.uri.query contains "%3Cscript") or (http.cookie contains "<script") or (http.referer contains "<script") or (http.request.uri.query contains "$_GLOBALS[") or (http.request.uri.query contains "$_REQUEST[") or (http.request.uri.query contains "$_POST[")

Firewall rule 2 – WordPress Security

Choose an action – Challenge (Captcha)

((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php"))

Firewall rule 3 – Block bad bots

Choose an action – Block

(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)

Page rule 1 – *domain.com/wp-admin*

The first rule we will set up is for the admin URL wp-admin*.

  • Set the Browser Integrity Check to On.
  • Browser Cache TTL to 30 min – This controls how long resources cached by client browsers remain valid.
  • Always Online to Off – This rule should be set for pages that you never want to cache data for.
  • Security Level to I am under attack – This determines how high a threat a visitor is considered to be and whether the visitor should see a challenge page.
  • Cache Level to Bypass
  • Disable Apps – This turns off all Cloudflare apps.
  • Disable Performance – This turns off other performance-related features from Cloudflare like Auto Minify, Rocket Loader, Mirage and Polish.

Page rule 2 – *domain.com/wp-content*

  • Set the Cache Level to Cache Everything
  • Edge Cache TTL to a day – This will cache all files matching that URL for a day on Cloudflare edge servers.

https://www.youtube.com/watch?v=gjggRY9pbSE

Page rule 3 – *domain.com/wp-login.php*

  • Set the Browser Integrity Check to On.
  • Security Level to I am under attack – This determines how high a threat a visitor is considered to be and whether the visitor should see a challenge page.

Tools for testing CDN
