Cloudflare Firewall Rules For WordPress Site Speed & Security

We’re massive fans of Cloudflare and deploy it as part of our speed optimization services.

Cloudflare has an amazing range of features and options, and a lot of them go unused or under-leveraged. In this post we’ll share three Cloudflare rules that will improve the security of your WordPress site and, at the same time, reduce the load on your site and help speed it up.

These are really easy to set up and, if you’re moderately tech savvy, will take you maybe 10-15 minutes.

These rules and settings will not only improve your site security, they’ll reduce load on your site, improve your site speed and may also give your site an SEO boost.

Cloudflare Firewall Rules for WordPress

How to add Cloudflare Firewall rules

Firewall rules are added under the Firewall menu->Firewall Rules tab in Cloudflare. The free plan gives you up to 5 rules, so these can be added at no cost.

Once you add a rule it takes effect almost immediately.

(Image: Add rules under Firewall->Firewall Rules)

1. Block access to XMLRPC.php

xmlrpc.php is the older WordPress XML-RPC API endpoint. It is very rarely needed today, but it is a vector for many attacks.

Hammering this file with requests can very quickly chew up a lot of CPU cycles, and on a shared host, or a host with little CPU or other resources available, the site may start throwing 502 and 504 errors.

(Image: Blocking the XMLRPC interface in Cloudflare can significantly reduce CPU load, particularly on slower hosts or shared hosting)

2. Block SEO Bots & Crawlers

With this rule we block traffic from the Ahrefs, Semrush and Open Site Explorer (the Moz SEO bot) crawlers.

These are extremely aggressive crawlers, and particularly on WooCommerce they’ll rapidly add and remove things from the cart multiple times per second, again chewing up a lot of CPU resources.

In addition, allowing them to crawl the site divulges SEO information that competitors using these SEO tools may find useful.

(Image: SEO crawlers can be super aggressive and also divulge information about your site you probably don’t want to share with competitors. This blocks the three most aggressive bots we see.)

3. Block Brute Force Attacks On The WordPress Logon Page

The typical WordPress site we see can get anywhere from 1000-10000 brute force logon attempts a day.

Adding a rule that shows a captcha challenge to visitors hitting this page, OR to visitors hitting this page from outside the home country of the site, can dramatically reduce brute force password attempts and take a lot of load off the hosting.

Copy and paste the expression in the box below into the “edit expression” field in the rule setup, which will create this rule for you:

(http.request.uri contains "wp-login.php" and not ip.src.country in {"US"})
(Image: The WordPress logon page attracts a huge number of brute force password attempts; showing a captcha message before visitors can see this page will filter 99.99% of brute force attempts)

4. Filter Traffic Outside Your Target Country

This is a fantastic rule for sites in highly competitive industries where things like negative SEO or hacking attempts are common.

This rule runs traffic from outside your target country through a Cloudflare Managed Challenge, which filters out non-genuine traffic. We’ve used this rule, or variations of it, on hundreds of sites to protect against all sorts of attacks, including things like click fraud.

Note that the “well-known” clause is in place so as not to break the SSL certificate generation/renewal process, and the “uptime” user agent clause stops uptime monitoring tools from being blocked.

This rule WILL block legitimate third-party apps and APIs if you’re using them, so you’ll need to add additional user agents as needed for whatever tools you’re using with your site.

You can also filter by continent; for example, if your site is targeting the EU you can filter traffic from outside Europe.

You can copy and paste the expression below into the “edit expression” box and it’ll create this rule for you:

(not ip.src.country in {"US" "CA"} and not cf.client.bot and not http.request.uri.path contains "well-known" and not http.user_agent contains "uptime")
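To see how rules 1 to 4 above interact, here is an added example (not the post's or Cloudflare's code) that re-implements each rule as a Python predicate and runs them, in order, over constructed sample traffic. The home market is assumed to be US/CA as in the rule 4 expression, and the SEO bot user agent markers (including rogerbot for the Moz crawler) are assumptions.

```python
# Added example, not Cloudflare's engine: the post's four rules as Python predicates.
from dataclasses import dataclass
from typing import Optional

TARGET_COUNTRIES = {"US", "CA"}  # assumed home market, as in the rule 4 expression
SEO_BOT_MARKERS = ("ahrefsbot", "semrushbot", "rogerbot")  # assumed UA markers; rogerbot = Moz

@dataclass
class Request:
    path: str                   # http.request.uri.path
    user_agent: str             # http.user_agent
    country: str                # ip.src.country
    verified_bot: bool = False  # cf.client.bot

def rule_xmlrpc(r: Request) -> bool:
    """Rule 1: block xmlrpc.php outright."""
    return r.path.lower().endswith("/xmlrpc.php")
def rule_seo_bots(r: Request) -> bool:
    """Rule 2: block the SEO crawlers named in the post by user agent."""
    return any(m in r.user_agent.lower() for m in SEO_BOT_MARKERS)
def rule_login_challenge(r: Request) -> bool:
    """Rule 3: wp-login.php requested from outside the home country (US here)."""
    return "wp-login.php" in r.path and r.country != "US"
def rule_geo_challenge(r: Request) -> bool:
    """Rule 4 with its carve-outs: verified bots, .well-known (ACME) and uptime monitors."""
    return (r.country not in TARGET_COUNTRIES and not r.verified_bot
            and "well-known" not in r.path and "uptime" not in r.user_agent.lower())

RULES = [("xmlrpc", rule_xmlrpc), ("seo-bot", rule_seo_bots),
         ("login-challenge", rule_login_challenge), ("geo-challenge", rule_geo_challenge)]

def classify(r: Request) -> Optional[str]:
    """First matching rule name (rules are ordered, like Cloudflare's list) or None."""
    return next((name for name, rule in RULES if rule(r)), None)

def evaluate(requests):
    """Count requests caught per rule; 'allowed' means no rule matched."""
    counts = dict.fromkeys([name for name, _ in RULES] + ["allowed"], 0)
    for r in requests:
        counts[classify(r) or "allowed"] += 1
    return counts

# Constructed sample traffic: attack noise, an SEO crawler and the legitimate exceptions.
SAMPLE_REQUESTS = [
    Request("/xmlrpc.php", "Mozilla/5.0", "US"),
    Request("/product/tea", "Mozilla/5.0 (compatible; AhrefsBot/7.0)", "US"),
    Request("/wp-login.php", "Mozilla/5.0", "DE"),
    Request("/wp-login.php", "Mozilla/5.0", "US"),
    Request("/.well-known/acme-challenge/token", "acme-client", "FR"),
    Request("/", "UptimeRobot/2.0", "GB"),
    Request("/", "Mozilla/5.0", "GB", verified_bot=True),
    Request("/", "Mozilla/5.0", "BR"),
]
```

Running `evaluate(SAMPLE_REQUESTS)` shows one hit per rule and four requests passing through, including the ACME, uptime and verified-bot exceptions rule 4 carves out.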

5. Enable HSTS For Better Security, Lower TTFB and (Maybe) Better SEO

HSTS stands for HTTP Strict Transport Security. With HSTS enabled, browsers that have seen the header will only connect to your site over HTTPS, so your site will be more secure and will load faster for repeat visitors via improved TTFB timings (they skip the HTTP-to-HTTPS redirect). In some cases we’ve seen SEO ranking improvements as a result, since it can resolve canonical URL issues.

You can enable HSTS inside Cloudflare’s SSL/TLS settings, BUT note that you MUST have a working SSL certificate before you enable HSTS, otherwise your site may become inaccessible.

Membership sites and WooCommerce sites will benefit the most from enabling HSTS, as they typically deal with sensitive user data and have more repeat visitors, but all types of sites will benefit from enabling it.

The HSTS settings are available under SSL/TLS->Edge Certificates.
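Before relying on the policy, it is worth checking what the edge actually sends. This added example (not the post's or Cloudflare's code) parses a Strict-Transport-Security header value and flags the weak settings, including the "no working HTTPS yet" case the warning above describes; the one-year threshold is the minimum the browser preload list accepts, and the wording of the findings is an assumption.

```python
# Added example, not Cloudflare's code: parse and sanity-check an HSTS header value.
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # minimum max-age the browser preload list accepts

def parse_hsts(header: Optional[str]) -> Dict[str, object]:
    """Parse e.g. 'max-age=31536000; includeSubDomains; preload' into a dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_findings(header: Optional[str], https_works: bool) -> List[str]:
    """Return problems found; an empty list means the policy looks sound."""
    findings = []
    if not https_works:  # the post's warning: HSTS without working TLS locks visitors out
        findings.append("site not reachable over HTTPS: do not enable HSTS yet")
    p = parse_hsts(header)
    if p["max_age"] is None:
        findings.append("no valid max-age: browsers ignore the header")
    elif p["max_age"] == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif p["max_age"] < ONE_YEAR:
        findings.append("max-age below one year: short protection window, not preload-eligible")
    if p["preload"] and not p["include_subdomains"]:
        findings.append("preload without includeSubDomains: preload list will reject it")
    return findings
```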
