I don’t find much information on the interwebs about free-tier Cloudflare firewalls rules optimized specifically for WordPress security. So, I’ve been slowly building and tweaking my own. As of today I have four rules …
Rule 1: Allow Good Bots | Rule 2: Block Potentially Malicious Requests | Rule 3: Block Bad Bots | Rule 4: JS Challenge
The first uses the Allow action to whitelist good bots and access to robots.txt and ads.txt. This rule is triggered every time a good bot visits, which is a *lot* – thousands of times a day on a moderately busy site.
This has to be the first rule as anything ‘allowed’ here will be exempted from my subsequent rules. So, my later rules can be aggressive in blocking bad bots without accidentally blocking Google or some other good bot.
I prefer to block a few research bots that CF includes in its ‘good bot’ list. Most obey robots.txt so I can block them there, but Proximic, Grapeshot, and oBot (from filterdb.iss.net) are nefarious exceptions. I have to leave them out of the Allow action and explicitly block them later.
```
(http.request.uri.path contains "/robots.txt") or
(http.request.uri.path contains "/ads.txt") or
(cf.client.bot and not
http.user_agent contains "Proximic" and not
http.user_agent contains "proximic" and not
http.user_agent contains "Grapeshot" and not
http.user_agent contains "grapeshot" and not
http.user_agent contains "filterdb.iss.net")
```
Then: Allow
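To check the allow / fall-through decision of Rule 1 offline, here is an added Python mirror of its logic (not Cloudflare's code or the author's own). The `Request` fields stand in for `http.request.uri.path`, `http.user_agent` and `cf.client.bot`, and the sample traffic is constructed for illustration.

```python
"""Offline mirror of Rule 1: Allow good bots plus robots.txt / ads.txt.

Constructed example, not Cloudflare code. The request fields are
hypothetical stand-ins for http.request.uri.path, http.user_agent and
cf.client.bot (Cloudflare's verified-bot flag).
"""
from dataclasses import dataclass

# Substrings the rule excludes from the Allow. Cloudflare's `contains`
# is case-sensitive, which is why the rule lists both casings.
EXCLUDED_BOT_UA_SUBSTRINGS = (
    "Proximic", "proximic", "Grapeshot", "grapeshot", "filterdb.iss.net",
)
ALWAYS_ALLOWED_PATHS = ("/robots.txt", "/ads.txt")


@dataclass(frozen=True)
class Request:
    path: str           # http.request.uri.path
    user_agent: str     # http.user_agent
    verified_bot: bool  # cf.client.bot


def rule1_allows(req: Request) -> bool:
    """True when Rule 1 fires (Allow), so Rules 2-4 are never evaluated."""
    if any(p in req.path for p in ALWAYS_ALLOWED_PATHS):
        return True
    if not req.verified_bot:
        return False
    # "cf.client.bot and not UA contains X and not UA contains Y ..."
    return not any(s in req.user_agent for s in EXCLUDED_BOT_UA_SUBSTRINGS)


def evaluate(requests):
    """Map each request to 'allow' (Rule 1 fired) or 'continue' (falls through)."""
    return {r: ("allow" if rule1_allows(r) else "continue") for r in requests}


# Constructed sample traffic (not real logs).
SAMPLE = [
    Request("/robots.txt", "curl/8.0", False),
    Request("/wp-login.php", "Mozilla/5.0 (compatible; Googlebot/2.1)", True),
    Request("/", "Mozilla/5.0 (compatible; proximic)", True),
    Request("/", "Mozilla/5.0 (compatible; GrapeshotCrawler/2.0)", True),
    Request("/", "oBot/2.3.1 (+http://filterdb.iss.net/crawler/)", True),
    Request("/", "PROXIMIC", True),  # unlisted casing: exclusion does not match
    Request("/xmlrpc.php", "python-requests/2.31", False),
]

if __name__ == "__main__":
    for req, decision in evaluate(SAMPLE).items():
        print(f"{decision:8} {req.path:15} {req.user_agent}")
```

The `PROXIMIC` row shows the one gap in this approach: a casing that is not spelled out still gets the Allow. Cloudflare's `lower()` transformation (`lower(http.user_agent) contains "proximic"`) covers every casing in a single clause.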

