In an earlier article, I’d written about using Cloudflare and subscribing to the “Pro” plan. Of its many benefits, one is the extensive WAF that you can just “set and forget”. It blocks a wide range of threats without adding load to your site, since the requests are handled at Cloudflare’s edge rather than by your origin server. However, you’ll need to tweak some of the rules or add new ones for your specific needs.
Adding Optional Cloudflare Rules
The Cloudflare WAF has a large set of predefined rules that operate as a firewall for your site. These rules are grouped into rulesets that you can enable and disable based on the kind of site you have. For example, if you use WHM and cPanel, you can enable the WHMCS ruleset. If you use WordPress, then you should enable the WordPress ruleset. Needless to say, you shouldn’t add rulesets that are irrelevant to your site. For example, if you don’t use Joomla, you should leave the Joomla ruleset disabled.
Each of these sections can be configured and individual rules within them can be enabled and disabled. For example, I was looking at my cache logs one day and noticed a large number of uncached requests hitting the homepage for no good reason. When I downloaded the access files, I saw this:
Some IP address was consistently hitting my site and getting repeated 403 errors. No username, no referrer, nothing. I was surprised that Cloudflare was letting this go through in the first place. Each of these requests wastes time on my server and forces it to do some work, thereby depriving legitimate traffic of some resources.
So I did a bit of digging, and apparently, there’s an optional rule in the WAF ruleset called “Cloudflare Specials” that blocks users that provide no user agent name. Here’s a screenshot:
As you can see above, I went and set this rule to “block”. Since then, I’ve rechecked my logs, and seen lots of traffic blocked by this rule. So it’s a good thing I enabled it!
You can repeat this process by going through all the individual rules whose “Default” mode is set to “Disable” and deciding whether they’re worth enabling in your particular scenario.
Adding Specific Firewall Rules Yourself – Example: JSON Enumeration
One of the things that annoys me about WordPress is that it allows third parties to get information about your site programmatically. One example is the REST API’s JSON endpoints: anyone can append the following to a WordPress site’s URL:
wp-json/wp/v2/users
And get a ready-made list of users on the site. Now WordPress claims that this information is public, that it’s not part of the security framework, and that it doesn’t matter if the usernames are programmatically listed like this. But those of us who look through our logs know that sites are constantly bombarded with these requests. They use up resources, and many of us are simply not comfortable having third parties access our sites programmatically.
So I created a firewall rule like this:
Unfortunately, the new Gutenberg editor requires this endpoint for saving posts. So I have to disable this rule before I make any changes to a post and then re-enable it afterward. It’s inconvenient, but I haven’t found a better solution yet. I want this to be handled by Cloudflare, not my site. Here’s a screenshot of my Cloudflare firewall rules for my site WP-Tweaks.com, blocking both XML-RPC and username enumeration:
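To confirm from your own origin access logs which traffic the three rules discussed above (empty User-Agent, wp-json user enumeration, XML-RPC) would have caught, here is an added Python example that is not part of the original post. The log lines are constructed, the Cloudflare expressions quoted in the comments are my reconstruction of equivalent custom rules rather than the post’s screenshots, and the check on the rest_route query form goes beyond the post: it is the same REST endpoint reached through a different URL, so a path-only rule would not match it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in combined log format (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:01:03 +0000] "GET / HTTP/1.1" 403 199 "-" "-"
198.51.100.4 - - [10/Mar/2024:10:02:10 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:10:02:11 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 812 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:04:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0 (X11; Linux)"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec

# Each predicate mirrors a Cloudflare firewall expression (Rules-language field names
# are quoted in the comments). Apache logs an absent User-Agent as "-".
RULES = {
    # Cloudflare Specials "no user agent":  http.user_agent eq ""
    "empty_user_agent": lambda r: r["ua"] in ("", "-"),
    # Username enumeration:  http.request.uri.path contains "/wp-json/wp/v2/users"
    # The rest_route query form is the same endpoint; a path-only rule misses it.
    "user_enumeration": lambda r: "/wp-json/wp/v2/users" in r["path"]
                                   or "rest_route=/wp/v2/users" in r["query"],
    # XML-RPC:  http.request.uri.path eq "/xmlrpc.php"
    "xmlrpc": lambda r: r["path"] == "/xmlrpc.php",
}

def audit(log_text):
    """Return {rule: {ip: hits}} for the lines each rule would have matched."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, matches in RULES.items():
            if matches(rec):
                hits[name][rec["ip"]] += 1
    return {name: dict(c) for name, c in hits.items()}
```

Run `audit()` over a real log export before enabling a rule to see what it would block, and again afterwards: matching lines that still reach the origin mean the rule is not firing.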
Over time, your firewall rules will evolve to uniquely represent the threat profile of your site. But Cloudflare’s WAF is a good starting point, from which you can make your own customizations.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!