Allowing only CloudFlare traffic

In other posts I give my point of view on the security advantages of using CloudFlare. But what’s to stop a bad guy, gal, or bot from accessing my site directly by IP address? I can try to keep my IP address secret, but a determined hacker will find it without too much trouble. He or she or his/her robot minions could then avoid CloudFlare security by attacking my site directly – unless I take explicit measures to allow only CloudFlare traffic.

CloudFlare advises using directives in my htaccess file to allow traffic only from CloudFlare IPs. Problem is – that doesn’t work for me. My server is configured to see each visitor’s origin IP, not the CF IP, so that my visitor analytics make sense. I googled my fingers blue and could not find a solution.

In desperation – because I am a stereotypical guy who hates asking for directions – I asked for directions. A kind and knowledgeable person using the moniker sdayman came immediately to my rescue. It turns out he is a very prolific good Samaritan in the CloudFlare community.

Sdayman’s solution is elegant – three lines of code – and in my experience it works great:

RewriteEngine On
RewriteCond %{HTTP:CF-IPCountry} ^$
RewriteRule ^ - [F,L]

It checks to see if the CloudFlare IP Country header is present. If not, it serves a 403 error. Traffic bypassing CloudFlare will not have the header.

One small gotcha – I have to make sure I turn on the CloudFlare IP Geolocation feature. Easy-breezy. It’s on the Network screen.


htaccess tricks

Along with the excellent 6G firewall from Jeff Starr at Perishable Press, certain htaccess tricks improve WP security. Examples …

  • Block directory browsing:
    Options -Indexes
  • Restrict access to wp-config.php:
    <Files wp-config.php>
    Order allow,deny
    Deny from all
    </Files>
  • Restrict access to .htaccess:
    <Files .htaccess>
    Order allow,deny
    Deny from all
    </Files>
  • Restrict access to install.php:
    <Files install.php>
    Order allow,deny
    Deny from all
    </Files>

Perishable Press offers many more stupid htaccess tricks.

6G Firewall

There are a number of comprehensive security solutions available for WP, notably including the very popular Wordfence Security plugin. I have a Wordfence quibble, which I whine about in another post, but to the best of my knowledge, Wordfence is an excellent choice for most WP users. My preference though is for light, fast, specific solutions as opposed to a single, relatively heavy, Swiss-army-knife style tool.

One such light, fast, specific solution is the 6G Firewall from Perishable Press. The 6G Firewall runs in htaccess, at the server level, for optimum speed and minimum resource use. It blocks threats before they even reach my WordPress installation. Jeff Starr, the developer of the nG Firewall series, says it best:

This version of the nG Firewall is greatly refined, heavily tested, and better than ever. Fine-tuned to minimize false positives, the 6G Firewall protects your site against a wide variety of malicious URI requests, bad bots, spam referrers, and other attacks. Blocking bad traffic improves site security, reduces server load, and conserves precious resources. The 6G Firewall is entirely plug-n-play with no configuration required. It’s also open source, easy to use, and completely free, providing strong protection for any Apache-powered website.

The 6G Firewall is a powerful, well-optimized blacklist that checks all URI requests against a set of carefully constructed .htaccess directives. This happens quietly behind the scenes at the server level, which is optimal for performance and resource conservation. Most WordPress plugins require both PHP and MySQL, which can be overkill and even wasteful depending on the scenario and your overall security strategy. Implementing an .htaccess solution such as the 6G Firewall, the code is executed without invoking the memory and resources required for PHP, MySQL, etc. That gives you better performance while saving server resources for legitimate traffic.

The 6G Firewall is one of several carefully selected components – all free – that together provide a layered defense that I prefer over an all-in-one solution. Other components include CloudFlare page rules, the plugins Limit Login Attempts Reloaded and WPS Hide Login, a custom security plugin, and miscellaneous configurations to CloudFlare, htaccess, wp-config.php, and php.ini.

For those unable to implement an htaccess solution – if running on an NGINX web server for example – Jeff offers the Block Bad Queries (BBQ) plugin.

403 Text String

If my site gets attacked, it could serve up a lot of 403-Forbidden error pages, which would use a lot of resources, slowing my site or even bringing it down. For 404-Not Found errors, I want to serve a friendly, helpful page that fits in with the look and feel of my site. Legitimate visitors should rarely if ever encounter a 403-Forbidden error though, so I prefer to politely limit resource use to the extent practical. My solution is a custom 403 text string, using the following line at the beginning of my .htaccess file:

ErrorDocument 403 "403: Sorry, not permitted."

A user who encounters a 403 error will see a simple text message in his or her browser, similar to the following image.

Custom 403 text string

Serving a simple text string requires far fewer resources than a PHP or HTML page.
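Putting the three pieces together (the CloudFlare header check, the sensitive-file restrictions and the text 403) as one file, as an added example and not the author’s actual .htaccess: it assumes mod_rewrite is enabled and CloudFlare IP Geolocation is switched on so that CF-IPCountry is sent, and it writes the file restrictions in Apache 2.4 Require syntax with the older Order/Deny form as a fallback, because on 2.4 those older directives only work when mod_access_compat is loaded.

```apache
# Added example: one .htaccess combining the pieces discussed on this page.
# Not the author's file. Assumes mod_rewrite is enabled and that CloudFlare
# IP Geolocation is on, so every request through CloudFlare carries CF-IPCountry.

# 1. Short text body for 403s, placed first so every later block uses it.
ErrorDocument 403 "403: Sorry, not permitted."

# 2. Refuse requests that did not arrive through CloudFlare.
#    Apache expands %{HTTP:CF-IPCountry} to "" when the header is absent
#    (or sent empty), so ^$ matches exactly those requests and [F] returns 403.
RewriteEngine On
RewriteCond %{HTTP:CF-IPCountry} ^$
RewriteRule ^ - [F,L]

# 3. Deny access to the three files from the tricks list in one block.
#    Apache 2.4 uses Require; Order/Deny only works there if mod_access_compat
#    is loaded, so both forms are given and the right one is picked at runtime.
<FilesMatch "^(wp-config\.php|\.htaccess|install\.php)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

A quick check after deploying is to request the site's own wp-config.php and to request the origin IP directly with the site's Host header; both should return the short "403: Sorry, not permitted." body rather than a full error page.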