How to set up Cloudflare Page and Firewall Rules

In this post, we will look at Cloudflare page rules and Cloudflare firewall rules.
Page rules will be used for HTML caching and firewall rules will be used to increase the security of your WordPress website.

I will skip the initial setup of Cloudflare (changing nameservers, etc.); please refer to Cloudflare's official documentation for that.

Note before you read on: my opinion is that any Cloudflare product isn’t GDPR compliant at the moment, so proceed at your own discretion.

Introduction to Cloudflare

As you probably know, Cloudflare is the biggest CDN provider, at least that's my wild guess.
Cloudflare offers a free plan that you should make use of, at least for DNS management, because there is an endless amount of good documentation and Cloudflare offers one of the fastest DNS services (yes, faster than Google) for free.
Just by using their DNS you can shave off 10-100 ms or even more, depending on your host.

The free plan also comes with some basic security and performance options. To get the most out of those you’ll need to set up page rules and firewall rules.

In the free plan, you're allowed to set up 3 page rules and 5 firewall rules. More rules cost extra; I believe it's around $5 for 5 rules, but I'd rather invest those $5 in other Cloudflare add-ons, like APO (Automatic Platform Optimization).

If you’re looking to maximize the benefits of Cloudflare beyond the free plan, consider finding a Cloudflare expert at toptal.com who can help you set up and optimize your account.

Cloudflare Caching Plugin

I would recommend setting up this plugin if you're using the Cloudflare free plan. It offers direct integration with Cloudflare and more control over how things work.

If you’re using another caching plugin check the FAQ at the end of the article.

You only need to set up the *preview=true* rule manually and extend the wp-admin rule.

It also provides an integrated fallback cache for when the CDN cache is missed, as well as options and hints for getting certain plugins you have installed to work correctly with Cloudflare.

Do not skip this unless you can’t use it for some reason or definitely know what you’re doing.

The plugin can be found in the WP Repo:
Super Page Cache for Cloudflare

A setup guide for the plugin will likely follow soon.

Page Rules

Before we set up caching rules, go to the Caching tab and click the Configuration option. There you're looking for Browser Cache TTL; set this to "Respect existing headers".

To access the page rules, go to your Cloudflare dashboard and select Rules in the left sidebar panel; there you will find the option Page Rules.

Now create the 3 rules you're allowed, as shown in my screenshots (written version below for screen reader users):

The first rule:

URL is https://yoursite.com/wp-admin*

Settings:
Browser Integrity Check set to on
Security Level set to High
Cache Level set to Bypass
Disable Performance set (turns off Cloudflare's performance features, such as Rocket Loader and Auto Minify, for this path)

The second rule:

URL is https://yoursite.com/*preview=true*

Settings:
Cache Level set to Bypass

The third rule:

URL is https://yoursite.com/*

Settings:
Browser Cache TTL set to a month (or whatever you prefer)
Cache Level set to Cache Everything

Afterwards your dashboard should look like this. It is very important to have the rules in exactly the order explained above: Cloudflare applies only the first page rule whose pattern matches a URL, and the Cache Everything rule matches every URL, so it needs to be last.

Cloudflare Dashboard Overview of Page Rules
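To make the ordering requirement concrete, here is a small added example (not code from the post or from Cloudflare) that models how page rules are matched: patterns are tried top to bottom, `*` matches any run of characters, and the first match wins. The rule list and the URLs are constructed from the three rules above; `yoursite.com` is the post's placeholder domain.

```python
import re

# Constructed page rules in the order the post prescribes (most specific first).
# Cloudflare evaluates page rules top to bottom and applies only the first match,
# which is why "Cache Everything" on the catch-all pattern must come last.
PAGE_RULES = [
    ("https://yoursite.com/wp-admin*", {
        "cache_level": "bypass",
        "security_level": "high",
        "browser_integrity_check": True,
        "disable_performance": True,
    }),
    ("https://yoursite.com/*preview=true*", {"cache_level": "bypass"}),
    ("https://yoursite.com/*", {
        "cache_level": "cache_everything",
        "browser_cache_ttl": "1 month",
    }),
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a page-rule URL pattern into a regex: '*' matches any run of characters,
    everything else is matched literally and the whole URL must match."""
    parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def first_match(url: str, rules=PAGE_RULES):
    """Return the settings dict of the first rule whose pattern matches, or None."""
    for pattern, settings in rules:
        if pattern_to_regex(pattern).match(url):
            return settings
    return None


def cache_level(url: str, rules=PAGE_RULES) -> str:
    """Effective Cache Level for a URL ('default' when no page rule matches)."""
    settings = first_match(url, rules)
    return settings["cache_level"] if settings else "default"


if __name__ == "__main__":
    for url in ("https://yoursite.com/wp-admin/edit.php",
                "https://yoursite.com/?p=5&preview=true",
                "https://yoursite.com/blog/hello-world/"):
        print(url, "->", cache_level(url))
    # With the catch-all first, wp-admin would be cached, which is exactly the mistake to avoid:
    print("wrong order:", cache_level("https://yoursite.com/wp-admin/", list(reversed(PAGE_RULES))))
```

Running the `reversed(PAGE_RULES)` case shows the failure mode the post warns about: with the catch-all rule at the top, `/wp-admin/` is reported as `cache_everything` instead of `bypass`.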

Firewall Rules

Click the Security tab in your Cloudflare dashboard panel and then click WAF.
Create a new firewall rule.

If you're interested in security, you should take a look at my Security Guide for WordPress.

First Rule: Locking down WP-Admin

Give the rule a name you can remember; I chose "WP-login and WP-admin".
This rule will block visitors from other countries accessing wp-login or wp-admin, which drastically reduces the bot traffic to those entry points.

Set up the following:
URI Path > Contains > /wp-login.php
AND
Country > does not equal > your country
OR
URI Path > Contains > /wp-admin/
AND
Country > does not equal > your country
AND
URI Path > does not equal > /wp-admin/admin-ajax.php

Note: If you’re logging in from multiple countries you can replace “does not equal” with “is not in” and add multiple countries.

THEN: Block

Expression to copy & paste (replace DE with your country code) + screenshot:

(http.request.uri.path contains "/wp-login.php" and ip.geoip.country ne "DE") or (http.request.uri.path contains "/wp-admin/" and ip.geoip.country ne "DE" and http.request.uri.path ne "/wp-admin/admin-ajax.php")
Cloudflare dashboard showing the WP-Admin lockdown firewall rule

Second Rule: Threat Score

I called this rule "Threat Score" because that is what it's based on.
This rule will challenge any visitor above a certain threat score.
You can read more about threat scores in Cloudflare's documentation.

Set up:
Threat Score > greater than > 10
Then: Managed Challenge

Expression to copy & paste + screenshot:

(cf.threat_score gt 10)
Cloudflare dashboard showing the threat score managed challenge rule

Third Rule: Lock down WordPress

This rule will block direct access to your wp-includes and wp-content directories.
The referer condition still allows access from your own site.
If you need to allow direct access from somewhere outside your site (for example because you're sending links to uploaded PDFs via e-mail), add an exception.

Set up:
URI > equals > /xmlrpc.php (only if you don't use XML-RPC, which you likely don't)
OR
URI Path > contains > /wp-content/
AND
Referer > does not contain > yourdomain
AND
URI Path > does not contain > whatever filetype exception you need
OR
URI Path > contains > /wp-includes/
AND
Referer > does not contain > yourdomain

THEN: Block

Expression to copy & paste (replace pressimize.com with your domain) + screenshot:

(http.request.uri eq "/xmlrpc.php") or (http.request.uri.path contains "/wp-content/" and not http.referer contains "pressimize.com" and not http.request.uri.path contains ".pdf") or (http.request.uri.path contains "/wp-includes/" and not http.referer contains "pressimize.com")
Cloudflare dashboard showing the Lock Down WordPress rule
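The three expressions above read as a handful of boolean conditions, and the exceptions (admin-ajax.php, your own domain as referer, the PDF file type) are where mistakes usually creep in. The following added example, which is not code from the post or from Cloudflare, restates the three rules as Python predicates over a constructed request object and runs a few constructed requests through them in the order the rules were created, returning the action of the first rule that matches (all three actions used here terminate evaluation). `DE`, `pressimize.com` and `.pdf` are the post's placeholder values; the `Request` class and its field names are my own.

```python
from dataclasses import dataclass

MY_COUNTRY = "DE"              # replace with your own country code, as in the post
MY_DOMAIN = "pressimize.com"   # the post's example domain; replace with yours
FILETYPE_EXCEPTION = ".pdf"    # the file type the post exempts from the wp-content block


@dataclass
class Request:
    """Constructed stand-in for the request fields the post's expressions read."""
    path: str               # http.request.uri.path (no query string)
    country: str            # ip.geoip.country
    threat_score: int = 0   # cf.threat_score
    referer: str = ""       # http.referer ("" when the header is absent)
    query: str = ""         # appended to path to form http.request.uri

    @property
    def uri(self) -> str:
        """http.request.uri: path plus query string, if any."""
        return self.path + ("?" + self.query if self.query else "")


def wp_admin_lockdown(r: Request) -> bool:
    """(http.request.uri.path contains "/wp-login.php" and ip.geoip.country ne "DE")
    or (http.request.uri.path contains "/wp-admin/" and ip.geoip.country ne "DE"
        and http.request.uri.path ne "/wp-admin/admin-ajax.php")"""
    foreign = r.country != MY_COUNTRY
    return ("/wp-login.php" in r.path and foreign) or (
        "/wp-admin/" in r.path and foreign and r.path != "/wp-admin/admin-ajax.php")


def threat_score_rule(r: Request) -> bool:
    """(cf.threat_score gt 10)"""
    return r.threat_score > 10


def lock_down_wordpress(r: Request) -> bool:
    """(http.request.uri eq "/xmlrpc.php")
    or (http.request.uri.path contains "/wp-content/" and not http.referer contains "pressimize.com"
        and not http.request.uri.path contains ".pdf")
    or (http.request.uri.path contains "/wp-includes/" and not http.referer contains "pressimize.com")"""
    own_site = MY_DOMAIN in r.referer
    return (r.uri == "/xmlrpc.php"
            or ("/wp-content/" in r.path and not own_site and FILETYPE_EXCEPTION not in r.path)
            or ("/wp-includes/" in r.path and not own_site))


# Rules in the order the post creates them; the first matching rule decides the action.
RULES = [
    ("WP-login and WP-admin", wp_admin_lockdown, "block"),
    ("Threat Score", threat_score_rule, "managed_challenge"),
    ("Lock down WordPress", lock_down_wordpress, "block"),
]


def decide(r: Request) -> str:
    """Return the action of the first matching rule, or 'allow' if none matches."""
    for _name, predicate, action in RULES:
        if predicate(r):
            return action
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests covering each rule and each exception.
    samples = [
        Request("/wp-login.php", "US"),                                   # foreign login attempt
        Request("/wp-login.php", "DE"),                                   # your own country
        Request("/wp-admin/admin-ajax.php", "US"),                        # front-end AJAX stays open
        Request("/wp-admin/edit.php", "US"),
        Request("/", "DE", threat_score=25),                              # challenged, not blocked
        Request("/wp-content/uploads/2023/brochure.pdf", "US"),           # PDF exception
        Request("/wp-content/plugins/x/readme.txt", "US"),                # hotlinked, no referer
        Request("/wp-content/themes/t/style.css", "US", referer="https://pressimize.com/"),
        Request("/xmlrpc.php", "DE"),
        Request("/wp-includes/js/jquery/jquery.js", "FR"),
    ]
    for req in samples:
        print(f"{req.country:2} {req.uri:45} -> {decide(req)}")
```

The point of the sample set is to confirm the two things that are easy to get wrong when transcribing the rules into the dashboard: `admin-ajax.php` must remain reachable from abroad for front-end functionality, and assets requested with your own domain as referer (or matching the file-type exception) must not be blocked.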

Managed Rules

At the time of writing I do not have access to the Cloudflare managed rules.
I will add more information about them once I have access.

Bonus: Security Settings

Inside the Security tab in the left side panel you'll find the Settings item.
Click it to find further options.

I'd recommend setting the Security Level according to the threat score you chose in the firewall rule. I chose Medium.

Challenge Passage sets how long a visitor is granted access after passing a challenge (before possibly being issued a new one). I chose 1 day.

Browser Integrity Check and Privacy Pass Support should be set to on.

Frequently Asked Questions

Can I use all of this in the free plan?

Yes, you only need the free CF plan and to proxy your site through Cloudflare (orange cloud active).

What if I use a caching plugin?

If you already use a caching plugin you can replace it with Super Page Cache. You can also configure most caching plugins to only optimize assets like JS / CSS but not cache HTML and leave this for Super Page Cache.

What caching plugins are compatible?

I've tested this setup with FlyingPress* and SwiftPerformance* (use coupon "Pressimize" for 15% off); if you can't make it work yourself, their support will gladly help.
