
Our Cloudflare WAF Ruleset

Below are the Cloudflare WAF rules deployed on Positive Medium’s Managed WordPress Hosting to safeguard our clients’ websites. These rules can be implemented by anyone using Cloudflare’s free plan.

Customize the country block list to your client’s audience; several of the entries below are EU member states, which is rarely appropriate for a site that sells to Europe. Keep the US unblocked, because Googlebot and most third-party services (uptime monitors, payment webhooks, social media link previews) request from US-based addresses. Note also that several of the listed ASNs belong to large cloud and hosting providers, so any legitimate integration hosted on those networks will be blocked as well; after deploying, review the Security Events log for a few days and add exceptions for anything you rely on. To implement these rules, open Security > WAF > Custom rules in the Cloudflare dashboard, create a rule, switch to the expression editor and paste the expression in.

Set the action to “block” for all rules.

Country and ASN blocks

(ip.geoip.country in {"AF" "BD" "BN" "BG" "CF" "CN" "CZ" "PF" "IR" "IQ" "KZ" "KP" "PK" "PA" "PL" "RO" "RU" "SC" "SK" "SI" "LK" "TR" "TM" "UA"}) or (ip.geoip.asnum in {9009 22295 206216 14061 16509 30823 396982 14956 62610 36007 51167 22611 22612 206092 398779 16276 36352 396356 40021 398101 33363 132203 1101 214943 53667 210558 38719})

Login/wp-admin block

(http.request.uri.path contains "/wp-login.php" or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php")) and ip.geoip.country ne "[YOUR_COUNTRY]"

I’ve used country as the example, but you can substitute any other criterion the expression language exposes: a single address or CIDR range via the ip.src field, an ASN via ip.geoip.asnum, and so on. The admin-ajax.php exception is required because front-end features (forms, AJAX-driven plugins, WooCommerce cart updates) post to that file for anonymous visitors from every country.

XML-RPC, wp-content and wp-includes block

(http.request.uri.path eq "/xmlrpc.php") or (http.request.uri.path contains "/wp-content/" and not http.referer contains "[YOUR_DOMAIN_NAME]") or (http.request.uri.path contains "/wp-includes/" and not http.referer contains "[YOUR_DOMAIN_NAME]")

The first clause matches on http.request.uri.path rather than http.request.uri: the latter includes the query string, so a request such as /xmlrpc.php?rsd would slip past an exact-match comparison. Blocking xmlrpc.php removes the classic brute-force and pingback-amplification surface, but it also breaks anything that legitimately talks to WordPress over XML-RPC (Jetpack and the WordPress mobile apps, for example), so either skip it for those services or leave this clause out on sites that need them.

Note: If your site is shared on social media platforms like LinkedIn or Facebook, extend the wp-content clause so that uploaded media is excluded:

(http.request.uri.path contains "/wp-content/" and not http.request.uri.path contains "/wp-content/uploads/" and not http.referer contains "[YOUR_DOMAIN_NAME]")

Link-preview crawlers fetch the image directly without a Referer from your site, as do e-mail clients and feed readers, so without this exception those images come back blocked. Treat the Referer conditions as a nuisance filter rather than a security boundary: the header is set by the client, so any deliberate attacker simply sends one, and because "contains" is a substring match a Referer of https://[YOUR_DOMAIN_NAME].attacker.example/ also passes.

You can consolidate all of these into a single rule if preferred, which matters on the free plan, where the number of custom rules per zone is limited. My current Cloudflare rule structure consists of three tiers: Allow/Skip (for Let’s Encrypt, ManageWP, and other essential services), Block, and Challenge. Cloudflare evaluates custom rules in list order and a matching Skip rule stops evaluation of the rules below it, so the Skip tier must sit above the Block tier. The Let’s Encrypt entry is not optional if you use HTTP-01 validation: its validators request /.well-known/acme-challenge/ from several vantage points, and the country block would otherwise fail renewals.
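To check how the three rules and the skip tier interact before pasting them into a live zone, the following is an added example (not code from the post or from Cloudflare): each Python predicate mirrors one of the expressions above, with the placeholders filled in with constructed values (HOME_COUNTRY, DOMAIN, an abbreviated country/ASN subset, and an assumed skip list of the ACME challenge path plus one management-service address). It also keeps the original http.request.uri comparison for xmlrpc.php beside the corrected http.request.uri.path form, so the query-string bypass, the uploads exception and the spoofed-Referer weakness can all be exercised on sample requests.

```python
# Offline model of the three custom rules in this post plus a skip tier.
# Added example, not from the post; the Cloudflare expressions are quoted in
# comments and each Python predicate mirrors one of them so sample requests
# can be run through the same logic without a Cloudflare zone.
from dataclasses import dataclass

# Placeholders from the post, filled with constructed values for the example.
HOME_COUNTRY = "US"                                  # [YOUR_COUNTRY]
DOMAIN = "example.com"                               # [YOUR_DOMAIN_NAME]
BLOCKED_COUNTRIES = {"AF", "CN", "IR", "KP", "RU"}   # short subset of the post's list
BLOCKED_ASNS = {14061, 16509, 396982}                # short subset of the post's list
# Assumed skip-tier allow-list (the post only says one exists): ACME HTTP-01
# validation paths and one constructed management-service address.
SKIP_PATH_PREFIX = "/.well-known/acme-challenge/"
SKIP_IPS = {"203.0.113.10"}


@dataclass
class Request:
    path: str                       # http.request.uri.path
    country: str                    # ip.geoip.country
    asn: int = 0                    # ip.geoip.asnum
    query: str = ""                 # appended to path to form http.request.uri
    referer: str = ""               # http.referer ("" = header absent)
    ip: str = "198.51.100.7"        # ip.src

    @property
    def uri(self) -> str:
        """http.request.uri: path plus query string, when one is present."""
        return f"{self.path}?{self.query}" if self.query else self.path


def skip_rule(r: Request) -> bool:
    # Tier 1. Must sit above the block rules; a matching skip ends evaluation.
    return r.path.startswith(SKIP_PATH_PREFIX) or r.ip in SKIP_IPS


def country_asn_block(r: Request) -> bool:
    # (ip.geoip.country in {...}) or (ip.geoip.asnum in {...})
    return r.country in BLOCKED_COUNTRIES or r.asn in BLOCKED_ASNS


def login_block(r: Request) -> bool:
    # (http.request.uri.path contains "/wp-login.php" or
    #  (http.request.uri.path contains "/wp-admin/" and
    #   http.request.uri.path ne "/wp-admin/admin-ajax.php"))
    # and ip.geoip.country ne "[YOUR_COUNTRY]"
    is_login = "/wp-login.php" in r.path
    is_admin = "/wp-admin/" in r.path and r.path != "/wp-admin/admin-ajax.php"
    return (is_login or is_admin) and r.country != HOME_COUNTRY


def core_dir_block(r: Request, path_match: bool, uploads_exception: bool) -> bool:
    # path_match=False : http.request.uri eq "/xmlrpc.php"      (original wording)
    # path_match=True  : http.request.uri.path eq "/xmlrpc.php" (query string ignored)
    # uploads_exception: the "not ... contains /wp-content/uploads/" addition
    xmlrpc_target = r.path if path_match else r.uri
    if xmlrpc_target == "/xmlrpc.php":
        return True
    foreign_referer = DOMAIN not in r.referer      # not http.referer contains DOMAIN
    in_content = "/wp-content/" in r.path
    if uploads_exception and "/wp-content/uploads/" in r.path:
        in_content = False
    in_includes = "/wp-includes/" in r.path
    return (in_content or in_includes) and foreign_referer


def decide(r: Request, path_match: bool = True, uploads_exception: bool = True) -> str:
    """Evaluate the tiers in Cloudflare order; returns "skip", "block" or "allow"."""
    if skip_rule(r):
        return "skip"
    if country_asn_block(r) or login_block(r) or core_dir_block(r, path_match, uploads_exception):
        return "block"
    return "allow"


if __name__ == "__main__":
    samples = [  # constructed requests, not real traffic
        ("ACME validation from a blocked country", Request(SKIP_PATH_PREFIX + "tok", "CN")),
        ("xmlrpc with query, original uri match", Request("/xmlrpc.php", "US", query="rsd")),
        ("admin-ajax from abroad", Request("/wp-admin/admin-ajax.php", "DE")),
        ("wp-login from abroad", Request("/wp-login.php", "DE")),
        ("uploaded image fetched with no Referer", Request("/wp-content/uploads/a.png", "US")),
        ("plugin readme, spoofed Referer", Request("/wp-content/plugins/p/readme.txt", "US",
                                                 referer="https://example.com.attacker.net/")),
    ]
    for label, req in samples:
        print(f"{label:45s} -> {decide(req, path_match='original' not in label)}")
```

Running it shows the ACME request skipped despite coming from a blocked country, the xmlrpc.php?rsd request allowed under the original http.request.uri comparison, and the plugin readme allowed when the attacker sets a Referer that merely contains the domain; the last case is why the Referer clauses should be treated as hotlink and scanner friction, not as access control.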
