February 17, 2021

Cloudflare Firewall Rules for Securing WordPress

Cloudflare has an amazing range of features and options and a lot of the features go unused or under leveraged. In this post we’ll share three Cloudflare that will both help improve the security or your WordPress site and at the same time also reduce the load on your site and help speed it up.

These are really easy to setup and if you’re moderately tech savvy will take you maybe 10-15 minutes. 

How to add Cloudflare WAF rules?

I use Cloudflare for all my WordPress websites - not just to make them faster, but more secure as well.

This guide is aimed at security-minded webmasters who run a WordPress site or blog on a Cloudflare-enabled domain.

By adding WordPress-specific rules I describe on this page, you can secure your site and block attacks before they even reach your web host's server.

Cloudflare WAF

Cloudflare WAF

Firewall rules can be added under the Firewall menu->Firewall Rules tab in Cloudflare. The free plan gives you up to 5 rules so these can be added at no cost.

Once you add a rule it takes effect almost immediately.

Block wp-login.php Attacks

The first firewall rule we will add will help protect the WordPress login page.

The typical WordPress site we see can get anywhere from 1000-10000 brute force logon attempts a day.

Hazgui WP

If you peek at your server logs, you'll probably find numerous IPs from all over the world trying to access your wp-login.php file. This is by far the most common attack on WordPress installations. These are usually automated scans which do not pose a big threat, but you can still block them off for your peace of mind.

This, of course, assumes that you (the admin) are the only user on your site. If you have multiple users or use a membership plugin, you'll probably want to skip this rule.

1- Give your rule a name, such as “Block wp-login.php Attacks”

In your Cloudflare dashboard, click Firewall once again, then press the blue Create a Firewall rule button. Name it whatever you like and enter the following:

  • Field: URI Path
  • Operator: contains
  • Value: /wp-login.php

    [Action: Challenge]

2- Check your firewall rule

If you did it right, you should see the following in the Expression Preview section.

(http.request.uri.path contains "/wp-login.php")

Save the rule, and it should be enabled automatically. Cloudflare will now Challenge every attempt to connect to wp-login.php

cloudflare wordpress

Block xmlrpc.php Attacks

After wp-login.php, xmlrpc.php is the second most common attack target. XML-RPC has legitimate uses, such as blogging from a smartphone or posting content to multiple WordPress sites at once. If you don't do that, then it can be safely blocked. Follow the same procedure as previously and create the rule:

  • Field: URI Path
  • Operator: contains
  • Value: /xmlrpc.php

    [Action: Block]

You should see the following in the Expression Preview section.

(http.request.uri.path contains "/xmlrpc.php")

Protect the wp-admin Area

Now let's make it so you and only you can access your admin area. This rule is slightly more complex because you need to make two exceptions.

First is /wp-admin/admin-ajax.php, which is used by certain plugins to display dynamic content on your website. As such, despite being located inside the /wp-admin/ folder, it needs to be accessible from the outside.

Second is /wp-admin/theme-editor.php, which runs an error check every time you edit your theme through the built-in editor by creating a loopback request to your homepage. If you don't add this exception, the check will fail with a message "Unable to communicate back with site to check for fatal errors" and your modifications won't be saved.

Go ahead and create the following rule:

  • Field: URI Path
  • Operator: contains
  • Value: /wp-admin/


  • Field: URI Path
  • Operator: does not contain
  • Value: /wp-admin/admin-ajax.php


  • Field: URI Path
  • Operator: does not contain
  • Value: /wp-admin/theme-editor.php

[Action: Block]

Or, just click Edit expression and paste in the following.

(http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")

Reduce Spam by Blocking Direct Requests to wp-comments-post.php

I'll be honest: the effect of this rule will be minimal as spam bots these days are sophisticated enough to spoof the referrer. This will only block bots hammering the wp-comments-post.php file directly. Still, the same tip is described in WordPress Codex (except they use a .htaccess rule rather than Cloudflare), so if it's good enough for them, it's good enough for me.

The rule is as follows:

  • Field: URI Path
  • Operator: equals
  • Value: /wp-comments-post.php


  • Field: Request Method
  • Operator: equals
  • POST


  • Field: Referer
  • Operator: does not contain
  • Value: yoursite.com (replace with your real domain)

[Action: Block]

And here's the expression to save you the time.

(http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "yoursite.com")

Further Reading

Should you run into issues or want to learn more, I suggest you visit Cloudflare’s knowledge base: https://developers.cloudflare.com/firewall/cf-firewall-rules/

Using the Cloudflare plugin with WordPress

Leave a Reply

Your email address will not be published. Required fields are marked *


HAZGUI WP mission is to create custom websites and marketing plans for businesses of all varieties. Regardless of your size, you should have a website that speaks your ideas and helps you grow.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram