Crazy long, but free – CloudFlare firewall rule

On CloudFlare’s free tier I am allowed five firewall rules. This is very generous of CloudFlare, considering the free part. But it turns out to be much more generous than it first appears.

crazy long but free

Each rule can include numerous sub-rules with, as far as I can tell, no limitation (see update). So, I can cram in as many sub-rules as I want, provided that that final action is the same. And, there are only four available final actions – Block, Captcha, JS Challenge, or Allow. With only four final actions, five firewall rules gives me one more rule than I could ever possibly need. But my rules can get crazy long as I cram in more and more sub-rules.

Say I want to block access to …

1. Malicious login attempts
(http.request.uri.path contains "/wp-login.php") or

and 2. DOS and other mischief
(http.request.uri.path contains "/xmlrpc.php") or

and 3. User enumeration
(http.request.full_uri contains "?author") or

and 4. WordPress installation files
(http.request.uri.path contains "/install.php") or
(http.request.uri.path contains "/setup-config.php") or

and 5. The keys to the castle
(http.request.uri.path contains "/wp-config.php") or

and 6. htaccess
(http.request.uri.path contains "/.htaccess") or

and 7. Benign files, but none of your business
(http.request.uri.path contains "/readme.html") or
(http.request.uri.path contains "/license.txt") or
(http.request.uri.path contains "/readme.txt") or

and 8. Duplicator site migration files
(http.request.uri.path contains "/installer.php") or
http.request.uri.path contains "/installer-log.txt") or
(http.request.uri.path contains "/installer-data.sql") or
(http.request.uri.path contains "/database.sql") or

and 9. Direct access to cPanel and WHM
(http.request.uri.path contains "/cpanel") or
(http.request.uri.path contains "/whm") or
(http.request.full_uri contains ":2082") or
(http.request.full_uri contains ":2083") or
(http.request.full_uri contains ":2086") or
(http.request.full_uri contains ":2087") or

and 10. /wp-content/uploads/*.php (potential hacker uploads)
(http.request.uri.path contains "/wp-content" and
http.request.uri.path contains "/uploads" and
http.request.uri.path contains ".php") or

and 11. Malicious request methods
(http.request.method in {"CONNECT" "DEBUG" "DELETE" "MOVE" "PUT" "TRACE" "TRACK"}) or

and 12. /wp-admin (as much as practical)
(ip.geoip.country ne "US" and
http.request.uri.path contains "/wp-admin" and not
http.request.uri.path contains "/admin-ajax.php") or

and 13. Common DOS targets according to the Protection Against DDoS plugin (seems dubious but what the heck)
(http.request.uri.path contains "/autodiscover.xml") or
(http.request.uri.path contains "/wpad.dat") or

and 14. Certain bad bots
(http.user_agent contains "DotBot" and not http.request.uri.path contains "robots.txt") or
(http.user_agent contains "BUbiNG" and not http.request.uri.path contains "robots.txt") or
(http.user_agent contains "Genieo" and not http.request.uri.path contains "robots.txt") or
(http.user_agent contains "PaperLiBot" and not http.request.uri.path contains "robots.txt") or

and 15. Blank user agent
(http.user_agent eq "")

The entire crazy long, but free and useful CloudFlare firewall rule looks something like this …

(http.request.uri.path contains "/wp-login.php") or
(http.request.uri.path contains "/xmlrpc.php") or
(http.request.full_uri contains "?author") or
(http.request.uri.path contains "/install.php") or
(http.request.uri.path contains "/setup-config.php") or
(http.request.uri.path contains "/wp-config.php") or
(http.request.uri.path contains "/.htaccess") or
(http.request.uri.path contains "/readme.html") or
(http.request.uri.path contains "/license.txt") or
(http.request.uri.path contains "/readme.txt") or
(http.request.uri.path contains "/installer.php") or
http.request.uri.path contains "/installer-log.txt") or
(http.request.uri.path contains "/installer-data.sql") or
(http.request.uri.path contains "/database.sql") or
(http.request.uri.path contains "/cpanel") or
(http.request.uri.path contains "/whm") or
(http.request.full_uri contains ":2082") or
(http.request.full_uri contains ":2083") or
(http.request.full_uri contains ":2086") or
(http.request.full_uri contains ":2087") or
(http.request.uri.path contains "/wp-content" and
http.request.uri.path contains "/uploads" and
http.request.uri.path contains ".php") or
(http.request.method in {"CONNECT" "DEBUG" "DELETE" "MOVE" "PUT" "TRACE" "TRACK"}) or
(ip.geoip.country ne "US" and http.request.uri.path contains "/wp-admin" and not http.request.uri.path contains "/admin-ajax.php") or
(http.request.uri.path contains "/autodiscover.xml") or
(http.request.uri.path contains "/wpad.dat") or
(http.user_agent contains "DotBot" and not http.request.uri.path contains "robots.txt") or
(http.user_agent contains "BUbiNG" and not http.request.uri.path contains "robots.txt") or
(http.user_agent contains "Genieo" and not http.request.uri.path contains "robots.txt") or
(http.user_agent contains "PaperLiBot" and not http.request.uri.path contains "robots.txt") or
(http.user_agent eq "")

Then Block

About 30 sub-rules so far. I’m sure it will continue to grow. I also use a JavaScript Challenge rule, and I still have three firewall rules left over.

Almost all of this I could – and do – also block in htaccess. But using CF moves the processing load – which could be considerable in case of a large attack – off of my server, and keeps these threats from every getting to my server or site. htaccess just serves as a backup.

Update: It turns out there is a limit. I tried posting a super-long bad bots rule set, CloudFlare politely let me know that the expression may not exceed 4 kb. Good to know. For reference, the crazy long rule set above is just under 2 kb.

WPPOV supports freedom from Net Neutrality and the GDPR. The Internet of the people, by the people, for the people, shall not perish from the Earth.