3 Cloudflare Rules to Improve WordPress Site Speed & Security

3 Cloudflare Rules to Improve WordPress Site Speed & Security 3

We’re massive fans of Cloudflare and deploy it as part of our speed optimization services.

Cloudflare has an amazing range of features and options and a lot of the features go unused or under leveraged. In this post we’ll share three Cloudflare that will both help improve the security or your WordPress site and at the same time also reduce the load on your site and help speed it up.

These are really easy to setup and if you’re moderately tech savvy will take you maybe 10-15 minutes. Click the images to enlarge.

How to add Cloudflare Firewall rules

Firewall rules can be added under the Firewall menu->Firewall Rules tab in Cloudflare. The free plan gives you up to 5 rules so these can be added at no cost.

Once you add a rule it takes effect almost immediately.

How to add Cloudflare Firewall rules
Add rules under Firewall->Firewall Rules (click to enlarge)

1. Block access to XMLRPC.php

This is an older WordPress API interface that is very rarely used but is a vector for many attacks.

Hammering this file with requests can very quickly chew up a lot of CPU cycles and on a shared host or host with low CPU or resources available it may start throwing 502 and 504 errors.

Block XMLRPC using Cloudflare
Blocking the XMLRPC interface in Cloudflare can significantly reduce CPU load particularly on slower hosts or shared hosting (click to enlarge)

2. Block SEO Bots & Crawlers

With this rule we block traffic from Ahrefs, Semrush and Opensite explorer (SEO Moz bot) SEO bots.

These are extremely aggressive crawlers and particularly on Woocommerce they’ll rapidly add and remove things from the cart multiple times per second again chewing a lot of CPU resources.

In addition, allowing them to crawl the site will also divulge some SEO information that competitors using these SEO tools may find useful.

Block SEO bots and crawlers using Cloudflare
SEO crawlers can be super aggressive and also divulge information about your site you probably don’t want to share with competitors. This blocks the three most aggressive bots we see. (click to enlarge)

3. Show a captcha message on the WordPress logon page

The typical WordPress site we see can get anywhere from 1000-10000 brute force logon attempts a day.

Adding a rule to show a captcha message to visitors hitting this page OR visitors hitting this page outside the home country of the site can dramatically reduce brute force password attempts and reduce a lot of load on the hosting.

3 Cloudflare Rules to Improve WordPress Site Speed & Security 4
The WordPress logon page attracts a huge number of brute force password attempts, showing a captcha message before visitors can see this page will filter 99.99% of brute force attempts (click to enlarge)

Related Posts & Resources

SiteSpeedBot Website Speed Test Tool

The Best WordPress Hosting for Speed

The Fastest Woocommerce Themes