For more than ten years, the Cloudflare team has provided security services to website creators worldwide and is currently helping thousands of businesses maintain and secure their online resources.
Since its creation, Cloudflare has released many strong firewall utilities, such as IP rules, CIDR rules, ASN rules, country rules, and HTTP user-agent blocking, to name a few, and Cloudflare Firewall Rules are a recent addition to these. These rules combine how firewall utilities are used, and provide users with more flexibility and control over how their firewall works.
In this article, you’ll learn everything you need to know about firewalls, how to start implementing and editing Cloudflare Firewall Rules on your website, and why security is so important.
What Are Cloudflare Firewall Rules?
Cloudflare Firewall Rules are a flexible and intuitive framework website owners can use to filter HTTP requests – giving you complete control of which requests are able to reach your application.
Firewall rules integrate well with existing Cloudflare tools, as they allow you to combine multiple techniques into a cohesive set of rules. For example, you can create one rule to block traffic from users matching a particular pattern, instead of having to use three or four different rules in as many places to accomplish the same result.
They also give you the advantage of continuously checking the site traffic and responding accordingly to threats. You can define expressions that inform Cloudflare of what or what not to look at and what kind of action should be taken when those particular requirements are satisfied.
Why Are Firewalls Necessary for Your Website?
Cloudflare is mainly used to decrease web page load speed and protect your site from online threats. It also fights against spammers, malware injections, and DDoS attacks.
Around 70% of WordPress installations are prone to hackers, making it more necessary to use Firewalls from Cloudflare to protect your site from unwanted threats. Some of the reasons why firewalls are required for your website are:
- Cloudflare utilizes three different types of minification, JavaScript, CSS, and HTML, to reduce file size and increase load speeds by removing unwanted white spaces, newline delimiters, and unnecessary characters.
- With the introduction of HTTP/3, Cloudflare supports multiple page elements parallelly over a single TCP connection along with push technology and header compression.
- Cloudflare WAF protects your site from many vulnerabilities that popular CMS tools (WordPress, Joomla, etc.) are prone to. Cloudflare WAF has more than 145 rules to protect your site from all types of web application attacks.
- Cloudflare has a rate-limiting function that helps mitigate DOS attacks, brute force login attempts, and other malicious intent against the application layer. The rate-limiting function allows you to configure thresholds, define responses, and gain insights on websites.
As you can see, Cloudflare not only improves SEO by speeding up your website, it provides a whole host of advanced security features to protect your site from attacks.
Cloudflare Firewall Rules – Matching & Actions
Cloudflare Firewall Rules are made up of two main functionalities: Matching, which lets you define a filter to precisely match your traffic, and Actions, through which you determine the action Cloudflare will take after you set the matching filter.
Matching
Matching lets you filter out any incoming traffic to your website. For example, if you wanted to restrict certain countries, redirect visitors to a location-specific page, or filter out particular IP addresses, then you would use matching rules to do this.
Among the most important features Cloudflare is introducing is the known bots (cf.client.bot) field. It provides you with a Cloudflare-approved list of good bots obtained through reverse DNS lookups. You will find a comprehensive list of bots approved by sites such as Google, Yahoo, Bing, Linkedin, Apple, and more.
Note: Since the “allow listing” function has been removed, it’s recommended that you include cf.client.bot in an Allowed rule. This would prevent Cloudflare Firewall Rules from unintentionally blocking good crawlers.
What’s more, Cloudflare Firewall Rules also come with an algorithm that gives a threat score to IPs by measuring their online reputation. The threat score ranges from 0 to 100 and is divided into the following categories:
- High – for scores from 0 to 13;
- Medium – for scores from 14 to 23;
- Low – for scores from 24 to 48;
- Essentially Off – for scores greater than 49.
However, setting up matching rules alone won’t achieve much. This is where Actions come in.
Actions
With matching filters set up, you can instruct Cloudflare Firewall Rules to apply the standard Cloudflare actions (Block, JavaScript Challenge, and Challenge) as well as the new Allow action.
