A few years ago, I created some custom firewall rules on Cloudflare to help protect my clients’ sites from bots, spammers, hackers, and other threats. Over the years, those rules have stopped thousands, if not millions, of attacks on my clients and on other websites hosted or managed by designers and marketers from The Admin Bar Facebook Group.
I am a HUGE FAN of Cloudflare and highly recommend it to everyone. I have clients on the Free, Pro, and Business plans, and Cloudflare is a saving grace for anyone hosting or managing websites. After extensive testing and revision, I finally have version 3 ready. The rules are similar to my old ones, only better, and I kept the set under five rules so it works with any Cloudflare plan.
Main Rules
Allow Good Bots
The “Allow Good Bots” rule grants full, unrestricted access to bots that you approve of, including those you manually add and those classified as safe by Cloudflare.
Cloudflare publishes details about these bots and their categories on Cloudflare Radar:
Cloudflare Radar Verified Bots
While you can customize this list to suit your needs, Cloudflare generally does an excellent job of allowing legitimate bots through its Known Bot and Verified Bot categories.
(cf.client.bot) or (cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher"}) or (http.user_agent contains "letsencrypt" and http.request.uri.path contains "acme-challenge")
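If you rely on a service that Cloudflare does not verify, you can append its user agent to this rule yourself. A minimal sketch, assuming a hypothetical bot whose user agent contains "examplebot" and that connects from ASN 64496 (a reserved documentation ASN standing in for the service’s real network):

```
or (http.user_agent contains "examplebot" and ip.geoip.asnum in {64496})
```

Pairing the user agent with the provider’s ASN is worth the extra lookup, because user agents are trivially spoofed; the ASN check keeps fake bots from riding in on the allow rule.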
Modified Good Bots
Note: this section only applies if you already have an Allow/Skip Good Bots rule. If you are starting fresh, skip it and use the rule above as-is.
If you do have an existing rule, append the verified bot categories below to it. I included everything under Verified Bot Category except AI Crawler, Aggregator, and Other.
or (cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher"}) or (http.user_agent contains "letsencrypt" and http.request.uri.path contains "acme-challenge")
Aggressive Crawlers
The “Aggressive Crawlers” rule is designed to block overly persistent bots. While it effectively blocks many fake bots, it also blocks aggressive SEO crawlers such as Semrush and Ahrefs, so remove those clauses if you rely on their tools.
(http.user_agent contains "yandex") or (http.user_agent contains "sogou") or (http.user_agent contains "semrush") or (http.user_agent contains "ahrefs") or (http.user_agent contains "baidu") or (http.user_agent contains "python-requests") or (http.user_agent contains "neevabot") or (http.user_agent contains "CF-UC") or (http.user_agent contains "sitelock") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not cf.client.bot) or (http.user_agent contains "Bot" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot) or (http.user_agent contains "mj12bot") or (http.user_agent contains "ZoominfoBot") or (http.user_agent contains "mojeek") or (ip.geoip.asnum in {135061 23724 4808} and http.user_agent contains "siteaudit")
Challenge Large Providers / Country
This rule addresses two key issues: it issues a managed challenge to connections from VPS servers hosted on Google Cloud, Amazon EC2, and Microsoft Azure, and to visitors from outside your country of origin.
Hackers and spammers often use VPS servers from Google, Amazon, and Azure to launch rapid attacks on sites or waste resources by scanning them. These servers can be active for a day or longer, consuming resources and posing a threat to your site.
(ip.geoip.asnum in {7224 16509 14618 15169 8075 396982} and not cf.client.bot and not cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher" "Aggregator"}) or (not ip.geoip.country in {"US"} and not cf.client.bot and not cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher" "Aggregator"} and not http.request.uri.path contains "acme-challenge" and not http.request.uri.query contains "fbclid" and not ip.geoip.asnum in {32934})
If you do not want to challenge visitors from outside your country of origin, use the rule below instead.
(ip.geoip.asnum in {7224 16509 14618 15169 8075 396982} and not cf.client.bot and not cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher" "Aggregator"} and not http.request.uri.path contains "acme-challenge")
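The country clause in the full rule above uses ISO 3166-1 alpha-2 codes, so if your audience spans several countries, list them all in the set. A sketch of the country portion challenging everyone outside the US, Canada, and the UK (adjust the codes to your own audience):

```
(not ip.geoip.country in {"US" "CA" "GB"} and not cf.client.bot and not http.request.uri.path contains "acme-challenge")
```

Check your Cloudflare Analytics for where legitimate traffic actually originates before narrowing the list, so you don’t challenge real customers.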
Challenge Path / VPN Managed Challenge
This rule tackles two primary concerns: it issues a managed challenge to connections from known VPN providers and to requests for the WordPress login path (wp-login.php). Access to xmlrpc.php is handled separately by the block rule below.
(ip.geoip.asnum in {60068 9009 16247 51332 212238 131199 22298 29761 62639 206150 210277 46562 8100 3214 206092 206074 206164 213074}) or (http.request.uri.path contains "wp-login")
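When a VPN provider not on this list shows up in your Security Events log, you can add its ASN to the set. A shortened sketch using the reserved documentation ASN 64496 as a placeholder for the new provider (the real rule keeps the full ASN list; look the provider’s actual ASN up in the event details or a WHOIS service):

```
(ip.geoip.asnum in {60068 9009 16247 64496}) or (http.request.uri.path contains "wp-login")
```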
Block Web Host / Paths / TOR
This rule includes a list of web hosting providers I have compiled over the years. While it doesn’t cover every host, it does encompass many of the major ones. The rule also blocks access to sensitive paths such as xmlrpc.php, wp-config.php, and wlwmanifest, blocks the AI Crawler and Other categories from Cloudflare’s Verified Bot list, and blocks Tor exit nodes (country code T1).
In my experience, the risk of this traffic outweighs the benefit, so I keep the action set to “Block,” and I do the same for my largest client’s site. They run an eCommerce store that had experienced significant fraud, and since we started blocking these networks, their fraud incidents have decreased.
(ip.geoip.asnum in {26496 31815 18450 398101 50673 7393 14061 205544 199610 21501 16125 51540 264649 39020 30083 35540 55293 36943 32244 6724 63949 7203 201924 30633 208046 36352 25264 32475 23033 212047 31898 210920 211252 16276 23470 136907 12876 210558 132203 61317 212238 37963 13238 2639 20473 63018 395954 19437 207990 27411 53667 27176 396507 206575 20454 51167 60781 62240 398493 206092 63023 213230 26347 20738 45102 24940 57523 8100 8560 6939 14178 46606 197540 397630 9009 11878}) or (http.request.uri.path contains "xmlrpc") or (http.request.uri.path contains "wp-config") or (http.request.uri.path contains "wlwmanifest") or (cf.verified_bot_category in {"AI Crawler" "Other"}) or (ip.geoip.country in {"T1"})
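One caveat: blocking xmlrpc.php outright breaks Jetpack and the WordPress mobile app, which connect through Automattic’s network. A hedged carve-out for the xmlrpc clause, assuming Automattic’s ASN is 2635 (verify this against your own Security Events before deploying):

```
(http.request.uri.path contains "xmlrpc" and not ip.geoip.asnum in {2635})
```

If you don’t use Jetpack or the mobile app, keep the original unconditional clause; it is the safer default.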
Additional Options
Whitelisting Server IP
Since we are blocking some web hosting providers, you must add your web server’s IP address to the allowlist under Security > WAF > Tools in Cloudflare to ensure your cron jobs and other server-initiated requests keep working.
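The Tools allowlist is the simplest route, but the same effect can come from a WAF custom rule with the Skip action. A sketch using 203.0.113.10, a reserved documentation address, as a placeholder for your server’s real IP:

```
(ip.src eq 203.0.113.10)
```

Set the action to Skip and place the rule above the block rules, since Cloudflare evaluates custom rules in order and stops at the first Skip match.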
Disable Onion Routing
As mentioned above, I block Tor exit nodes, so I also turn off Cloudflare’s Onion Routing setting, which is located under the Network tab.
You can learn more about Tor and Onion Routing in Cloudflare’s documentation: Onion Routing and Tor support.
Thank you for your support
I hope you enjoy the Cloudflare WAF security rules I’ve shared. If you found them helpful and would like to show your support, consider buying me a coffee. Your generosity is greatly appreciated!
Course Sign up
I’m creating a Cloudflare course where I will cover each aspect of Cloudflare and share how I utilize it. If you’d like to be notified when the course is ready, please sign up below.