Cloudflare WAF Rules V3

A few years ago, I created some custom firewall rules on Cloudflare to help protect my client’s sites from bots, spammers, hackers, etc. Over the years, those rules have helped stop thousands, if not millions, of attacks on my clients and other websites hosted/managed by designers/marketers from The Admin Bar Facebook Group

I am a HUGE FAN of Cloudflare and highly recommend it for everyone. I have clients on the Free, Pro, and Business plans. Cloudflare is a saving grace for anyone hosting and/or managing websites. After much testing and changing the rules, I finally have my version 3 ready. The rules are similar to my old rules but for the better. I kept it under 5 rules so they’ll work with any Cloudflare Plan.

Table of Contents

Main Rules

Allow Good Bots

The “Allow Good Bots” rule grants full, unrestricted access to bots that you approve of, including those you manually add and those classified as safe by Cloudflare.

Cloudflare provides information about bots in the verified bots categories.

Verified Bots KB

Cloudflare Radar Verified Bots

While you can customize this list to suit your needs, Cloudflare generally does an excellent job of allowing legitimate bots through its Known Bot and Verified Bot categories.

Edit Content
				
					(cf.client.bot) or (cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher"}) or (http.user_agent contains "letsencrypt" and http.request.uri.path contains "acme-challenge")

				
			

Modified Good Bots

Ensure that you include the “Verified Bots” category in your existing Allow/Skip Good Bot rule.

I added everything under Verified Bot Category except for AI Crawler, Aggregator, and Other.

Edit Content
				
					or (cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher"}) or (http.user_agent contains "letsencrypt" and http.request.uri.path contains "acme-challenge")
				
			

Aggressive Crawlers

The “Aggressive Crawlers” rule is designed to block overly persistent bots. While it effectively prevents many fake bots, it can also block aggressive SEO crawler bots. 

Edit Content
				
					(http.user_agent contains "yandex") or (http.user_agent contains "sogou") or (http.user_agent contains "semrush") or (http.user_agent contains "ahrefs") or (http.user_agent contains "baidu") or (http.user_agent contains "python-requests") or (http.user_agent contains "neevabot") or (http.user_agent contains "CF-UC") or (http.user_agent contains "sitelock") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not cf.client.bot) or (http.user_agent contains "Bot" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot) or (http.user_agent contains "mj12bot") or (http.user_agent contains "ZoominfoBot") or (http.user_agent contains "mojeek") or (ip.geoip.asnum in {135061 23724 4808} and http.user_agent contains "siteaudit")
				
			

Challenge Large Providers / Country

This rule addresses two key issues. It manages challenge connections from VPS servers hosted on Google Cloud, Amazon EC2, and Azure, as well as visitors from outside your country of origin.

Hackers and spammers often use VPS servers from Google, Amazon, and Azure to launch rapid attacks on sites or waste resources by scanning them. These servers can be active for a day or longer, consuming resources and posing a threat to your site.

Edit Content
				
					(ip.geoip.asnum in {7224 16509 14618 15169 8075 396982} and not cf.client.bot and not cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher" "Aggregator"} and not http.request.uri.path contains "acme-challenge") or (not ip.geoip.country in {"US"} and not cf.client.bot and not cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher" "Aggregator"} and not http.request.uri.path contains "acme-challenge")

				
			
Edit Content
				
					(ip.geoip.asnum in {7224 16509 14618 15169 8075 396982} and not cf.client.bot and not cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher" "Aggregator"} and not http.request.uri.path contains "acme-challenge")
				
			

Challenge Path / VPN Managed Challenge

This rule tackles two primary concerns: it manages challenge connections from VPN providers and monitors access to specific paths (wp-login.php and xmlrpc.php).

Edit Content
				
					(ip.geoip.asnum in {60068 9009 16247 51332 212238 131199 22298 29761 62639 206150 210277 46562 8100 3214 206092 206074 206164 213074}) or (http.request.uri.path contains "wp-login")
				
			

Block Web Host / Paths / TOR

This rule includes a list of web hosts I have compiled over the years. While it doesn’t cover every host, it does encompass many of the major ones. Additionally, this rule blocks access to paths such as xmlrpc.php, wp-config.php, and wlwmanifest. It also includes AI Crawler and other bots from the Cloudflare Verified Bot list. 

Edit Content
				
					(ip.geoip.asnum in {26496 31815 18450 398101 50673 7393 14061 205544 199610 21501 16125 51540 264649 39020 30083 35540 55293 36943 32244 6724 63949 7203 201924 30633 208046 36352 25264 32475 23033 32475 212047 32475 31898 210920 211252 16276 23470 136907 12876 210558 132203 61317 212238 37963 13238 2639 20473 63018 395954 19437 207990 27411 53667 27176 396507 206575 20454 51167 60781 62240 398493 206092 63023 213230 26347 20738 45102 24940 57523 8100 8560 6939 14178 46606 197540 397630 9009 11878}) or (http.request.uri.path contains "xmlrpc") or (http.request.uri.path contains "wp-config") or (http.request.uri.path contains "wlwmanifest") or (cf.verified_bot_category in {"AI Crawler" "Other"}) or (ip.geoip.country in {"T1"})

				
			

Additional Options

Whitelisting Server IP

Since we are blocking some website hosts, adding your web server IP to the Security—WAF—Tools section on Cloudflare is a must to ensure your cron jobs continue working. 

Disable Onion Routing

As mentioned above, I do not allow TOR to TOR exit nodes, so I also turn off the Cloudflare Onion Routing Setting. The setting is located under the network tab on Cloudflare. 

You can learn more about TOR and Onion Routing on Cloudflare’s KB. Onion Routing and Tor support

Thank you for your support

I hope you enjoy the Cloudflare WAF security rules I’ve shared. If you found them helpful and would like to show your support, consider buying me a coffee. Your generosity is greatly appreciated!

Course Sign up

I’m creating a Cloudflare course where I will cover each aspect of Cloudflare and share how I utilize it. If you’d like to be notified when the course is ready, please sign up below.

Name(Required)
Email(Required)