- Block: used for blocking traffic from getting access to your web application.
- JavaScript Challenge: used to block traffic from visitors who don’t have JavaScript support, which is usually bots.
- Challenge (Captcha): used to set up a Captcha challenge to block potential bots.
- Allow: used for allowing visitors access to your web application.
Three Examples of Cloudflare Firewall Rules In Action
In this section, you’ll find three ways to set up Cloudflare Firewall Rules by using the dashboard and why they might be helpful.
We’ll be covering:
- How to block particular countries from visiting your site
- How to make your WordPress site more secure with captcha
- How to prevent bad bot traffic from coming to your site
Note: Another way to set up these rules is by using API and Terraform.
To begin, log into your Cloudflare dashboard. From there, choose the domain name for which you want to set up Cloudflare Firewall Rules.
Next, click on Firewall from the top sections and then on Firewall Rules.
This section lets you set up a new firewall rule, browse and filter existing rules, activate, deactivate, modify, and delete rules. To try out the below examples, click on Create a Firewall rule.
Example 1 – Block All Countries Except the USA
To block all countries except a single one (in our example, it will be the United States of America), follow the steps below:
- First, give your rule a name.
- From the Field drop-down, choose Country.
- Next, from the Operator drop-down, choose does not equal.
- In the Value drop-down, choose the United States.
- Finally, choose an action drop-down, select Block, and then click on the blue Deploy button in the lower right-hand corner.
Conversely, if you would like to block a single country, pick equals from the Operator drop-down and then follow the procedure as mentioned above.
Expression Editor:
(ip.geoip.country ne “US”)
Example 2 – WordPress Security
WordPress security is an important thing that site owners don’t think much about. Every day, Google blacklists about 10,000+ websites for malware and around 50,000+ websites every week for phishing. It’s essential to keep your WordPress site secure from malware and threats and avoid getting your site blocked.
Why Is WordPress Security Important?
Whether your website is big or small, hackers don’t care about it. One way or the other, they can find different ways to use the information against you. They typically look for your personal and financial information and then try to cause damage to you and your company with the collected info.
Mark Ronso, Marketing Manager at Top Writers Review, said, “a business’s reputation can be seriously damaged due to a hacked website. Hackers commonly install malicious software or viruses to extract the data in the background, which can result in a loss of trust in your business and customers turning to a competitor.”
Hence, to keep your business safe and secure, you’ll need to protect your site through WordPress plugins or a Cloudflare firewall. So, which one is the best, and what’s the difference between the two?
WordPress Plugins vs. Cloudflare Firewall – Which Is Better?
A lot of people choose to install free plugins to handle the security of their site, instead of having to use a third-party tool like Cloudflare – usually, because it’s too complicated or to save money. In reality, Cloudflare doesn’t take long to install and provides you with much more functionality than any other WordPress plugin.
Here are the key differences you should know about:
Cloudflare firewall:
- Cloudflare firewall seamlessly integrates with CDNs like WordPress
- Cloudflare’s Automatic Platform Optimization (APO) caches your site and optimizes the assets, increasing your site’s speed.
- Cloudflare firewall offers a free SSL certificate and DNS service, along with powerful DDoS protection.
- Increases the speed and performance of your site by rewriting insecure URLs dynamically to their secure counterparts.
- Free to get started
WordPress Security Plugins:
- Regularly scans your site for malware code and has a real-time firewall feature that protects your site from known and unknown threats.
- Many free plugins don’t offer features like IP blocking, country blocking, and protection from brute-force logins.
- Some WordPress plugins allow you to rename the login gateways to avoid potential attacks.
- You never know what permissions you’re giving up to the plugin developer.
All things considered, most WordPress plugins don’t increase your site’s speed or offer as many advanced features that Cloudflare firewall provides. Cloudflare firewall is recommended over free security plugins to protect your website from any attacks.
