How To Fine Tune The Cloudflare Firewall

Bhagwad Park

Published on: December 28, 2020

Categories: Website Performance

In an earlier article, I’d written about using Cloudflare and subscribing to the “Pro” plan. Of the many benefits, one of them is the extensive WAF that you can just “set and forget”. It blocks a wide range of threats with no additional load on your site, since the requests are handled on Cloudflare’s edge and never reach your origin server. However, you’ll need to tweak some of the rules or add some new ones for your specific needs.

Adding Optional Cloudflare Rules

The Cloudflare WAF has a large set of predefined rules that operate as a firewall for your site. These rules are categorized into rulesets that you can enable and disable based on the kind of site you have. For example, if you use WHM and cPanel, you can enable the WHMCS ruleset. If you use WordPress, then you should enable the WordPress ruleset. Needless to say, you shouldn’t add rulesets that are irrelevant to your site. For example, if you don’t use Joomla, you should leave the Joomla ruleset disabled.

Each of these rulesets can be configured, and individual rules within them can be enabled and disabled. For example, I was looking at my cache logs one day and noticed a large number of uncached requests hitting the homepage for no good reason. When I downloaded the access logs, I saw this:

Access File on my Site WP-Tweaks.com

Some IP address was consistently hitting my site and getting repeated 403 errors. No username, no referrer, nothing. I was surprised that Cloudflare was letting this go through in the first place. Each of these requests wastes time on my server and forces it to do some work, thereby depriving legitimate traffic of some resources.

So I did a bit of digging, and apparently there’s an optional rule in the “Cloudflare Specials” ruleset that blocks requests that send no user agent at all. Here’s a screenshot:

Cloudflare User Agent Missing Rule

As you can see above, I went and set this rule to “block”. Since then, I’ve rechecked my logs, and seen lots of traffic blocked by this rule. So it’s a good thing I enabled it!

You can repeat this process by looking at all the individual rules whose “Default” mode is set to “Disable” and see if they’re worth enabling in your particular scenario.

Adding Specific Firewall Rules Yourself – Example: JSON Enumeration

One of the things that annoys me about WordPress is that it allows third parties to get information about your site programmatically. One example is JSON requests. For example, anyone can just append the following to a WordPress website’s URL:

wp-json/wp/v2/users

And get a ready-made list of users on the site. Now WordPress claims that this information is public, that it’s not part of the security framework, and that it doesn’t matter if the usernames are programmatically listed like this. But those of us who look through our logs know that sites are constantly bombarded with these requests. They use up resources, and many of us are simply not comfortable having third parties accessing our sites programmatically.

So I created a firewall rule like this:

Cloudflare Firewall Rule to Block JSON Username Enumeration

Unfortunately, the new Gutenberg editor requires this endpoint for saving posts. So I have to disable this rule before I make any changes to a post and then re-enable it afterward. It’s inconvenient, but I haven’t found a better solution yet. I want this to be handled by Cloudflare, not my site. Here’s a screenshot of my firewall rules for my site WP-Tweaks.com in Cloudflare, blocking both XML-RPC and username enumeration:
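Before enabling either rule, it helps to know how much of your own access log would have tripped it. The following Python example is added here and is not code from the post or from Cloudflare: it applies the two checks described above (a missing user agent, and requests for the wp-json users endpoint) to constructed combined-format log lines and counts hits per client IP. It goes slightly beyond the post by also matching the `?rest_route=` form of the same REST endpoint, which WordPress accepts on sites without pretty permalinks. The regex, the sample IPs and the rule names are my assumptions.

```python
import re
from collections import Counter

# Apache/LiteSpeed "combined" log format: ip ident user [time] "request" status bytes "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic from WP-Tweaks.com); the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Dec/2020:10:00:01 +0000] "GET / HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [28/Dec/2020:10:00:02 +0000] "GET / HTTP/1.1" 403 199 "-" "-"
198.51.100.9 - - [28/Dec/2020:10:00:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Dec/2020:10:00:06 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Dec/2020:10:00:09 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 4210 "https://example.com/wp-admin/post.php" "Mozilla/5.0"
192.0.2.44 - - [28/Dec/2020:10:00:10 +0000] "GET /about/ HTTP/1.1" 200 5320 "-" "Mozilla/5.0"
"""

# The users route, whether it ends the path, is followed by a sub-path, or by a query string.
USERS_ROUTE = re.compile(r'/wp/v2/users(?:/|\?|$)')


def classify(line):
    """Return the rule names (assumed labels) a log line would trip, or [] for clean traffic."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    hits = []
    # Equivalent of the "Cloudflare Specials" missing user agent rule: the log shows "-" when the header is absent.
    if m["ua"] in ("", "-"):
        hits.append("missing_user_agent")
    # Username enumeration via /wp-json/... or via the rest_route query parameter.
    target = m["target"]
    if target.startswith("/wp-json") and USERS_ROUTE.search(target):
        hits.append("wp_json_users")
    elif "rest_route=" in target and USERS_ROUTE.search(target.split("rest_route=", 1)[1]):
        hits.append("wp_json_users")
    return hits


def summarize(log_text):
    """Count rule hits per (client IP, rule): the view needed to judge whether a rule is worth enabling."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        ip = m["ip"] if m else "?"
        for rule in classify(line):
            counts[(ip, rule)] += 1
    return counts
```

Note that the Gutenberg save request in the sample (`/wp-json/wp/v2/posts/12`) is not flagged, which is why a rule scoped to the users route is preferable to blocking all of wp-json.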

Firewall Rules in Action

Over time, your firewall rules will evolve to uniquely represent the threat profile of your site. But Cloudflare’s WAF is a good starting point, from which you can make your own customizations.

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
