Protect a WordPress website from bots, automated spam comments and automated brute-force login attacks using the free Cloudflare Firewall.
Benefits:
- Detect and block bots on Cloudflare before they reach your website.
- Reduce server load up to 20 times.
- Automated bot detection with no captcha to solve.
- No plugin, no coding, easy setup, free solution.
Watch video tutorial on Youtube.
More WordPress optimization videos playlist.
What will be protected and why?
- Login page — protected from automated brute-force attacks by bots. A brute-force attack tries thousands of username / password combinations to break into your login.
- Comment Form — protected from automated spam comments.
- Search page — protected from automated search requests that can keep your website busy and crash it.
These are the three main areas of WordPress that will be protected from bots.
Cloudflare Anti-bot Firewall Instructions
Instructions for adding custom Firewall rules that protect WordPress websites from bad bots.
- Select your domain in the Cloudflare dashboard.
- Navigate to “Security” → “WAF” in the menu.
- Click the “Custom Rules” tab.
- Click the “Create Rule” button.
- Give the rule a descriptive name like “Antibot”.
- Set the following values for Field, Operator and Value. Use the “OR” operator between each of the three conditions:
Field: URI Query String → Operator: strict wildcard → Value: s=*
Field: URI Path → Operator: contains → Value: /wp-login.php
Field: URI Path → Operator: contains → Value: /wp-comments-post.php
- For the “Then take action…” field, select the “JS Challenge” value.
- Click the “Save” button at the bottom.
The new firewall rule is activated. After a couple of hours you can see the percentage of requests that passed the JS Challenge.
“JS Challenge” protection is used to detect bots. After applying these custom firewall rules on my website, 95% of all requests were identified as bots and blocked.
By using these free firewall rules we protect our WordPress website from bot attacks and reduce server load. Before protection, 95% of the server's computational resources were wasted on bots accessing our website.
Additionally, you can define how long a human verification stays valid by navigating to the “Security” → “Settings” page.
Easy-to-copy Expression version of the antibot Cloudflare Firewall rules for WordPress websites:
(http.request.uri.query strict wildcard r"s=*") or (http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-comments-post.php")
How do these custom Firewall Rules work?
We used 3 custom rules to show the JS Challenge. When a user visits a protected page they will see a custom Cloudflare page that uses JavaScript to detect whether the visitor is a human or a bot.
When the JS Challenge detects a human it lets them through, shows the protected page and completes the desired action. It also stores the challenge result for the amount of time defined in the settings.
When the JS Challenge detects a bot it shows an error page from Cloudflare. Bots never reach your server.
It works slightly differently for each rule we created here:
- Login page — the visitor sees the “JS Challenge” before viewing the login page. They cannot view or submit the login form without passing validation.
- Comment form — the visitor sees the “JS Challenge” after viewing and submitting the comment form.
- Search page — the visitor sees the “JS Challenge” after viewing and submitting the search form.
This means that viewing posts and pages is not restricted or challenged. The challenge triggers only when a search or comment form is submitted from a post or page.
This protection behaviour keeps the WordPress website fully accessible for humans and for bots (good and bad) reading public content. Protection kicks in when they try to submit a form or log in to the admin area.
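To make the matching behaviour of the expression above concrete, here is an added example (not Cloudflare code and not part of the original tutorial) that re-implements the three conditions in Python with the operator semantics Cloudflare documents: `strict wildcard` is a case-sensitive match over the entire field value in which `*` matches any run of characters, and `contains` is a plain substring test. The sample URLs are constructed; `example.com` is a placeholder domain.

```python
"""Evaluate the tutorial's Cloudflare custom rule against sample requests.

Added example: re-implements the rule expression
  (http.request.uri.query strict wildcard r"s=*")
  or (http.request.uri.path contains "/wp-login.php")
  or (http.request.uri.path contains "/wp-comments-post.php")
so you can see which requests would receive the JS Challenge.
"""
import re
from urllib.parse import urlsplit


def strict_wildcard(value: str, pattern: str) -> bool:
    """Cloudflare 'strict wildcard': case-sensitive, whole-field match,
    where '*' stands for zero or more characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def is_challenged(url: str) -> bool:
    """True if the rule expression matches, i.e. the request is challenged."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    return (
        strict_wildcard(query, "s=*")          # query string starts with s=
        or "/wp-login.php" in path             # login page
        or "/wp-comments-post.php" in path     # comment form handler
    )


# Constructed sample requests, not real traffic.
SAMPLE_REQUESTS = [
    "https://example.com/",
    "https://example.com/2024/my-post/",
    "https://example.com/?s=wordpress",
    "https://example.com/wp-login.php",
    "https://example.com/wp-comments-post.php",
    "https://example.com/?post_type=product&s=shoes",  # s= is not first
    "https://example.com/?S=wordpress",                # wrong case
]


def classify(urls):
    """Map each URL to whether the rule would challenge it."""
    return {u: is_challenged(u) for u in urls}


if __name__ == "__main__":
    for url, challenged in classify(SAMPLE_REQUESTS).items():
        print(f"{'CHALLENGE' if challenged else 'pass     '}  {url}")
```

Two results are worth noticing. Because the wildcard has to cover the whole query string, only a query that begins with `s=` is challenged: a search form that emits another parameter first (the `post_type=product&s=shoes` line) would reach the server unchallenged, so check what your theme's search form actually sends. And because the match is case-sensitive (`strict wildcard`), `?S=wordpress` passes; the plain `wildcard` operator would match it.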
FAQ
Is Cloudflare Firewall enough for protecting WordPress from bad bots?
No. The Cloudflare Firewall is only one layer of protection. You may need to add other layers such as limiting the number of requests, blocking by number of failed login attempts, etc.
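One way to build the "failed login attempts" layer mentioned above is to watch your own web-server access log for repeated login failures from one source. The following is an added example, not part of the tutorial or of any WordPress plugin: it parses constructed sample log lines in the common log format and flags client IPs that exceed a threshold of failed logins within a time window. It relies on the fact that WordPress re-renders the login form with HTTP 200 on a bad password and answers a successful login with a 302 redirect; the threshold, window and sample addresses are assumptions.

```python
"""Flag brute-force login sources in a web-server access log.

Added example. Heuristic: a POST to /wp-login.php that gets HTTP 200 is a
failed attempt (WordPress re-shows the form); a 302 is a successful login.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: 203.0.113.5 hammers the login form, 198.51.100.7 is
# a real user who mistypes once and then logs in (302).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
203.0.113.5 - - [10/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.5 - - [10/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.5 - - [10/May/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.5 - - [10/May/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.5 - - [10/May/2024:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.5 - - [10/May/2024:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
198.51.100.7 - - [10/May/2024:10:03:00 +0000] "GET /?s=cloudflare HTTP/1.1" 200 9876
198.51.100.7 - - [10/May/2024:10:04:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
198.51.100.7 - - [10/May/2024:10:04:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def parse_line(line: str):
    """Return a dict for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_failed_login(rec) -> bool:
    """POST to wp-login.php answered with 200 == form re-shown == failure."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def flag_brute_force(log_text: str, threshold: int = 5,
                     window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {ip: total_failures} for IPs with >= threshold failed logins
    inside any sliding window of the given length."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in flag_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, candidate for blocking")
```

The output of `flag_brute_force` is the list you would feed to a block list, a fail2ban-style jail or a Cloudflare IP rule; the GET of the login page and the user's single mistake are ignored, which keeps false positives low.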
Will these rules protect from all spam comments?
No, they can only protect from automated spam posted by bots. They will reduce the number of spam submissions but will not detect human-submitted spam. To prevent human-submitted spam, use the “Comment must be manually approved” option on the WordPress “Settings” → “Discussion” page.
How good is “JS Challenge” at preventing spam?
The JS Challenge prevented all spam and malicious activity from reaching the WordPress website.
Here is a screenshot of the report before and after applying the custom firewall rules with the JS Challenge action. It shows that Cloudflare prevented all the spam comments that were previously blocked by the WordPress security plugin.
JS Challenge performance results can also be viewed in the Cloudflare interface. The stats are shown in the video tutorial above.
Do I need to use Proxy mode for Cloudflare Firewall?
Yes, the Cloudflare Firewall works only if your website uses Proxy mode. Proxy mode enables many features like caching, DDoS protection, SSL certificates, the latest HTTP versions, CDN, etc.
Will these firewall rules affect Google Bot?
These rules do not affect public pages, so Googlebot can continue crawling them as before. Google is a web crawler and should not access the login page, post comments or crawl search pages.
Can Google fetch pages protected by Cloudflare JS Challenge?
No, Googlebot cannot fetch those pages. Protected pages return a “403 Access Forbidden” response code. Google will not read the content of those pages and cannot index them.
The screenshot shows that a Google crawl request returned a 403 Access Forbidden response for a page protected with the JS Challenge.
Should I protect all pages using the JS Challenge?
No, because public pages on your WordPress website should be accessible to search bots (Google, Bing, etc.) in order to get search traffic.
Social media sites (their bots) also need to access your website without the JS Challenge restriction in order to generate page previews by fetching data (thumbnail, title, description) from your web page.
Conclusion
Cloudflare firewall rules are an easy way of preventing bots from accessing vulnerable areas of any WordPress website. We have seen how easy and effective it is to protect the login page, comment posting and search pages on your website.
More WordPress optimization tutorials using free Cloudflare (without plugin):
- Cache rules for dynamic WordPress pages.
- Cache static WordPress page assets.
- Serve WordPress over HTTPS using Cloudflare.
- Block useless crawlers using “User Agent” in Cloudflare.
What is next:
- Check how I got a 100 Page Speed Score for a WordPress website.
- Download WordPress speed optimization checklist.