Using Cloudflare with WordPress
Using Cloudflare with WordPress is very easy. First, register on cloudflare.com, then install the plugin called Cloudflare on your WordPress website.
https://www.youtube.com/watch?v=7hY3gp_-9EU
https://www.youtube.com/watch?v=uqlo3lCqiy0
After successful registration on Cloudflare, you can start setting up the firewall rules and page rules below.
https://www.youtube.com/watch?v=hT2wFNDg9mk
Add Cloudflare's IP ranges to the .htaccess file (these are the addresses from which Cloudflare's proxy connects to your origin):
- Allow from 173.245.48.0/20
- Allow from 103.21.244.0/22
- Allow from 103.22.200.0/22
- Allow from 103.31.4.0/22
- Allow from 141.101.64.0/18
- Allow from 108.162.192.0/18
- Allow from 190.93.240.0/20
- Allow from 188.114.96.0/20
- Allow from 197.234.240.0/22
- Allow from 198.41.128.0/17
- Allow from 162.158.0.0/15
- Allow from 104.16.0.0/12
- Allow from 172.64.0.0/13
- Allow from 2400:cb00::/32
- Allow from 2405:8100::/32
- Allow from 2405:b500::/32
- Allow from 2606:4700::/32
- Allow from 2803:f800::/32
- Allow from 2c0f:f248::/32
- Allow from 2a06:98c0::/29
Firewall rule 1 – Content protection
Choose an action – Block
(http.request.uri.query contains "author_name=") or (http.request.uri.query contains "author=" and not http.request.uri.path contains "/wp-admin/export.php") or (http.request.full_uri contains "wp-config.") or (http.request.uri.path contains "/wp-json/") or (http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php") or (http.request.uri.path contains "phpmyadmin") or (http.request.uri.path contains "/phpunit") or (http.request.full_uri contains "<?php") or (http.cookie contains "<?php") or (http.request.full_uri contains "../") or (http.request.full_uri contains "..%2F") or (http.request.full_uri contains "passwd") or (http.request.uri contains "/dfs/") or (http.request.uri contains "/autodiscover/") or (http.request.uri contains "/wpad.") or (http.request.full_uri contains "webconfig.txt") or (http.request.full_uri contains "vuln.") or (http.request.uri.query contains "base64") or (http.request.uri.query contains "<script") or (http.request.uri.query contains "%3Cscript") or (http.cookie contains "<script") or (http.referer contains "<script") or (http.request.uri.query contains "$_GLOBALS[") or (http.request.uri.query contains "$_REQUEST[") or (http.request.uri.query contains "$_POST[")
Firewall rule 2 – WordPress Security
Choose an action – Challenge (Captcha)
((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php"))
Firewall rule 3 – Block bad bots
Choose an action – Block
(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)
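As an added illustration (not part of the original page and not Cloudflare's own code), the following Python models firewall rules 2 and 3 above and runs them over constructed sample requests. The Request fields mirror the rule-language names (http.request.uri.path, http.user_agent, cf.client.bot), `contains` is modelled as case-sensitive as in Cloudflare's rule language, and the sample paths and user agents are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Request:
    path: str                   # http.request.uri.path
    user_agent: str = ""        # http.user_agent
    verified_bot: bool = False  # cf.client.bot (Cloudflare-verified good bot)

# Paths that rule 2 carves out of the /wp-admin/ challenge
ADMIN_EXEMPT = ("/wp-admin/admin-ajax.php", "/wp-admin/theme-editor.php")

def wp_security_action(req: Request) -> str:
    """Firewall rule 2: Challenge (Captcha) for xmlrpc, login and wp-admin."""
    p = req.path
    if "/xmlrpc.php" in p or "/wp-login.php" in p:
        return "challenge"
    if "/wp-admin/" in p and not any(e in p for e in ADMIN_EXEMPT):
        return "challenge"
    return "allow"

# Fragments rule 3 blocks even for verified bots. Cloudflare's `contains` is
# case-sensitive, hence the page's separate "bot"/"Bot" and "crawl"/"Crawl" terms.
BLOCKED_UA = ("Yandex", "muckrack", "Qwantify", "Sogou", "BUbiNG", "knowledge",
              "CFNetwork", "Scrapy", "SemrushBot", "AhrefsBot", "Baiduspider",
              "python-requests")

def bad_bot_action(req: Request) -> str:
    """Firewall rule 3: Block bad bots."""
    ua = req.user_agent
    if any(s in ua for s in BLOCKED_UA):
        return "block"
    if req.verified_bot:
        return "allow"  # every remaining branch carries 'and not cf.client.bot'
    if any(s in ua for s in ("crawl", "Crawl", "Spider", "spider")):
        return "block"
    if "bot" in ua and not any(k in ua for k in ("bingbot", "Google", "Twitter")):
        return "block"
    if "Bot" in ua and "Google" not in ua:
        return "block"
    return "allow"

# Constructed sample traffic (not real logs); the second Googlebot is unverified
SAMPLES = [
    Request("/wp-admin/admin-ajax.php", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
    Request("/wp-admin/edit.php", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
    Request("/xmlrpc.php", "python-requests/2.31"),
    Request("/", "Mozilla/5.0 (compatible; Googlebot/2.1)", verified_bot=True),
    Request("/", "Mozilla/5.0 (compatible; Googlebot/2.1)"),  # spoofed UA
    Request("/", "Mozilla/5.0 (compatible; ExampleBot/1.0)"),
]
```

The unverified Googlebot sample is allowed because the rule's Google exemption matches a string the client chooses; cf.client.bot is the only condition in these rules that a self-declared user agent cannot satisfy.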
Page rule 1 – *domain.com/wp-admin*
The first rule we will set up is for the admin URL wp-admin*.
- Set the Browser Integrity Check to On.
- Browser Cache TTL to 30 min – This controls how long resources cached by client browsers remain valid.
- Always Online to Off – This should be set for pages whose data you never want cached.
- Security Level to I am under attack – This determines how much of a threat the visitor poses and whether the visitor should see a challenge page.
- Cache Level to Bypass
- Disable Apps – This turns off all Cloudflare apps.
- Disable Performance – This turns off other performance-related features from Cloudflare like Auto Minify, Rocket Loader, Mirage and Polish.
Page rule 2 – *domain.com/wp-content*
- Set the Cache Level to Cache Everything
- Edge Cache TTL to a day – This keeps all files matching that URL cached for a day on Cloudflare's edge servers.
https://www.youtube.com/watch?v=gjggRY9pbSE
Page rule 3 – *domain.com/wp-login.php*
- Set the Browser Integrity Check to On.
- Security Level to I am under attack – This determines how much of a threat the visitor poses and whether the visitor should see a challenge page.
Tools for testing CDN
- Checking ping – https://tools.keycdn.com/performance
- Checking Cache Status – https://cf-cache-status.net/
- Speed test – https://www.uptrends.com/tools/cdn-performance-check