Cloudflare Security Rules You Can Copy Today (Bots, IPs, and Paths)
Most sites don’t need a full SOC to cut the bulk of their junk traffic. A few well-chosen Cloudflare rules will block obvious bots, throttle abusive IPs, and protect admin paths without hurting SEO or human visitors. Here’s a copy‑paste set you can apply in minutes, with the plan limits and false-positive traps called out where they bite.
What you’ll get
- Ready‑made Firewall/WAF and Bot Fight Mode rules
- Safe IP and country filters (with allowlists)
- Path protections for admin and APIs
- A rollback plan if anything breaks
Before you start (quick setup)
- Turn on Bot Fight Mode (free) to kill obvious scrapers.
- Set Security Level to Medium at first.
- Add your IP(s) to an allowlist (a Skip rule at the top of your custom rules) so you don’t get blocked while testing.
- Soak every new rule for 24 hours before going straight to “Block”: use “Log” if you are on Enterprise (the only plan that offers that action) and “Managed Challenge” (or “JS Challenge”) otherwise, then read Security → Events for hits you didn’t expect.
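The setup above, done through the Rulesets API instead of the dashboard, as an added example (it is not the page's own code, nor Cloudflare's). It assumes the zone custom-rules entry point (PUT /zones/{zone_id}/rulesets/phases/http_request_firewall_custom/entrypoint with a body of {"rules": [...]}), uses 203.0.113.10 from the RFC 5737 documentation range as a stand-in trusted IP, and reads CF_ZONE_ID / CF_API_TOKEN from the environment only when you actually want to push; rate limiting rules live in a separate phase and are not included. What it adds to the list above is the staging: the Skip rules stay at the top, every Block/Challenge is downgraded to a soak action (Log on Enterprise, Managed Challenge elsewhere) for the 24-hour review, and the same list is pushed unchanged afterwards.

```python
"""Stage Cloudflare WAF custom rules via the Rulesets API: soak first, enforce later.

Added example, not the page's own code. Assumes the zone custom-rules entry point
(PUT .../rulesets/phases/http_request_firewall_custom/entrypoint with {"rules": [...]}),
a placeholder trusted IP from the RFC 5737 documentation range, and that
CF_ZONE_ID / CF_API_TOKEN are set only when you really want to deploy."""
import json
import os
import urllib.request

TRUSTED_IPS = "{203.0.113.10}"  # placeholder: replace with your own IPs/CIDRs

# Evaluation order matters: custom rules run top-down and a matching Skip with
# ruleset=current stops the remaining custom rules, so the two Skip rules go first.
# (action_parameters can also carry a products list such as ["securityLevel",
# "rateLimit"] to skip those features as well.)
RULES = [
    {"description": "allowlist trusted IPs",
     "expression": f"ip.src in {TRUSTED_IPS}",
     "action": "skip", "action_parameters": {"ruleset": "current"}},
    {"description": "verified bots (Googlebot, Bingbot, ...)",
     "expression": "cf.client.bot",
     "action": "skip", "action_parameters": {"ruleset": "current"}},
    {"description": "empty or tiny user agent",
     "expression": '(http.user_agent eq "") or (len(http.user_agent) < 5)',
     "action": "block"},
    {"description": "self-announcing headless browsers",
     "expression": ('http.user_agent contains "Headless" or '
                    'http.user_agent contains "PhantomJS" or '
                    'http.user_agent contains "Selenium"'),
     "action": "managed_challenge"},
    {"description": "config and backup files",
     "expression": ('http.request.uri.path.extension in {"env" "bak" "old" "sql" "zip"} '
                    'or ends_with(http.request.uri.path, "/.env")'),
     "action": "block"},
    {"description": "WordPress admin paths (admin-ajax.php excluded)",
     "expression": ('(http.request.uri.path eq "/wp-login.php" or '
                    'starts_with(http.request.uri.path, "/wp-admin")) and not '
                    'http.request.uri.path eq "/wp-admin/admin-ajax.php"'),
     "action": "managed_challenge"},
]

ENFORCING = {"block", "managed_challenge", "js_challenge", "challenge"}


def staged(rules, soak_action="managed_challenge"):
    """Copy of the rule list for the 24h soak: every enforcing action becomes
    soak_action ("log" on Enterprise, a challenge on other plans). Skip rules
    keep their action so the allowlist ordering is exercised during the soak."""
    out = []
    for rule in rules:
        rule = dict(rule)
        if rule["action"] in ENFORCING:
            rule["action"] = soak_action
            rule.pop("action_parameters", None)
        out.append(rule)
    return out


def check_order(rules):
    """True when no Skip rule sits below an enforcing rule (a late Skip is dead)."""
    seen_enforcing = False
    for rule in rules:
        if rule["action"] in ENFORCING:
            seen_enforcing = True
        elif rule["action"] == "skip" and seen_enforcing:
            return False
    return True


def build_payload(rules):
    """Body for the entry point PUT. Refuses a list with a misplaced Skip."""
    if not check_order(rules):
        raise ValueError("Skip rules must come before Block/Challenge rules")
    return {"rules": [dict(rule, enabled=True) for rule in rules]}


def deploy(payload, zone_id, token):
    """Replace the zone's custom rules with payload (PUT overwrites the whole list)."""
    url = ("https://api.cloudflare.com/client/v4/zones/" + zone_id +
           "/rulesets/phases/http_request_firewall_custom/entrypoint")
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="PUT",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # CF_STAGE=enforce pushes the real actions; anything else pushes the soak set.
    rules = RULES if os.environ.get("CF_STAGE") == "enforce" else staged(RULES)
    payload = build_payload(rules)
    print(json.dumps(payload, indent=2))
    if os.environ.get("CF_ZONE_ID") and os.environ.get("CF_API_TOKEN"):
        print(deploy(payload, os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]))
```

Run it once with no environment variables to see the soak payload, then with CF_ZONE_ID and CF_API_TOKEN set to push it; after the review, CF_STAGE=enforce pushes the same list with the real actions. The PUT replaces the whole custom-rules list, so keep this file as the single source of truth for the zone rather than mixing it with hand-edited dashboard rules.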
Section 1 — Bot and automation filters (copy‑paste patterns)
A) Block empty or fake user agents
- Expression:
  (http.user_agent eq "") or (len(http.user_agent) < 5)
- Action: Block
- Notes: Real browsers send a recognizable UA; empty or very short UAs are nearly always scripts. Compare against the empty string explicitly: a bare "not http.user_agent" is not a valid expression in the rules language. Some uptime monitors and webhook senders also use short custom UAs, so read Security → Events during the soak period before switching to Block.
B) Challenge suspicious headless browsers
- Expression:
  http.user_agent contains "Headless" or http.user_agent contains "PhantomJS" or http.user_agent contains "Selenium"
- Action: Managed Challenge
- Notes: Good middle ground: it lets legitimate testing through while stopping mass automation. It only catches tooling that announces itself; a scraper that sets a normal Chrome UA sails past, which is what Bot Fight Mode and the rate limit below are for.
C) Rate‑limit aggressive crawlers hitting HTML
- Go to: Security → WAF → Rate Limiting Rules → Create
- Traffic matched: URI Path contains "/" AND Method equals GET (that is, every GET request)
- Threshold: 100 requests per 60 seconds per IP (tune to your traffic)
- Action: Managed Challenge for 10 minutes
- Notes: Keeps burst crawls from nuking your origin. A single page view can fire dozens of GETs for images, CSS and JS, so either exclude static assets from the match (add: and not http.request.uri.path.extension in {"css" "js" "png" "jpg" "webp" "svg" "woff2"}) or count a normal session's requests before settling on a threshold. The counting periods and timeouts you can pick depend on your plan; use the closest values the editor offers.
D) JS challenge for known bad ASNs (example)
- Expression:
  ip.src.asnum in {14061 9009 16276}
- Action: JS Challenge
- Notes: ASN values are numbers, so write 14061, not "AS14061" (ip.geoip.asnum is the older name for the same field and still works). The three here are hosting networks (DigitalOcean, M247, OVH) used purely as placeholders; challenging an entire hosting ASN also catches VPN users, uptime monitors and possibly your own servers. Replace them with ASNs actually seen abusing your site under Security → Events, and start with a challenge, not a block.
Section 2 — IP, ASN, and country controls
A) Allowlist your office/home IP
- Expression:
  ip.src in { x.x.x.x }
- Action: Skip (the current name for Bypass): tick Security Level, WAF managed rules and rate limiting as the products to skip, plus "All remaining custom rules"
- Notes: Replace x.x.x.x with your address or CIDR; add more entries separated by spaces. Put this rule at the top of the list: custom rules are evaluated in order, and a later Block rule never sees a request that already matched a Skip. Helpful for safe admin access and testing, but a home IP changes, so re-check it before you lock yourself out.
B) Soft‑block hostile traffic countries (if you’re regional)
- Expression:
  ip.geoip.country in {"RU" "KP" "CN"} and not ip.src in {your allowlist}
- Action: Managed Challenge
- Notes: Only if your audience is not from these regions. Prefer challenge over block, and keep the verified-bot Skip rule from Section 4 above this one so crawlers that happen to arrive from those countries are not challenged. ip.src.country is the newer name for the field; ip.geoip.country still works.
C) Temporary block on abusive IPs
- Go to: Security → WAF → Tools → IP Access Rules
- Add offending IP/CIDR → Block
- Notes: IP Access Rules have no expiry, so note the date and remove the entry after 24–72 hours (or use a custom rule with a description prefixed TEMP that you can disable with one click). Use after an incident; don’t rely on manual blocking long‑term, attackers rotate IPs faster than you can add them.
Section 3 — Protect sensitive paths (admin, login, API)
A) Lock down admin paths (Blogger/WordPress examples)
- Expression (Business/Enterprise; the matches operator needs a plan with regex support):
  http.request.uri.path matches "^/(wp-admin|wp-login\.php|admin|backend|cpanel)(/|$)"
  and not ip.src in { your trusted IPs }
- Expression (Free/Pro; prefixes instead of regex):
  (http.request.uri.path eq "/wp-login.php"
   or starts_with(http.request.uri.path, "/wp-admin")
   or starts_with(http.request.uri.path, "/admin")
   or starts_with(http.request.uri.path, "/backend")
   or starts_with(http.request.uri.path, "/cpanel"))
  and not http.request.uri.path eq "/wp-admin/admin-ajax.php"
  and not ip.src in { your trusted IPs }
- Action: Managed Challenge (or Block for brute force)
- Notes: If you need global access, use challenge; if only you log in, consider allowlist + block. Keep /wp-admin/admin-ajax.php out of the rule: many WordPress themes and plugins call it for anonymous visitors, and challenging it silently breaks those features. The prefix form is a little broader than the regex (starts_with "/admin" also matches "/administrator"), which is usually what you want.
B) Throttle XML‑RPC and login brute force
- Rate Limiting Rule
- Expression (the editor's "URI Path equals" fields produce the same thing):
  (http.request.uri.path in {"/xmlrpc.php" "/wp-login.php"}) and http.request.method eq "POST"
- Threshold: 10 requests per 60 seconds per IP
- Action: Managed Challenge (10 minutes)
- Notes: Cuts automated password guessing. If nothing you run needs XML-RPC (Jetpack and the WordPress mobile app are the usual reasons to keep it), block /xmlrpc.php outright with a custom rule instead of throttling it. Credential stuffing spread across many IPs stays under a per-IP threshold; that case is covered in Section 7.
C) Protect APIs and admin JSON
- Expression:
  (starts_with(http.request.uri.path, "/api/") or starts_with(http.request.uri.path, "/wp-json/"))
  and not cf.client.bot
- Action: Managed Challenge
- Notes: Tune to your framework. A challenge can only be solved by a browser: scripts, mobile apps, webhooks and integrations calling these endpoints will fail it, so apply this only where the endpoints serve browser sessions (the WordPress editor calls /wp-json/ from the browser and carries the clearance cookie, so it keeps working). If you have a public API, rate-limit it instead of challenging it, and scope the rule to the endpoints actually being abused.
D) Block access to config backups
- Expression:
  http.request.uri.path.extension in {"env" "bak" "old" "sql" "zip"}
  or ends_with(http.request.uri.path, "/.env")
- Action: Block
- Notes: Prevents common scans for leaked configs and backups. This form works on every plan; the regex version (matches "(?i).*\.(env|bak|old|sql|zip)$") needs Business or Enterprise. The extension field is already lowercased, so .SQL is covered. Drop "zip" if you serve legitimate downloads. Blocking at the edge is only a second line: the real fix is not leaving .env files or database dumps in the web root at all.
Section 4 — SEO‑safe allowances (don’t break Google/Bing)
A) Always allow major search engine crawlers
- Method: in the custom rule editor tick "Known Bots" (it emits cf.client.bot), or write the field yourself:
- Expression:
  cf.client.bot
- Action: Skip (Security Level, rate limiting and all remaining custom rules)
- Notes: cf.client.bot is true for Cloudflare’s verified bots (Googlebot, Bingbot, etc.). Cloudflare validates them itself rather than trusting the User-Agent string, so a scraper that merely claims to be Googlebot does not get it. Place this rule above every Block/Challenge rule; a Skip that sits below them does nothing.
B) Skip rules for link‑preview fetchers
- If using link preview/social cards, ensure:
- Expression:
  http.user_agent contains "Discordbot" or http.user_agent contains "Twitterbot" or http.user_agent contains "Slackbot"
- Action: Skip (the UA, ASN and country rules from Sections 1 and 2)
- Notes: So previews aren’t blocked/challenged. Each contains clause needs its own http.user_agent; contains "A" or "B" is not valid syntax. Anyone can send these UAs, so skip only the rules that would otherwise hit the preview fetchers, never the admin-path or backup-file protections. Check Security → Events first: if these fetchers already pass as verified bots, the rule is unnecessary.
Section 5 — Page Rules / Cache Rules quick wins
A) No cache for admin paths
- Cache Rules:
  If URI Path starts with "/wp-admin/" or "/admin/" (or URI Path equals "/wp-login.php")
- Cache: Bypass
- Notes: Avoid serving stale admin screens, or worse, one user’s admin page to another. Cloudflare does not cache HTML unless you tell it to, so this rule only matters once a "Cache Everything" rule exists; add it anyway so it is already there when that happens.
B) Cache static assets aggressively
- File extension in: css js jpg png webp (plus svg, woff2 and anything else you serve)
- Cache: Eligible for cache (Cache Everything), Edge TTL 1 month, Browser TTL 1 week
- Notes: Improves speed and LCP; pair with versioned filenames so a deploy doesn’t wait out the TTL. These extensions are cached by default; the rule’s real effect is the longer TTLs.
Section 6 — Bot Fight Mode and Super Bot Fight Mode (SBFM)
- Free: Turn on Bot Fight Mode in Security → Bots. It runs on every request and cannot be skipped for specific traffic with custom rules, so if it starts catching an uptime monitor or your own API client, that is the usual reason to move up to SBFM, the tier where you can carve out exceptions instead of turning protection off.
- Pro/Business (SBFM), Security → Bots → Configure:
  - Definitely automated: Block
  - Likely automated: Managed Challenge (the toggle only appears on plans that offer the score)
  - Verified bots: Allow (keeps search engines)
  - Static resource protection: leave off unless your images/CSS/JS are actually being scraped; it challenges asset requests and can break embeds
- Notes: Start conservative. Monitor events for false positives, then tighten.
Section 7 — Incident quick‑response presets
A) Scraper spike on a single path
- Temporary WAF rule:
- Expression:
  http.request.uri.path eq "/your-popular-post" and not cf.client.bot
- Action: JS Challenge
- Disable (or remove) it after the spike.
B) Layer 7 flood from rotating IPs
- Raise Security Level to High for 24h
- Tighten rate‑limit thresholds temporarily (e.g., 60 req/60s) and challenge
- Enable “Under Attack Mode” if users can accept an interstitial for a few minutes; it challenges every visitor, so API clients and preview fetchers fail for the duration
C) Credential stuffing on login
- Tighten the login rate‑limit to 5 req/60s
- Block offender ASNs for 24h (the ASN rule from Section 1 with Action = Block, reverted afterwards)
- If you can, move login to a non‑standard path and update the rule path list
- Per‑IP limits do little against stuffing spread across thousands of IPs; read the ASN and country spread in Security → Events and pair the limit with a Managed Challenge on the login path itself
Section 8 — Monitoring and rollback
- Security → Events: filter by Action = Block/Challenge; check for false positives (your own IP, crawlers, preview fetchers, uptime monitors)
- Security Analytics (formerly Firewall Analytics): see top rules triggering, ASNs, countries
- Keep a “Safe Mode” toggle:
  - On Enterprise, duplicate each rule with Action = Log; on other plans the Log action is not available, so soak new rules as Managed Challenge and use the rule’s Enabled switch as the kill switch
  - Disable hard “Block” rules quickly if something breaks; disabling is faster than deleting and keeps the expression for later
- Change log: maintain a simple sheet (date, rule name, expression, action, result)
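A triage pass over security events, added here as an example (not the page's code) that serves both the false-positive check above and Section 1D's "replace with ASNs seen abusing your site". It runs offline on constructed sample lines whose field names follow Cloudflare's firewall_events Logpush dataset (Action, ClientASN, ClientIP, ClientRequestPath, ClientRequestUserAgent, RuleID); the IPs are from the RFC 5737 documentation ranges, and the ASNs, rule IDs and user agents are illustrative. Real input comes from Logpush or the Security Events export, one JSON object per line.

```python
"""Triage Cloudflare security events: which ASNs deserve a challenge rule, which
rule is doing the mitigating, and which hits look like false positives.

Added example, not the page's own code. SAMPLE_EVENTS is constructed; field
names follow the firewall_events Logpush dataset, IPs are RFC 5737 documentation
addresses, ASNs/rule IDs/user agents are illustrative."""
import json
from collections import Counter, defaultdict

SAMPLE_EVENTS = """\
{"Action":"block","ClientASN":14061,"ClientIP":"198.51.100.7","ClientCountry":"us","ClientRequestPath":"/wp-login.php","ClientRequestUserAgent":"python-requests/2.31","RuleID":"login-rl"}
{"Action":"managedchallenge","ClientASN":14061,"ClientIP":"198.51.100.8","ClientCountry":"us","ClientRequestPath":"/wp-login.php","ClientRequestUserAgent":"curl/8.4.0","RuleID":"login-rl"}
{"Action":"managedchallenge","ClientASN":14061,"ClientIP":"198.51.100.9","ClientCountry":"de","ClientRequestPath":"/xmlrpc.php","ClientRequestUserAgent":"Mozilla/5.0 (compatible; bot)","RuleID":"login-rl"}
{"Action":"block","ClientASN":16276,"ClientIP":"192.0.2.50","ClientCountry":"fr","ClientRequestPath":"/.env","ClientRequestUserAgent":"Mozilla/5.0","RuleID":"backup-files"}
{"Action":"block","ClientASN":16276,"ClientIP":"192.0.2.51","ClientCountry":"fr","ClientRequestPath":"/backup.sql","ClientRequestUserAgent":"Go-http-client/1.1","RuleID":"backup-files"}
{"Action":"managedchallenge","ClientASN":15169,"ClientIP":"192.0.2.200","ClientCountry":"cn","ClientRequestPath":"/post-1","ClientRequestUserAgent":"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)","RuleID":"country-challenge"}
{"Action":"managedchallenge","ClientASN":7922,"ClientIP":"203.0.113.10","ClientCountry":"us","ClientRequestPath":"/wp-admin/","ClientRequestUserAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0","RuleID":"admin-paths"}
{"Action":"log","ClientASN":7922,"ClientIP":"203.0.113.44","ClientCountry":"us","ClientRequestPath":"/post-1","ClientRequestUserAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0","RuleID":"scraper-spike"}
{"Action":"block","ClientASN":14061,"ClientIP":"198.51.100.7","ClientCountry":"us","ClientRequestPath":"/wp-login.php","ClientRequestUserAgent":"python-requests/2.31","RuleID":"login-rl"}
"""

# Actions that actually stopped or slowed a request; "log" and "skip" did not.
MITIGATING = {"block", "managedchallenge", "jschallenge", "challenge"}
TRUSTED_IPS = {"203.0.113.10"}  # the IPs your allowlist Skip rule is meant to cover
# UA fragments worth a second look. A UA is only a hint: anyone can send it.
BOT_HINTS = ("Googlebot", "Bingbot", "Discordbot", "Twitterbot", "Slackbot")


def parse_events(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def mitigated(events):
    return [e for e in events if e["Action"] in MITIGATING]


def top_asns(events, n=5):
    """ASNs ranked by mitigated hits: the raw input for a Section 1D rule."""
    return Counter(e["ClientASN"] for e in mitigated(events)).most_common(n)


def asn_candidates(events, min_hits=3, min_ips=2):
    """ASNs with enough mitigated hits spread over several source IPs. One noisy
    IP is an IP Access Rule problem; many IPs in one network is an ASN problem."""
    hits, ips = Counter(), defaultdict(set)
    for e in mitigated(events):
        hits[e["ClientASN"]] += 1
        ips[e["ClientASN"]].add(e["ClientIP"])
    return sorted(a for a in hits if hits[a] >= min_hits and len(ips[a]) >= min_ips)


def rule_action_matrix(events):
    """rule id -> {action: count}; shows which rule is doing the work and whether
    a soak (challenge/log) rule is ready to be promoted to block."""
    matrix = defaultdict(Counter)
    for e in events:
        matrix[e["RuleID"]][e["Action"]] += 1
    return {rule: dict(actions) for rule, actions in matrix.items()}


def suspected_false_positives(events):
    """Mitigated hits that should not have happened: a trusted IP (the allowlist
    Skip rule is missing or ordered too late) or a crawler-looking UA (verify the
    source before exempting it; cf.client.bot, not the UA, is the real test)."""
    out = []
    for e in mitigated(events):
        if e["ClientIP"] in TRUSTED_IPS:
            out.append((e["RuleID"], e["ClientIP"],
                        "trusted IP mitigated: allowlist Skip missing or below this rule"))
        elif any(hint in e["ClientRequestUserAgent"] for hint in BOT_HINTS):
            out.append((e["RuleID"], e["ClientIP"],
                        "crawler-like UA mitigated: verify the source before exempting"))
    return out


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("top ASNs:", top_asns(ev))
    print("ASN challenge candidates:", asn_candidates(ev))
    for rule, actions in rule_action_matrix(ev).items():
        print(rule, actions)
    for rule, ip, why in suspected_false_positives(ev):
        print("REVIEW", rule, ip, why)
```

On the sample data the login rule is the one earning its keep, one hosting ASN shows up from three different IPs (the pattern that justifies an ASN-wide challenge), and two hits need a human: the trusted IP that got challenged on /wp-admin/ means the allowlist Skip rule is below the admin-path rule, and the Googlebot-looking UA caught by the country rule is either the verified-bot Skip ordered too late or a scraper borrowing the name. Feed it a day of real events before promoting any soak rule to Block.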
Copy‑paste library (expressions only)
- Empty or tiny UA:
  (http.user_agent eq "") or (len(http.user_agent) < 5)
- Headless browsers:
  http.user_agent contains "Headless" or http.user_agent contains "PhantomJS" or http.user_agent contains "Selenium"
- Bad file extensions (leaks/backups), all plans:
  http.request.uri.path.extension in {"env" "bak" "old" "sql" "zip"} or ends_with(http.request.uri.path, "/.env")
- Bad file extensions, regex form (Business/Enterprise):
  http.request.uri.path matches "(?i).*\.(env|bak|old|sql|zip)$"
- Admin paths (common), regex form (Business/Enterprise):
  http.request.uri.path matches "^/(wp-admin|wp-login\.php|admin|backend|cpanel)(/|$)"
- Admin paths, prefix form (all plans):
  (http.request.uri.path eq "/wp-login.php" or starts_with(http.request.uri.path, "/wp-admin") or starts_with(http.request.uri.path, "/admin") or starts_with(http.request.uri.path, "/backend") or starts_with(http.request.uri.path, "/cpanel")) and not http.request.uri.path eq "/wp-admin/admin-ajax.php"
- Known bots allow (Skip):
  cf.client.bot
- ASN challenge (sample; ASNs are numbers, not "AS" strings):
  ip.src.asnum in {14061 9009 16276}
- Country challenge (sample):
  ip.geoip.country in {"RU" "KP" "CN"} and not ip.src in { x.x.x.x }
Featured image (thumbnail)
- Image title: Cloudflare Security Rules – Copy Today
- ALT text: Cloudflare security rules to block bad bots, filter risky IPs, and protect admin paths, with copy‑paste expressions
- File name: cloudflare-security-rules-copy-today.webp
- Text on image: “Cloudflare Rules You Can Copy”
- Style: clean, high‑contrast; shield + bot icon over network grid; 1200×628
FAQs
Q1: Will these rules block Googlebot?
A: Not if the verified-bot Skip rule (cf.client.bot) sits above your Block/Challenge rules; cf.client.bot marks crawlers Cloudflare has verified, so they skip the rest. Keep “Verified bots: Allow” in Super Bot Fight Mode and check Security → Events for Googlebot hits after any change.
Q2: Should I use Block or Challenge?
A: Start with JS/Managed Challenge. If abuse persists and false positives are zero, escalate to Block.
Q3: My users complain about a page not loading after rules—what now?
A: Disable the last rule you added, put it back as a challenge for testing (or Log on Enterprise), and check Security → Events for hits. Allowlist legitimate IPs/paths if needed.
Q4: Do I need a paid Cloudflare plan?
A: Most basics work on Free/Pro. Super Bot Fight Mode and some WAF features are on Pro/Business; regex (matches) rules need Business or Enterprise, and the Log action is Enterprise‑only. Start free and upgrade if abuse is constant.
CTA
Want a one‑page rule pack (JSON) you can import into Cloudflare WAF? Comment “RULE PACK” and I’ll prep a safe default you can tweak for your site.