Testing and Configuring Cloudflare DNS Firewall

By | 27 February, 2021

Cloudflare offers some interesting products on the free and Pro plans that attracted my attention, namely the WAF features and the automatic challenge of requests coming from the Tor web browser. As my website is a legitimate company page that does not collect any unnecessary information, I cannot think of any other reason a visitor would have malicious intentions towards my website.

Let's get into the topic. So I tried the free version and was highly satisfied with the result using the setup below in the WAF rules:

Block requests to wp-login and xmlrpc.

Note: I did this fully knowing it would also block my own access to WordPress, because I don't access it using wp-login; I access it through cPanel, so I didn't find this bothersome. If you want the same setup as me but still want to access your wp-login, you just need to add an exclusion, either specifically for your own IP or, if there are multiple people or dynamic IPs, an exclusion using "and" "not in" "your country". This rule will exclude your country's IPs.

To make it more secure, you can add a special rule for your country's IPs with the condition that if a visitor to wp-login is within your allowed geo IP range, the action is set to "Challenge". Be warned though, Cloudflare challenges are annoying.

Even with only this, I have significantly reduced the number of malicious bot visitor IPs blocked on my web host, which had been bugging me in the security plugin I installed on WordPress. Why is this important? As the malicious bots are already blocked at the Cloudflare level, those IPs will not flood my server bandwidth with such requests.

Then I became interested in trying the WAF Managed Rules that Cloudflare provides via its Pro plan. So I tried the product for a month to see whether the special rules for Pro set by Cloudflare are applicable or worth investing in. Please note that I am not questioning the CDN or analytics functionality of the Pro version; it is simply a matter of whether I use those features or not.

Well, after one month, I found the special rule blocks interesting, but compared against my pre-existing rules, they are not worth it.

But there are a few rule blocks that I found interesting and that can be applied depending on the application we use. In my case, I have an app that uses Laravel, which has a ".env" file containing a lot of sensitive information if it is misconfigured to allow public access. By default, though, outside access to those files is usually blocked and they are only accessible via the backend.

So I added another block as per below:

Block requests containing .env.

Then I found there was another request blocked by Cloudflare; the weird request is probably a malicious one. The request is as per below:

/wp-admin/admin-ajax.php

The request is very weird, coming from IPs located outside my country, which is really suspicious. I think I will implement this in my own firewall rules instead of depending on Cloudflare.
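The rule set described in this post (wp-login/xmlrpc block with a country exclusion, the challenge for the allowed country, the .env block, and the admin-ajax.php block) as a small evaluator you can run against constructed requests before deploying it. This is an added example, not code from the post or from Cloudflare; `ALLOWED_COUNTRY` is a placeholder for your own country code, and the comments give the Cloudflare expression each rule corresponds to.

```python
from dataclasses import dataclass

ALLOWED_COUNTRY = "XX"  # placeholder: the site owner's two-letter country code


@dataclass
class Request:
    path: str     # http.request.uri.path
    country: str  # ip.geoip.country, as resolved by Cloudflare's geo lookup


def evaluate(req: Request) -> str:
    """Return the action of the first matching rule: block, challenge or allow.

    Rules are checked in priority order, as Cloudflare does; block and
    challenge are both terminating actions.
    """
    path = req.path.lower()
    login_paths = ("/wp-login.php", "/xmlrpc.php")
    hits_login = any(p in path for p in login_paths)

    # Rule 1 (block): wp-login / xmlrpc from anywhere except the allowed country.
    #   (http.request.uri.path contains "/wp-login.php" or
    #    http.request.uri.path contains "/xmlrpc.php") and not ip.geoip.country in {"XX"}
    if hits_login and req.country != ALLOWED_COUNTRY:
        return "block"

    # Rule 2 (challenge): the same paths from the allowed country still get challenged.
    #   (same path test) and ip.geoip.country eq "XX"
    if hits_login:
        return "challenge"

    # Rule 3 (block): any path mentioning .env (Laravel secrets probing).
    # Note: "contains" also matches e.g. "/app.environment.js"; watch for false positives.
    #   http.request.uri.path contains ".env"
    if ".env" in path:
        return "block"

    # Rule 4 (block): admin-ajax.php from outside the allowed country.
    # Note: legitimate front-end plugins also call admin-ajax.php, so monitor this one.
    #   http.request.uri.path contains "/wp-admin/admin-ajax.php" and ip.geoip.country ne "XX"
    if "/wp-admin/admin-ajax.php" in path and req.country != ALLOWED_COUNTRY:
        return "block"

    return "allow"


# Constructed sample requests, one per branch.
SAMPLES = [
    Request("/wp-login.php", "US"),
    Request("/xmlrpc.php", ALLOWED_COUNTRY),
    Request("/.env", ALLOWED_COUNTRY),
    Request("/wp-admin/admin-ajax.php", "DE"),
    Request("/blog/", "US"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r.country} {r.path}: {evaluate(r)}")
```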

That's all for today. I plan to observe for another month to see if there's anything else, but for the time being, using the Pro version did not seem worth it to me.