How to Secure Your WordPress Site With Cloudflare Firewall
Repeat the process mentioned above of creating a new firewall rule and naming it, but this time, click on the Edit expression.
By doing so, you are directly accessing the Expression Editor. In the field, paste the following:
((http.request.uri.path contains “/xmlrpc.php”) or (http.request.uri.path contains “/wp-login.php”) or (http.request.uri.path contains “/wp-admin/” and not http.request.uri.path contains “/wp-admin/admin-ajax.php” and not http.request.uri.path contains ” /wp-admin/theme-editor.php”)) and ip.geoip.country ne “US”
After that, pick Challenge (Captcha) from the Choose an action drop-down, and then click Deploy.
Now you will have set up a Captcha challenge for all visitors outside the US who attempt to reach WordPress xmlrpc.php, wp-login.php, and /wp-admin (except admin-ajax.php and theme-editor.php), in order to block potential hackers from accessing your WordPress website.
If your login or admin URLs have been changed, feel free to edit the original expression to match.
Example 3 – Block Bad Bot Traffic
Bad bots are assigned to do a number of fraudulent practices and malicious activities like ad scams, malware attacks, and data theft. Around 40% of internet traffic consists of bad bot traffic, and, during the pandemic, there was a 788% increase in bad bot traffic to retail websites globally between September and October 2020, resulting in a loss of $82 million during peak season.
Blocking out bad traffic helps avoid attackers trying to launch a DDoS attack on your site. Most DDoS attacks slow down your site by directing a large amount of traffic towards your site, overloading the server, and making it go offline.
While the list of user agents to block may vary based on your specific needs, here are some common ones to consider:
- Yandex: A Russian search engine bot.
- muckrack: Associated with media monitoring services.
- Qwantify: A bot from the Qwant search engine.
- Sogou: A Chinese search engine bot.
- BUbiNG: A web crawler.
- CFNetwork: Associated with Apple’s networking framework. While legitimate Apple users utilize CFNetwork, some malicious bots or scrapers may also impersonate it.
- Scrapy: A Python-based web crawling framework.
- SemrushBot: Associated with the Semrush SEO tool.
- AhrefsBot: A bot from the Ahrefs SEO tool.
- Baiduspider: A bot from the Baidu search engine.
- python-requests: A Python library for making HTTP requests.
- Various “crawl” and “spider” user agents: These may include legitimate search engine bots, but it’s essential to filter out excessive or suspicious crawling behavior.
The procedure here is similar to the previous example. The only difference is that you should choose Block from the Choose an action drop-down and paste the following in Expression Editor:
(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)
This rule will block bot traffic with user agents containing the strings “crawl,” “bot,” “spider,” and some other custom user agents.
Remember that blocking user agents should be done thoughtfully. Regularly review your website logs and adjust your blocking rules as needed to strike a balance between security, performance, and user experience.
How To Test That Your Firewall Rules Work
Once you’re all set up, you should check to see if your Cloudflare Firewall Rules work. To do this, you can access the Firewall Event Activity Log by going back to the Overview section of the firewall. There, you can see a list of firewall events and details related to them.
Note, checking your Firewall Rules can take some time to do if you don’t get much traffic. If this is the case, wait a couple of days and monitor Google Analytics to make sure there are no abnormalities before returning to Cloudflare and checking the activity log.
The most important thing to look out for are challenge and block events.
When challenge and block events appear on the list, take your time to go through them and see if any good bots were blocked when they shouldn’t have been, or if any known bad bots made it through. You need to make sure no positive traffic gets denied access to your site because of an error in setting up firewall rules.
Summary – Use Cloudflare Firewall Rules To Your Advantage
RunCloud lets you easily manage your server and web application, and seamlessly integrates with Cloudflare. We hope you’ve found this guide useful in setting up & effectively implementing Cloudflare firewall rules to improve the security and performance of your web application.
Get started with RunCloud today.
What firewall rules are you currently deploying via Cloudflare? Let us know & join the conversation in the comments below! 💬