Rule 1: Allow Good Bots | Rule 2: Block Potentially Malicious Requests | Rule 3: Block Bad Bots | Rule 4: JS Challenge
In some cases I want to keep bots off a page, but I don’t want to block or unduly inconvenience humans. A JavaScript challenge will display an interstitial page for about five seconds while Cloudflare performs a magical check to verify the visitor is human. Suspected bots will be served a Captcha.
Read more Cloudflare Firewall Rules for WordPress: JS Challenge
Rule 1: Allow Good Bots | Rule 2: Block Potentially Malicious Requests | Rule 3: Block Bad Bots | Rule 4: JS Challenge
Good bots are whitelisted by Rule 1. Some bad bots will be blocked by Rule 2. I’d like Rule 3 to block *all* remaining bots, but that isn’t possible as far as I know. I’ll block as many as I can.
Read more Cloudflare Firewall Rules for WordPress: Block Bad Bots
Rule 1: Allow Good Bots | Rule 2: Block Potentially Malicious Requests | Rule 3: Block Bad Bots | Rule 4: JS Challenge
The order of the next three rules is less important. It makes a difference in terms of logging – if a bot is blocked by rule 2 it won’t be logged by rule 3 – but not in effectiveness. Rule 2 blocks potentially malicious requests, whether they originate from bad bots or humans. This is a long rule set, so I’ll break it down.
I want to block …
Read more Cloudflare Firewall Rules for WordPress: Block Potentially Malicious Requests
I don’t find much information on the interwebs about free-tier Cloudflare firewalls rules optimized specifically for WordPress security. So, I’ve been slowly building and tweaking my own. As of today I have four rules …
Read more Cloudflare Firewall Rules for WordPress: Allow Good Bots
These points have been made before – here and many other places – but bear repeating given the prevalence of WordPress hacks being reported … Read more Don’t get hacked
Border Gateway Protocol (BGP) is the postal service of the Internet … when someone submits data across the Internet, BGP is responsible for looking at all of the available paths that data could travel and picking the best route
BGP is an essential Internet protocol. But it has a weakness. It can occasionally go wonky, either by accident or by malicious actions. For example, routing large amounts of Internet traffic through a Russian-government-owned ISP. Read more Is it safe? Cloudflare’s BGP checker.
security.txt is a draft Internet standard, proposed way back in September 2017. It is a simple text file in my root directory that contains my contact information.
In late January 2020, Jeff Starr of Perishable Press transitioned the 7G Firewall from beta to production, but I just caught wind of it today.
Doing some routine firewall tinkering in Cloudflare, I happened to notice that my IP whitelist – which I have never deliberately added anything to – had grown huge. Apparently it had been growing slowly over the years, I just didn’t notice.
Read more Cloudflare and the Incredible Magical Expanding IP Whitelist
Along with DNSSEC, HTTP Strict Transport Security (HSTS) is an important but under-implemented web security protocol. Unlike DNSSEC though, HSTS seems to finally be on its way, slowly but steadily, toward widespread implementation. HSTS is currently used by about 12.5% of all websites, and is supported by newer versions of major web browsers. Read more HSTS
One of the many great reasons to use Cloudflare is its easy-breezy, user-friendly support for DNSSEC, even on the free tier. Read more DNSSEC – why is it so rarely used?
Cloudflare offers a field called cf.client.bot that I can use to avoid having my firewall rules inadvertently block search engines and other good bots. But what does Cloudflare consider a “good bot”, and does their definition match mine? Kinda hard to say. Cloudflare does not make an up-to-date list of good bots available to the public. But, I can set a firewall rule to Allow cf.client.bot, then monitor the firewall event log over time to see which bots are being allowed. I’m unlikely to catch all the good bots, but I will get a pretty good idea. Read more Good bots
What bots should I welcome onto my site, and which should I block? Ideally, I’d like to allow only good bots, and block all others. This turns out to be impractical to achieve, but I’ll do the best I can.
Read more Battling the BotsA hacker outfit calling itself WP-VCD has become a prevalent source of malware infections by exploiting a basic human weakness – our love of free stuff.
