A selection of the Cloudflare WAF rules we use on BlueSix Managed Hosting to protect our clients’ websites. Anyone can implement these rules on Cloudflare’s free plan.
Update the country block list to what’s appropriate for your client. Don’t block the US, because Google and other services typically come from US-based IPs. Copy the rules below and paste them into the Cloudflare WAF rule “expression builder”.
For all rules, apply the “block” action.
Country blocks
(ip.geoip.country in {"AF" "BD" "BN" "BG" "CF" "CN" "CZ" "PF" "IR" "IQ" "KZ" "KP" "PK" "PA" "PL" "RO" "RU" "SC" "SK" "SI" "LK" "TR" "TM" "UA"})
Login/wp-admin block
(http.request.uri.path contains "/wp-login.php" and ip.geoip.country ne "[YOUR_COUNTRY]") or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php" and ip.geoip.country ne "[YOUR_COUNTRY]")
I use country here, but you can use anything, like your IP address, IP range, AS number, etc.
XML-RPC block and wp-content/wp-includes hotlink block
(http.request.uri.path eq "/xmlrpc.php") or (http.request.uri.path contains "/wp-content/" and not http.referer contains "[YOUR_DOMAIN_NAME]") or (http.request.uri.path contains "/wp-includes/" and not http.referer contains "[YOUR_DOMAIN_NAME]")
Note that if your site is shared on social media platforms like LinkedIn or Facebook, you’ll want to add the following to the wp-content clause, because requests for those preview images won’t carry your site as the referrer:
and not http.request.uri.path contains "/wp-content/uploads/"
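To sanity-check the three rules above (including the wp-content/uploads exemption) against sample requests before pasting them into Cloudflare, here is an added offline re-implementation of their logic in Python. It is example code written for this page, not BlueSix code; the values YOUR_COUNTRY = "AU" and YOUR_DOMAIN_NAME = "example.com", and the sample requests, are constructed assumptions, and xmlrpc.php is matched on the URI path so a query string does not slip past it.

```python
"""Offline checker for the WAF rules on this page (added example, not BlueSix code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

YOUR_COUNTRY = "AU"               # assumption: the client's home country
YOUR_DOMAIN_NAME = "example.com"  # assumption: the client's domain
BLOCKED_COUNTRIES = {"AF", "BD", "BN", "BG", "CF", "CN", "CZ", "PF", "IR", "IQ", "KZ", "KP",
                     "PK", "PA", "PL", "RO", "RU", "SC", "SK", "SI", "LK", "TR", "TM", "UA"}

@dataclass
class Request:
    uri: str            # path plus optional query string, like http.request.uri
    country: str        # two-letter code, like ip.geoip.country
    referer: str = ""   # Referer header; empty string when the header is absent

    @property
    def path(self) -> str:
        """Like http.request.uri.path: the URI with any query string removed."""
        return urlsplit(self.uri).path

def country_block(r: Request) -> bool:
    return r.country in BLOCKED_COUNTRIES

def login_block(r: Request) -> bool:
    foreign = r.country != YOUR_COUNTRY
    return (("/wp-login.php" in r.path and foreign)
            or ("/wp-admin/" in r.path and r.path != "/wp-admin/admin-ajax.php" and foreign))

def xmlrpc_and_assets_block(r: Request) -> bool:
    own_referer = YOUR_DOMAIN_NAME in r.referer
    return (r.path == "/xmlrpc.php"
            or ("/wp-content/" in r.path and not own_referer
                and "/wp-content/uploads/" not in r.path)   # social-media preview exemption
            or ("/wp-includes/" in r.path and not own_referer))

def blocked(r: Request) -> bool:
    """True if any rule fires; each rule carries the block action, so one match is enough."""
    return country_block(r) or login_block(r) or xmlrpc_and_assets_block(r)

if __name__ == "__main__":
    samples = [  # constructed sample requests
        Request("/", "US"),
        Request("/wp-login.php", "DE"),
        Request("/wp-admin/admin-ajax.php", "DE"),
        Request("/xmlrpc.php?rsd", "US"),
        Request("/wp-content/uploads/logo.png", "US", referer="https://www.linkedin.com/"),
        Request("/wp-content/themes/x/style.css", "US", referer="https://example.com/"),
        Request("/wp-content/themes/x/style.css", "US"),
    ]
    for s in samples:
        print(f"{'BLOCK' if blocked(s) else 'allow':5}  {s.country}  {s.uri}  referer={s.referer!r}")
```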