Cloudflare firewall rules
Objective
In this lesson, you’ll learn how to create, test, and optimize Cloudflare Firewall Rules to protect your WordPress VPS at the DNS and edge-network level.
By the end, you’ll know how to block bad bots, rate-limit attacks, restrict admin access by IP, and whitelist only trusted services — all without consuming your VPS resources.
1. What Is Cloudflare Firewall and Why Use It?
Cloudflare sits in front of your VPS, acting as a reverse proxy.
This means all traffic to your domain passes through Cloudflare first — giving you control over what gets forwarded to your actual server.
While tools like UFW and ModSecurity work inside your VPS, Cloudflare Firewall Rules stop threats before they reach your network.
Think of it as your first defense wall in front of everything else.
Security Layer Comparison
| Layer | Tool | Purpose |
|---|---|---|
| Edge (DNS-level) | Cloudflare Firewall Rules | Filters malicious traffic globally before reaching VPS. |
| Network | UFW | Controls ports and connections at the server level. |
| Application | ModSecurity | Protects WordPress from malicious HTTP requests. |
| Intrusion | Fail2Ban | Blocks repeated brute-force login attempts. |
2. Prerequisites
- A Cloudflare account (Free plan or higher)
- Your domain connected to Cloudflare (nameservers updated)
- Your VPS should only allow HTTP/HTTPS traffic from Cloudflare IPs (optional but recommended)
For OpenLiteSpeed + WordPress, this integration is seamless once your DNS points to Cloudflare.
3. Accessing the Cloudflare Firewall Dashboard
- Log in to your Cloudflare dashboard: https://dash.cloudflare.com
- Select your domain (e.g., example.com)
- In the left sidebar, go to Security → WAF → Firewall Rules
Here you can create custom filtering logic using Cloudflare’s expression builder or simple toggles.
4. Create Your First Basic Rule
Goal: Allow normal visitors but block common attacks and access to admin areas.
Click “Create a Firewall Rule” → then use the following examples.
Rule 1: Protect /wp-login.php and /wp-admin/
Expression:
(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin")
Action: Challenge (Captcha) or Block
When to use:
- Use Challenge if you want humans to pass a CAPTCHA while bots are stopped.
- Use Block if you have a fixed IP for your admin access.
Alternative (Restrict by IP):
(http.request.uri.path contains "/wp-login.php") and (ip.src ne 203.0.113.5)
Action: Block
→ With the action set to Block, only your IP (203.0.113.5 in this example; substitute your own fixed address) can reach wp-login.php.
Rule 2: Block Bad Bots and Spam Crawlers
Expression:
(not cf.client.bot and lower(http.user_agent) contains "python")
or (lower(http.user_agent) contains "curl")
or (lower(http.user_agent) contains "wget")
Action: Block
Explanation:
This blocks automated bots that try to scrape or brute-force using Python, Curl, or Wget scripts.
Rule 3: Block XML-RPC Abuse
Expression:
(http.request.uri.path contains "/xmlrpc.php")
Action: Block
Why:
XML-RPC is rarely used in modern WordPress setups and often abused for DDoS amplification or brute-force.
Rule 4: Rate Limit Aggressive Access
Cloudflare has a native rate-limiting feature (available even on Free plans; it is configured under Security → WAF → Rate Limiting Rules rather than as a plain firewall rule action).
Expression:
(http.request.uri.path contains "/wp-login.php")
Action: Rate Limit
Threshold: e.g., 10 requests per minute per IP
This stops brute-force bots from hammering your login page.
Rule 5: Restrict Direct Server Access (Bypass Cloudflare)
If someone discovers your server’s IP, they could try to bypass Cloudflare and reach your VPS directly.
Use this rule to block non-Cloudflare traffic at your server level.
In Cloudflare:
Create a Firewall rule to Allow only traffic from cf.client.ip matching Cloudflare IPs.
In your VPS (UFW):
```bash
# Allow HTTP/HTTPS only from Cloudflare's IPv4 ranges
# (list as given on this page; refresh it from https://www.cloudflare.com/ips-v4 before applying)
sudo ufw allow from 173.245.48.0/20 to any port 80,443 proto tcp
sudo ufw allow from 103.21.244.0/22 to any port 80,443 proto tcp
sudo ufw allow from 103.22.200.0/22 to any port 80,443 proto tcp
sudo ufw allow from 103.31.4.0/22 to any port 80,443 proto tcp
sudo ufw allow from 141.101.64.0/18 to any port 80,443 proto tcp
sudo ufw allow from 108.162.192.0/18 to any port 80,443 proto tcp
sudo ufw allow from 190.93.240.0/20 to any port 80,443 proto tcp
sudo ufw allow from 188.114.96.0/20 to any port 80,443 proto tcp
sudo ufw allow from 197.234.240.0/22 to any port 80,443 proto tcp
sudo ufw allow from 198.41.128.0/17 to any port 80,443 proto tcp
sudo ufw allow from 162.158.0.0/15 to any port 80,443 proto tcp
sudo ufw allow from 104.16.0.0/12 to any port 80,443 proto tcp
sudo ufw allow from 172.64.0.0/13 to any port 80,443 proto tcp
sudo ufw allow from 131.0.72.0/22 to any port 80,443 proto tcp
```
Then deny all other inbound HTTP/S (make sure your own SSH rule is still in place before tightening the default inbound policy) so that web requests only flow through Cloudflare.
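The two halves of Rule 5, generating the UFW allow-list and then verifying that nothing reaches the origin directly, as an added example that is not part of the original lesson. The range list is the one printed above (the authoritative copy is at https://www.cloudflare.com/ips-v4 and should be refreshed from there); the `ssh_from` parameter, the function names and the three access-log lines are assumptions constructed for this demo. The script only builds the commands and audits a log; it never calls `ufw` itself.

```python
"""Build a Cloudflare-only UFW policy and audit an access log for direct-to-origin hits.
Added example: range list copied from the lesson, everything else is assumed."""
import ipaddress

# IPv4 edge ranges as listed in the lesson; refresh from https://www.cloudflare.com/ips-v4
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
]

# Constructed access-log sample (Combined Log Format, first field = remote address)
SAMPLE_LOG = """\
172.64.0.1 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1320
104.16.1.1 - - [01/Jan/2025:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0
"""


def from_cloudflare(ip: str, ranges=CLOUDFLARE_V4) -> bool:
    """True if the address lies inside one of the edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def ufw_commands(ranges=CLOUDFLARE_V4, ports=(80, 443), ssh_from=None):
    """Return the ufw command list: default deny, optional SSH exception, then
    one allow per edge range limited to the web ports.  ssh_from (assumed
    parameter) is the CIDR that may reach port 22, so a default-deny policy
    cannot lock the administrator out."""
    port_list = ",".join(str(p) for p in ports)
    cmds = ["ufw default deny incoming"]
    if ssh_from:
        cmds.append(f"ufw allow from {ssh_from} to any port 22 proto tcp")
    for r in ranges:
        ipaddress.ip_network(r)  # raises ValueError on a malformed range
        cmds.append(f"ufw allow from {r} to any port {port_list} proto tcp")
    return cmds


def direct_hits(log_text: str):
    """Source addresses in the log that did not come through the edge.
    Behind Cloudflare the remote address is always an edge node; anything
    else reached the origin directly and the firewall did not stop it."""
    return [line.split(" ", 1)[0] for line in log_text.splitlines()
            if line and not from_cloudflare(line.split(" ", 1)[0])]


if __name__ == "__main__":
    print("\n".join(ufw_commands(ssh_from="203.0.113.5")))
    print("direct-to-origin sources:", direct_hits(SAMPLE_LOG))
```

Run `direct_hits` over a real access log after enabling the rules: any address it returns is a request that bypassed Cloudflare, which is exactly the condition the firewall is meant to make impossible.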
5. Advanced Rules and Filters
| Use Case | Expression | Action |
|---|---|---|
| Block specific country | (ip.geoip.country eq "RU") | Block |
| Allow admin from Indonesia only | (ip.geoip.country eq "ID") and (http.request.uri.path contains "/wp-login.php") | Allow |
| Challenge all POST requests to admin | (http.request.uri.path contains "/wp-admin") and (http.request.method eq "POST") | Challenge |
| JS Challenge on fake browsers | (not cf.client.bot and http.user_agent eq "") | JS Challenge |
| Block access to sensitive files | (http.request.uri.path contains ".env") or (http.request.uri.path contains "wp-config.php") | Block |
6. Order of Execution
Firewall Rules run top to bottom, and Cloudflare stops processing as soon as one rule matches.
That means an Allow rule for a specific IP or admin must sit above the Block rule it is meant to exempt; otherwise the Block matches first and the Allow never fires.
Example Order:
- Allow your IP to /wp-login.php
- Block /wp-login.php for everyone else
- Block XML-RPC
- Block Bad Bots
- Rate Limit remaining requests
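The five rules of section 4 in the order above, run as a first-match-wins ruleset so the effect of ordering can be seen on concrete requests. This is an added example written for this lesson, not Cloudflare's own engine: the `Request` fields stand in for `ip.src`, `http.request.uri.path`, `http.user_agent` and `cf.client.bot`, the rule names are made up, 203.0.113.5 is an assumed admin address, and the rate limit is modelled as a sliding window of 10 requests per 60 seconds per IP applied only to requests no earlier rule matched.

```python
"""Ordered firewall ruleset simulation: first matching rule wins.
Added example; field names, rule names and admin address are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass

ADMIN_IP = "203.0.113.5"    # assumed fixed admin address (documentation range)
RATE_LIMIT = 10             # requests per window per IP, as in Rule 4
WINDOW_SECONDS = 60


@dataclass
class Request:
    ip: str
    path: str
    user_agent: str = "Mozilla/5.0"
    verified_bot: bool = False   # stands in for cf.client.bot
    ts: float = 0.0              # request time in seconds (constructed)


def is_bad_bot(r: Request) -> bool:
    """Rule 2: scripted clients that are not verified bots."""
    ua = r.user_agent.lower()
    return not r.verified_bot and any(t in ua for t in ("python", "curl", "wget"))


# Ordered rule table: (name, predicate, action).  The order is the whole point.
RULES = [
    ("allow-admin-login", lambda r: "/wp-login.php" in r.path and r.ip == ADMIN_IP, "allow"),
    ("block-login-others", lambda r: "/wp-login.php" in r.path, "block"),
    ("block-xmlrpc", lambda r: "/xmlrpc.php" in r.path, "block"),
    ("block-bad-bots", is_bad_bot, "block"),
]

# Same rules with the two login rules swapped: the Allow can never fire.
WRONG_ORDER = [RULES[1], RULES[0]] + RULES[2:]


class RateLimiter:
    """Sliding-window counter per IP; models Rule 4 applied to what is left."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def exceeded(self, ip: str, ts: float) -> bool:
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        q.append(ts)
        return len(q) > self.limit


def evaluate(r: Request, limiter: RateLimiter, rules=RULES):
    """Return (action, rule_name); processing stops at the first match."""
    for name, pred, action in rules:
        if pred(r):
            return action, name
    if limiter.exceeded(r.ip, r.ts):
        return "rate-limit", "rate-limit-remaining"
    return "allow", "default"


def demo() -> dict:
    """Run a handful of constructed requests through both orderings."""
    out = {}
    admin = Request(ADMIN_IP, "/wp-login.php")
    out["admin_good_order"] = evaluate(admin, RateLimiter())
    out["admin_wrong_order"] = evaluate(admin, RateLimiter(), WRONG_ORDER)
    out["visitor_login"] = evaluate(Request("198.51.100.7", "/wp-login.php"), RateLimiter())
    out["xmlrpc"] = evaluate(Request("198.51.100.7", "/xmlrpc.php"), RateLimiter())
    out["curl_homepage"] = evaluate(Request("198.51.100.7", "/", "curl/8.0"), RateLimiter())
    # A verified bot with a scripted user agent is exempt from Rule 2.
    out["verified_bot"] = evaluate(
        Request("198.51.100.7", "/", "python-requests", verified_bot=True), RateLimiter())
    # Eleven plain requests from one IP inside a minute: the eleventh is limited.
    lim = RateLimiter()
    out["burst"] = [evaluate(Request("198.51.100.9", "/", ts=i), lim)[0] for i in range(11)]
    out["after_window"] = evaluate(Request("198.51.100.9", "/", ts=70), lim)[0]
    return out


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key:>18}: {verdict}")
```

`admin_wrong_order` is the case the section warns about: with the Block above the Allow, the admin's own login request is blocked by `block-login-others` and the exemption is dead code.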
7. Monitoring and Logs
Firewall Events Log
- Navigate to Security → Events in Cloudflare Dashboard.
- Shows blocked, challenged, or rate-limited requests.
- You can filter by action, country, path, or IP.
Useful Columns:
| Field | Description |
|---|---|
| IP Address | The visitor’s source IP. |
| Action Taken | Allow / Block / Challenge. |
| Rule Name | Which rule triggered the block. |
| Path | The request path (e.g., /wp-login.php). |
8. Cloudflare + VPS Integration Checklist
| Layer | Tool | Purpose |
|---|---|---|
| Edge | Cloudflare Firewall | Global filtering (before reaching VPS). |
| Network | UFW | Local port-level access control. |
| Intrusion | Fail2Ban | Brute-force detection and IP bans. |
| Application | ModSecurity | Web-layer WAF inspection. |
Together, these layers give you defense-in-depth — even if one layer misses something, another catches it.
9. Quick Lab
| Task | Action | Expected Outcome |
|---|---|---|
| Block XML-RPC | Create a Firewall Rule for /xmlrpc.php | Requests blocked instantly |
| Protect login page | Challenge /wp-login.php | Bots stopped at CAPTCHA |
| Limit logins | Add Rate Limit rule | Login brute-force prevented |
| Allow only admin IP | Create IP-based allow rule | Admin area restricted |
| Test with cURL | curl -I https://yourdomain.com/wp-login.php | 403 or 1010 (blocked/challenged) |
10. Cheat Sheet
| Task | Where to Do | Description |
|---|---|---|
| Create firewall rule | Cloudflare Dashboard → Security → WAF | Add custom filtering logic. |
| Restrict login access | Rule for /wp-login.php | Block or allow by IP. |
| Block XML-RPC | Rule for /xmlrpc.php | Stops botnet attacks. |
| Rate limit | Security → WAF → Rate Limiting Rules | Throttles repeated requests. |
| Block country | Expression (ip.geoip.country eq "XX") | Geo-blocking. |
| View logs | Security → Events | Inspect blocked threats. |
| Combine with UFW | sudo ufw allow from Cloudflare IP ranges | Restrict to Cloudflare-only traffic. |
Summary
- Cloudflare Firewall Rules protect your WordPress site before it reaches your VPS — saving CPU, bandwidth, and time.
- Use targeted rules for login, XML-RPC, and admin areas.
- Combine CAPTCHA, Rate Limit, and IP filtering for layered protection.
- Keep Allow rules first, Block rules last to avoid false positives.
- Works perfectly alongside UFW, Fail2Ban, and ModSecurity for complete 360° VPS security.
Would you like me to continue next with ClamAV (antivirus scanning for VPS and WordPress files) — or move to Imunify360 (malware detection and web shell protection) as the next module in your hardening series?