In addition to my crazy long Cloudflare firewall “block” rule, I use a JavaScript challenge rule for pages that I want to restrict to human users, keeping out bots.
According to Cloudflare: “During a JavaScript challenge you will be shown an interstitial page for about five seconds while Cloudflare performs a series of mathematical challenges to make sure it is a legitimate human visitor.”
I have no use for bots on pages where they might cause mischief, such as my contact form page or my hidden login page. I don’t use /login but I don’t want bots hammering it. I also don’t want bots on my search page – unless it is a Cloudflare-listed ‘good bot’ or a google partner looking to serve an ad for me. On the other hand, I don’t want to inconvenience my users with a five-second interstitial page before they are allowed to search.
So, my JavaScript challenge rule:
(http.request.uri.path contains "/contact-kenny") or
(http.request.uri.path contains "/my-obfuscated-login-page") or
(http.request.uri.path contains "/login") or
(http.request.full_uri contains "/?s=" and not
http.referer contains "wppov.com"and not
http.user_agent contains "Mediapartners-Google" and not
cf.client.bot)
Then JS Challenge
