For more than ten years, the Cloudflare team has provided security services to website builders worldwide and currently helps thousands of businesses maintain and protect their online resources.
Since its inception, Cloudflare has released many firewall tools, such as IP Rules, CIDR Rules, ASN Rules, Country Rules and HTTP User Agent Blocking, to name a few, and Cloudflare Firewall Rules is a recent addition. Firewall Rules bring those tools together in one expression language and give users more flexibility and control over how their firewall works.
In this article, you'll learn everything you need to know about firewalls, how to get started implementing and editing Cloudflare firewall rules on your site, and why security is so important.
What are the Cloudflare firewall rules?
Cloudflare firewall rules are a flexible and intuitive framework that website owners can use to filter HTTP requests – giving you full control over the requests that can reach your application.
Firewall rules integrate well with existing Cloudflare tools, allowing you to combine multiple techniques into a cohesive set of rules. For example, you can create a rule to block traffic from users that match a certain pattern, instead of having to use three or four different rules in as many places to achieve the same result.
They also let you keep watching website traffic and respond to threats accordingly. You define an expression that selects certain requests, and an action that tells Cloudflare what to do with every request that matches it.
Why are firewalls necessary for your website?
Cloudflare is mainly used to reduce website loading times and to protect your website from online threats. It also fights spammers, malware injection and DDoS attacks.
About 70% of WordPress installations are prone to hackers, which makes a firewall from Cloudflare all the more necessary to protect your site from unwanted threats. Some of the reasons why firewalls are needed for your website are:
- With HTTP/2 and HTTP/3, Cloudflare fetches multiple page elements in parallel over a single connection (one TCP connection for HTTP/2, one QUIC connection over UDP for HTTP/3), along with push technology and header compression.
- Cloudflare WAF protects your website from many vulnerabilities that popular CMS tools (WordPress, Joomla, etc.) are prone to. Cloudflare WAF has more than 145 rules to protect your website from all types of web application attacks.
- Cloudflare has a rate limiting feature that helps mitigate DoS attacks, brute-force login attempts and other malicious activity aimed at the application layer. Rate limiting lets you configure thresholds per URL, choose the response sent when a limit is exceeded, and review how often each limit is hit.
As you can see, Cloudflare not only improves SEO by speeding up your website, but also offers a wide range of advanced security features to protect your website from attacks.
Cloudflare Firewall Rules - Matching and Actions
Cloudflare firewall rules consist of two main parts: Matching, where you write a filter expression that selects exactly the traffic you care about, and Actions, where you specify what Cloudflare does with the requests the filter selects.
Matching lets you filter incoming traffic to your site. If you want to restrict certain countries or filter certain IP addresses, for example, you use the matching expression to select those requests.
Among the most useful fields Cloudflare provides is the known bots field (cf.client.bot). It is true for requests from Cloudflare's list of verified good bots, validated by reverse DNS lookup, and covers crawlers from Google, Yahoo, Bing, LinkedIn, Apple and more.
Note: since the old allow setting has been removed, it is recommended to create a rule with the Allow action whose expression is cf.client.bot. An Allow rule exempts matching requests from all later firewall rules, so place it before your Block and Challenge rules; otherwise the rules below may inadvertently block good crawlers.
In addition, Cloudflare firewall rules expose a threat score for each client IP (the cf.threat_score field), computed from the IP's observed reputation. The score runs from 0 to 100, with higher values meaning a worse reputation, and the dashboard's Security Level setting maps onto it as follows:
- High: challenges requests with a score above 0.
- Medium: above 14.
- Low: above 24.
- Essentially Off: only above 49.
But simply establishing matching rules won't accomplish much. This is where the actions come in.
- Block: Used to block traffic from accessing your web application.
- Challenge (Captcha): presents a challenge the visitor must solve before the request is served, to stop automated clients without blocking humans outright.
- Allow: lets matching requests through and skips all later firewall rules for them, so order Allow rules before Block and Challenge rules.
Three examples of Cloudflare firewall rules in action
In this section, you will find three ways to configure Cloudflare firewall rules using the dashboard and why it can be useful.
We will cover:
- How to block certain countries from visiting your site
- How to make your WordPress site more secure with captcha
- How to prevent bad bot traffic from entering your site
To get started, log in to the Cloudflare dashboard. From there, select the domain name for which you want to set Cloudflare firewall rules.
Then click Firewall in the top menu and then Firewall Rules.
This section allows you to set a new firewall rule, view and filter existing rules, enable, disable, modify and delete rules. To try the examples below, clickCreate a firewall rule.
Example 1 – Blocking all countries except the US
To exclude all countries except one (in our example it will be the US), follow these steps:
- First, give your rule a name.
- From the Field drop-down menu, select Country.
- From the Operator drop-down menu, select does not equal.
- From the Value drop-down menu, select United States.
- Finally, from the Action drop-down menu, select Block, and then click the blue Deploy button in the lower right corner.
Conversely, if you want to exclude an individual country, select equals from the Operator drop-down menu and then follow the procedure above.
The equivalent expression is (ip.geoip.country ne "US"). Note the two-letter ISO country code: the field compares against "US", not "USA", and the operator is ne rather than not. This rule also blocks every non-US crawler, Google's included, so pair it with an earlier Allow rule for cf.client.bot if you depend on search traffic.
Example 2 – WordPress security
WordPress security is something website owners don't think about enough. Every day, Google blacklists around 10,000+ sites for malware, and around 50,000+ pages each week for phishing. It is important to protect your WordPress site from malware and threats and avoid having your site banned.
Why is WordPress Security Important?
Whether your site is large or small, hackers don't care. One way or another, they will find ways to use it against you: they typically go after your personal and financial information and then use what they collect to harm you and your business.
Mark Ronso, Director of Marketing at Reviews by top authors, said: "A compromised website can seriously damage a company's reputation. Hackers typically install malware or viruses to extract data in the background, which can result in a loss of trust in your company and customers switching to a competitor."
Therefore, to keep your business safe and secure, protect your website with WordPress plugins or Cloudflare firewall. So which is better and what is the difference between the two?
WordPress Plugins vs Cloudflare Firewall – Which is Better?
Many people install free plugins to manage their website security rather than a third-party service like Cloudflare, usually because they expect the service to be complicated or want to save money. In fact, Cloudflare does not take long to set up and gives you more functionality than any single WordPress plugin.
Here are the key differences you should know:
- Cloudflare's firewall sits in front of your CMS, WordPress included, and filters requests at the edge before they reach your server.
- Cloudflare's Automatic Platform Optimization (APO) caches your site and optimizes components, increasing your site's speed.
- Cloudflare firewall offers free SSL certificate and DNS service along with strong DDoS protection.
- Automatic HTTPS Rewrites fix mixed content by rewriting insecure http:// URLs in your pages to their https:// equivalents.
- Free to start
WordPress Security Plugins:
- They regularly scan your site files for malicious code, and some include a real-time firewall that filters requests for known and unknown threats.
- Many free plugins do not offer features like IP blocking, country blocking and brute-force login protection.
- Some WordPress plugins let you rename the login URL to deflect automated attacks.
- A plugin runs with the full privileges of your WordPress installation, so you are trusting the developer's code and update channel.
All things considered, most WordPress plugins don't speed up your site or offer as many advanced features as Cloudflare's firewall. Cloudflare's firewall is recommended over free security plugins to protect your site from attacks.
How to protect your WordPress site with Cloudflare's firewall
Repeat the process above to create a new firewall rule and name it, but this time click Edit expression.
This gives you direct access to the Expression editor. Insert the following into the field:
((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) and ip.geoip.country ne "US"
Then select Challenge (Captcha) from the Choose an action drop-down menu, and click Deploy.
You have now created a Captcha challenge for all non-US visitors trying to access WordPress xmlrpc.php, wp-login.php and /wp-admin/ (except admin-ajax.php and theme-editor.php), which keeps potential attackers away from your WordPress site while still letting a legitimate non-US administrator pass the challenge. The admin-ajax.php exception is needed because front-end plugins call it for anonymous visitors; think twice about the theme-editor.php exception, since that page edits PHP files and is a frequent target, and consider blocking xmlrpc.php outright if you do not use it.
If your login or admin URLs have been changed, edit the expression to match.
Example 3 – Blocking bad bot traffic
Bad bots are built to carry out a variety of fraudulent practices and malicious activities such as ad fraud, malware delivery and data theft. Around 40% of internet traffic consists of bad bot traffic, and during the pandemic there was a 788% increase in bad bot traffic at retail sites worldwide between September and October 2020, resulting in a loss of $82 million during the peak period.
Blocking bad bot traffic also reduces your exposure to application-layer DDoS attacks, which flood the origin with requests until the server is overloaded and goes offline.
The procedure is similar to the previous example. The only difference is that you choose Block from the Choose an action drop-down menu and paste the following into the expression editor:
(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter" and not cf.client.bot) or (http.user_agent contains "Bot" and not http.user_agent contains "Google" and not cf.client.bot) or (http.user_agent contains "Spider" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot)
This rule blocks bot traffic whose user agent contains the strings "crawl", "bot" or "spider" (unless Cloudflare has verified the bot), plus a list of named user agents. Before deploying it, check three things: contains is case-sensitive, which is why "crawl"/"Crawl" and "bot"/"Bot" both appear; several named agents are legitimate (Yandex, Baidu and Sogou are search engines, and CFNetwork is the HTTP stack used by iOS and macOS apps, so that entry blocks many Apple apps fetching your site); and the named-agent branches are not guarded by cf.client.bot, so a verified crawler on that list is still blocked. The "Google", "bingbot" and "Twitter" exemptions are string matches on a client-supplied header, so a scanner that sets its user agent to "Googlebot" passes this rule; only cf.client.bot proves the bot is genuine.
You can rewrite the same rule using nested parentheses as follows:
(http.user_agent contains "Yandex") or (http.user_agent contains "muckrack") or (http.user_agent contains "Qwantify") or (http.user_agent contains "Sogou") or (http.user_agent contains "BUbiNG") or (http.user_agent contains "knowledge") or (http.user_agent contains "CFNetwork") or (http.user_agent contains "Scrapy") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "AhrefsBot") or (http.user_agent contains "Baiduspider") or (http.user_agent contains "python-requests") or (((http.user_agent contains "crawl") or (http.user_agent contains "Crawl") or (http.user_agent contains "bot" and not http.user_agent contains "bingbot" and not http.user_agent contains "Google" and not http.user_agent contains "Twitter") or (http.user_agent contains "Bot" and not http.user_agent contains "Google") or (http.user_agent contains "Spider") or (http.user_agent contains "spider")) and not cf.client.bot)
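Both rules depend on operator precedence (not binds tighter than and, which binds tighter than or), and a misplaced parenthesis silently changes who gets blocked. The following dry-run evaluator is an added example written for this article, not Cloudflare's code or part of its tooling. It implements only the subset of the expression language used above (fields, contains/eq/ne, and/or/not, parentheses and boolean fields), treats absent fields as empty strings, and takes the cf.client.bot value from the constructed request dictionary rather than from a real verification; the sample requests and user agents are constructed, and the bot rule is shortened to a representative subset of the article's user-agent strings.

```python
"""Added example (not Cloudflare's code): dry-run firewall-rule expressions against constructed
requests, covering the subset this article uses: fields, contains/eq/ne, and/or/not, parentheses,
and boolean fields such as cf.client.bot."""
import re

KEYWORDS = {"and", "or", "not", "contains", "eq", "ne"}
PREC = {"or": 1, "and": 2}  # 'not' binds tighter than both, as in Cloudflare's rules language
_TOKEN_RE = re.compile(r'\s*(?:([()])|"([^"]*)"|([A-Za-z_][A-Za-z0-9_.]*))')

def tokenize(expression):
    """Return (kind, text) tokens; any unrecognised input raises ValueError."""
    tokens, pos = [], 0
    while (m := _TOKEN_RE.match(expression, pos)) is not None:
        pos = m.end()
        paren, string, word = m.groups()
        tokens.append(("PAREN", paren) if paren else ("STRING", string) if string is not None
                      else ("KEYWORD" if word in KEYWORDS else "FIELD", word))
    if expression[pos:].strip():
        raise ValueError(f"bad token at offset {pos}: {expression[pos:pos + 20]!r}")
    return tokens

def parse(tokens):
    """Precedence climbing; returns a nested tuple tree such as ("and", A, ("not", B))."""
    peek = lambda: tokens[0] if tokens else ("END", "")
    take = lambda: tokens.pop(0) if tokens else ("END", "")

    def expr(min_prec):
        kind, text = take()
        if (kind, text) == ("KEYWORD", "not"):
            node = ("not", expr(3))
        elif (kind, text) == ("PAREN", "("):
            node = expr(0)
            if take() != ("PAREN", ")"):
                raise ValueError("missing ')'")
        elif kind == "FIELD" and peek()[0] == "KEYWORD" and peek()[1] in ("contains", "eq", "ne"):
            op, (skind, literal) = take()[1], take()
            if skind != "STRING":
                raise ValueError(f"{op} needs a quoted string")
            node = (op, text, literal)
        elif kind == "FIELD":
            node = ("bool", text)  # bare boolean field, e.g. cf.client.bot
        else:
            raise ValueError(f"unexpected token {text!r}")
        while peek()[0] == "KEYWORD" and PREC.get(peek()[1], 0) > min_prec:
            op = take()[1]
            node = (op, node, expr(PREC[op]))
        return node

    tree = expr(0)
    if tokens:
        raise ValueError(f"unexpected token {tokens[0][1]!r}")
    return tree

def evaluate(node, request):
    op = node[0]
    if op in ("or", "and"):
        left, right = evaluate(node[1], request), evaluate(node[2], request)
        return (left or right) if op == "or" else (left and right)
    if op == "not":
        return not evaluate(node[1], request)
    if op == "bool":
        return bool(request.get(node[1], False))
    value = str(request.get(node[1], ""))  # an absent field behaves as ""
    if op == "contains":
        return node[2] in value  # case-sensitive, like Cloudflare's contains
    return value == node[2] if op == "eq" else value != node[2]

def matches(expression, request):
    """True when the expression selects this request, i.e. the rule's action would apply."""
    return evaluate(parse(tokenize(expression)), request)

# The article's rules with the syntax corrected (ne "US", explicit and/not); the bot rule is cut
# down to a representative subset of its user-agent strings.
WP_CHALLENGE_RULE = ('((http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains'
                     ' "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not'
                     ' http.request.uri.path contains "/wp-admin/admin-ajax.php")) and ip.geoip.country ne "US"')
BAD_BOT_RULE = ('(http.user_agent contains "Yandex") or (http.user_agent contains "python-requests") or'
                ' (((http.user_agent contains "crawl") or (http.user_agent contains "bot" and not'
                ' http.user_agent contains "bingbot" and not http.user_agent contains "Google") or'
                ' (http.user_agent contains "Bot" and not http.user_agent contains "Google") or'
                ' (http.user_agent contains "Spider")) and not cf.client.bot)')

def dry_run():
    """Decisions for constructed requests; cf.client.bot stands in for Cloudflare's verified-bot flag."""
    return {
        "DE login challenged": matches(WP_CHALLENGE_RULE, {"http.request.uri.path": "/wp-login.php", "ip.geoip.country": "DE"}),
        "DE admin-ajax challenged": matches(WP_CHALLENGE_RULE, {"http.request.uri.path": "/wp-admin/admin-ajax.php", "ip.geoip.country": "DE"}),
        "US login challenged": matches(WP_CHALLENGE_RULE, {"http.request.uri.path": "/wp-login.php", "ip.geoip.country": "US"}),
        "verified Googlebot blocked": matches(BAD_BOT_RULE, {"http.user_agent": "Mozilla/5.0 (compatible; Googlebot/2.1)", "cf.client.bot": True}),
        "unverified MyScanBot blocked": matches(BAD_BOT_RULE, {"http.user_agent": "MyScanBot/1.0", "cf.client.bot": False}),
        "spoofed bingbot blocked": matches(BAD_BOT_RULE, {"http.user_agent": "Mozilla/5.0 (compatible; bingbot/2.0)", "cf.client.bot": False}),
    }

def precedence_demo():
    """Without parentheses 'and' binds first, so the first 'or' branch ignores cf.client.bot."""
    verified = {"http.user_agent": "SpiderCheck/1.0", "cf.client.bot": True}
    flat = 'http.user_agent contains "Spider" or http.user_agent contains "spider" and not cf.client.bot'
    grouped = '(http.user_agent contains "Spider" or http.user_agent contains "spider") and not cf.client.bot'
    return matches(flat, verified), matches(grouped, verified)
```

dry_run() shows the two behaviours worth knowing before you deploy: a client that merely claims to be bingbot is not blocked (the "bingbot" exemption is a string match on a header the client controls), and a verified Googlebot is left alone only because cf.client.bot guards the group. precedence_demo() returns (True, False): the flat form blocks a verified bot whose user agent contains "Spider", the parenthesised form does not, which is exactly the difference between the two versions of the rule above.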
How to check if your firewall rules are working
After you finish the setup, check that the firewall rules are working. To do this, open the Firewall Events log on the Overview tab of the Firewall section, where you can see a list of firewall events and the details of each one.
Note that checking firewall rules may take some time if you do not have a lot of traffic. If this is the case, wait a few days and monitor Google Analytics to make sure there are no anomalies before returning to Cloudflare and checking the events log.
The events to watch most closely are Challenge and Block events.
When Challenge and Block events appear in the list, take a moment to read them and see whether any good bots were blocked when they shouldn't have been, or whether any known bad bots got through. You must make sure that no legitimate traffic is denied access to your site because of a mistake made while setting up the firewall rules.
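Reading events one by one does not scale once a rule is busy, so the following triage script is an added example, written for this article and not part of Cloudflare's tooling. It assumes you have exported firewall events as one JSON object per line with field names modelled on Cloudflare's firewall events dataset (action, userAgent, clientIP, clientRequestPath, ruleId); adjust the names to whatever your export produces. The sample events are constructed, using documentation IP ranges, and the list of good-bot name hints is only a prompt to look closer: a user-agent string proves nothing, and only verification (cf.client.bot or a reverse DNS check) tells you the crawler is genuine.

```python
"""Added example (not Cloudflare's code): triage firewall events exported as one JSON object
per line. Field names are assumptions modelled on Cloudflare's firewall events dataset."""
import json
from collections import Counter

# Name hints for crawlers you normally want to keep. A hit only means "review this event";
# the user agent is client-supplied, so it does not prove the bot is genuine.
GOOD_BOT_HINTS = ("Googlebot", "bingbot", "Applebot", "LinkedInBot", "Slurp")

# Constructed sample export (documentation IP ranges, hypothetical rule ids).
SAMPLE_EVENTS = """\
{"action": "block", "userAgent": "python-requests/2.31.0", "clientIP": "203.0.113.10", "clientRequestPath": "/wp-login.php", "ruleId": "badbots"}
{"action": "challenge", "userAgent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "clientIP": "198.51.100.7", "clientRequestPath": "/", "ruleId": "badbots"}
{"action": "block", "userAgent": "MyScanBot/1.0", "clientIP": "203.0.113.10", "clientRequestPath": "/xmlrpc.php", "ruleId": "badbots"}
{"action": "challenge", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "clientIP": "192.0.2.44", "clientRequestPath": "/wp-login.php", "ruleId": "wp-non-us"}
{"action": "block", "userAgent": "python-requests/2.31.0", "clientIP": "203.0.113.10", "clientRequestPath": "/wp-login.php", "ruleId": "badbots"}
"""

def triage(ndjson, top=3):
    """Summarise events: counts per (rule, action), events that look like good bots caught by a
    Block/Challenge rule (review these first), and the client IPs that are blocked most often."""
    events = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    by_rule = Counter((e["ruleId"], e["action"]) for e in events)
    review = [e for e in events if e["action"] in ("block", "challenge")
              and any(hint in e.get("userAgent", "") for hint in GOOD_BOT_HINTS)]
    blocked_ips = Counter(e["clientIP"] for e in events if e["action"] == "block")
    return {"by_rule": dict(by_rule), "review": review, "top_blocked_ips": blocked_ips.most_common(top)}

if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for (rule, action), count in sorted(summary["by_rule"].items()):
        print(f"{rule:10} {action:10} {count}")
    for e in summary["review"]:
        print("REVIEW:", e["action"], e["clientIP"], e["userAgent"])
    print("most blocked:", summary["top_blocked_ips"])
```

On the sample data the script flags the challenged Googlebot event for review and shows one IP hitting /wp-login.php repeatedly through the bot rule. Repeated Block events from a single IP against login endpoints are a candidate for an IP or rate-limiting rule; a flagged good bot is a candidate for moving the cf.client.bot Allow rule above the blocking rule, after you have verified the bot is real.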
Summary – Use Cloudflare firewall rules to your advantage
RunCloud allows you to easily manage your server and web application and integrates seamlessly with Cloudflare. We hope you found this guide useful for setting up and effectively applying Cloudflare firewall rules to improve the security and performance of your web application.
Get started with RunCloud today.
What firewall rules are you currently enforcing through Cloudflare? Let us know and join the conversation in the comments below! 💬