Skip to main content

A selection of Cloudflare WAF rules we use on BlueSix Managed Hosting to protect our client’s website’s.  Anyone can implement these rules using the free plan on Cloudflare.

Update the country block list to what’s appropriate for your client. Don’t block the US, because Google and other services typically come from US-based IPs. Copy the rules below and paste them into the Cloudflare WAF rule “expression builder”

For all rules, apply the “block” action

Country blocks

( in {"AF" "BD" "BN" "CF" "CN" "CZ" "PF" "IR" "IQ" "KZ" "KP" "PK" "PA" "PL" "RO" "RU" "SK" "SI" "LK" "UA" "BG"}) copy text


Login/wp-admin block

(http.request.uri.path contains "/wp-login.php" and ne "[YOUR_COUNTRY]") or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php" and ne "[YOUR_COUNTRY]") copy text

I use country – but you can use anything, like your IP address, IP range, AS Num, etc.


Block XMLRPC access and wp-content/wp-includes access block

(http.request.uri eq "/xmlrpc.php") or (http.request.uri.path contains "/wp-content/" and not http.referer contains "[YOUR_DOMAIN_NAME]") or (http.request.uri.path contains "/wp-includes/" and not http.referer contains "[YOUR_DOMAIN_NAME]") copy text

Note that if your site is shared on social media platforms like LinkedIn or Facebook, you’ll want to include and not http.request.uri.path contains "/wp-content/uploads/" as those images won’t contain a site referrer.

Enough Talk, Let's Build Something Together