There are over 800 million sites that use WordPress, and many of those have suffered from damaging attacks. Statistics show that 1 in every 25 WordPress sites will suffer some form of hack or malicious attack. That means the information of billions of users could be exposed to a hacker or spam bot. While basic captchas or honeypots stop some of that spam, there are more advanced forms of attack, such as brute-force attacks, bot scraping, AI crawlers, and more deceptive forms of phishing. That’s why so many WordPress users have turned to Cloudflare.
After launching over 500 websites, we’ve seen firsthand how bad spam and attacks can get. Wordfence captcha and other security plugins do a great job at blocking a lot of the noise, but they don’t stop everything. When the attacks ramp up—whether it’s relentless spam submissions, brute-force login attempts, or full-on DDoS attacks—there’s only one solution we rely on for our clients: Cloudflare.
By analyzing the web traffic that comes into your website with algorithms and threat analysis, Cloudflare can block malicious content and users before they ever hit your homepage. For our clients who’ve been vulnerable to attacks, Cloudflare has been a game changer and a lifesaver. Not only could it save you a ton of hassle, but it could also save you from a data breach that could affect both you and your users.
With the increasing number of attacks across the web, a service like Cloudflare can protect against threats without much effort. All it takes is some basic rules and settings to get your site the protection it needs.
In this guide, we’re going to talk about which data and protections your WordPress website needs and how to set it up in Cloudflare.
Setting Up Cloudflare WAF for WordPress Security
Cloudflare knows how to protect your WordPress site, but that does mean you’ll have to make some adjustments to the settings to get the right protection.
First, let’s get to the WAF settings in Cloudflare before we make any changes.
- Navigate to Your Account page
- Choose Website
- Then Security
- Find and click WAF
- Then finally select Custom Rules Tab
This will then allow you to make adjustments to the WAF (Web Application Firewall). To put it simply, you’re creating a barrier around your website that analyzes any incoming request. It determines whether or not the URL or IP is suspicious and then blocks those requests as needed.
Now let’s talk about what Cloudflare needs to protect on your WordPress site.
Using Cloudflare to Protect WP Logins, WP Admin, and xmlrpc.php
The simplest form of attack, a brute-force attack, is where a malicious bot or user uses a tool to try as many passwords as possible against your login page. That’s made easier by the predictable /wp-admin/ part of the URL structure of some WordPress websites.
Studies show that 30% of online users still don’t have complex logins or strong password practices. That means many users could still be using “1234” as their password, and that leaves WordPress sites vulnerable to brute-force attacks.
Here’s how you can stop that from happening with a Cloudflare rule:
- Add this WAF rule to block unauthorized access:
(http.request.uri.path contains "wp-login.php" and not ip.geoip.country in {"US"} and http.user_agent ne "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36")
or (http.request.uri.path contains "/wp-admin" and not ip.geoip.country in {"US"} and http.user_agent ne "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36")
or (http.request.uri.path contains "/xmlrpc.php")
- Set Action: Block
Then, if you want to take your protection to the next level, consider using Cloudflare Zero Trust Access. This means that potential users get a much stricter form of verification before they get access to any sensitive data.
Cloudflare performs this analysis in real time on every request, so the barrier stays current and your WordPress site stays protected.
Now, let’s talk about bots.
Blocking Bad Bots
Not every malicious attack is after your sensitive data; some target your servers instead. Techniques like credential stuffing, full account takeovers, or plain spam floods can overload your service and tank your WordPress site’s performance.
That’s why there’s a rule that lets Cloudflare block those bad bots too:
- Add this WAF rule to block known bad bots
(http.user_agent contains "Xenu") or (http.user_agent contains "MJ12bot") or (http.user_agent contains "Alexibot") or (http.user_agent contains "SurveyBot") or (http.user_agent contains "rogerbot")
- Set Action: Block
If you want to manually monitor new bot activity, here’s how:
- Go to Analytics and Logs on the Cloudflare dashboard
- Find the Logs page
- Search for the bot detection IDs; each carries a score that estimates whether the request was made by a bot or by an actual user
For the scrapers and crawlers you also want to address, here are a few steps you should take.
Block AI Scrapers and Crawlers
Not every scraper or crawler is malicious, but some are trying to extract your content instead of analyzing it. Not only could that be violating IP and copyright laws, but it could also lead to problems with your WordPress site’s performance.
Here’s how you can address it:
- Add this WAF rule to block AI crawlers
(cf.verified_bot_category eq "AI Crawler")
- Set Action: Block
Not all crawlers and scrapers are bad, though. Google uses AI crawlers to populate SERPs (Search Engine Results Pages). This means the stricter the block, the less likely your website is to appear in Google’s search results or other valuable aggregators.
Google uses search engine indexing to store content in a database to help with search results, so you may want to reconsider blocking crawlers if you see a negative effect.
Contact forms are also susceptible to attacks, but luckily, there’s a rule for that too.
Stopping Contact Form Spam
The truth is that contact forms are extremely vulnerable to spam bots. When there aren’t enough security checks in place, bots can easily scan a website and submit spam.
That’s why you’ve seen so many websites use image captchas or various honeypots to screen requests, meaning you have to go through extra steps to prove that you’re, in fact, a human.
That doesn’t always work though, which is why this Cloudflare rule can come in handy:
- Add this WAF rule to block spam bots
(http.request.uri.path contains "/contact" and cf.threat_score gt 10)
- Set Action: Block or Challenge
Unfortunately, setting up the rule could lead to issues like false positives. That’s why it’s always important to monitor traffic to make sure everything is flowing smoothly and to test these rules whenever there’s an issue.
Blocking Spam from High-Risk Countries
A lot of form spam originates from specific countries where bot activity is common. If your website primarily serves customers in a specific region, you can block or challenge traffic from countries that frequently generate spam.
To block form submissions from certain countries, add this WAF rule:
(http.request.uri.path contains "/contact" and ip.geoip.country in {"CN" "RU" "IN" "BR" "NG"})
- Set Action: Block or Challenge
If you still want legitimate visitors from these regions but need extra security, setting the action to "Managed Challenge" instead of "Block" can help filter out bots while allowing real users to pass verification.
Pro Tip: Keep an eye on Cloudflare’s analytics to identify where most of your spam is coming from. If a new country starts sending spam, you can easily update your rule to include it.
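As an added example (not from the original post or from Cloudflare's own tooling), here is a small Python evaluator for the subset of Cloudflare's rule-expression syntax that the rules on this page use (contains, eq, ne, in, gt, and/or/not, parentheses and set literals), so you can check what the login, bad-bot, contact-form and country rules above actually match before deploying them. The request() helper and its sample field values are constructed for the example; the login rule is copied from this page.

```python
import re

# Cloudflare rule-expression subset used on this page: ( ) { }, "strings", integers, words; anything else is an error.
TOKEN_RE = re.compile(r'([(){}])|"([^"]*)"|(\d+)|([A-Za-z_][\w.]*)|(\S)')
OPS = {"contains": lambda a, b: b in a, "eq": lambda a, b: a == b,
       "ne": lambda a, b: a != b, "in": lambda a, b: a in b, "gt": lambda a, b: a > b}

def tokenize(expr):
    out = []
    for p, s, n, w, bad in TOKEN_RE.findall(expr):
        if bad:
            raise ValueError(f"unexpected {bad!r} in rule")
        out.append(("p", p) if p else ("n", int(n)) if n else ("w", w) if w else ("s", s))
    return out

def matches(rule, req):   # evaluate a rule against a dict keyed by Cloudflare field name
    toks, pos = tokenize(rule) + [("end", None)], [0]
    def take(): pos[0] += 1; return toks[pos[0] - 1]
    def chain(word, operand, combine):   # left-assoc `and`/`or`; precedence: not > and > or
        val = operand()
        while toks[pos[0]] == ("w", word):
            take(); val = combine(val, operand())
        return val
    def parse_or(): return chain("or", parse_and, lambda a, b: a or b)
    def parse_and(): return chain("and", parse_not, lambda a, b: a and b)
    def parse_not():
        if toks[pos[0]] == ("w", "not"):
            take(); return not parse_not()
        return parse_atom()
    def parse_atom():
        kind, val = take()
        if (kind, val) == ("p", "("):
            inner = parse_or(); take(); return inner   # second take() consumes ')'
        op, (rkind, rhs) = take()[1], take()
        if (rkind, rhs) == ("p", "{"):                 # set literal such as {"CN" "RU"}
            rhs, tok = set(), take()
            while tok != ("p", "}"):
                rhs.add(tok[1]); tok = take()
        return OPS[op](req[val], rhs)                  # KeyError if the request lacks the field
    result = parse_or()
    assert toks[pos[0]] == ("end", None), "unparsed trailing tokens"
    return result

CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
LOGIN_RULE = f'''(http.request.uri.path contains "wp-login.php" and not ip.geoip.country in {{"US"}} and http.user_agent ne "{CHROME_UA}")
or (http.request.uri.path contains "/wp-admin" and not ip.geoip.country in {{"US"}} and http.user_agent ne "{CHROME_UA}")
or (http.request.uri.path contains "/xmlrpc.php")'''   # the login rule from this page, verbatim

def request(path, country, ua="curl/8.0", score=0):   # constructed request; field names are Cloudflare's
    return {"http.request.uri.path": path, "ip.geoip.country": country,
            "http.user_agent": ua, "cf.threat_score": score}
```

Running the login rule through it shows two things worth knowing: the quoted Chrome user-agent clause is an exemption rather than a control, since that header is supplied by the client, and `contains "/wp-admin"` also matches /wp-admin/admin-ajax.php, which front-end plugins request on behalf of anonymous visitors, so non-US visitors may lose site features.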
Additional Cloudflare Security Settings
These rules are effective, but they can be strict. Make sure that implementing them doesn’t impact the user experience of your WordPress website. That being said, there are also a number of ways you can continue to bolster your security with Cloudflare.
Here are a few more tips you can use to secure your WordPress site with Cloudflare:
- Enable Bot Fight Mode, a free Cloudflare tool designed to block bot traffic on your website
- Rate Limiting Tools can prevent the kind of brute-force attack designed to access sensitive data
- Cloudflare is already an effective barrier, but enabling Firewall Rules gives you more granular control over who can access your system
But most importantly, continue to monitor logs and adjust rules whenever necessary. If they’re too strict, you could impact UX. But without these Cloudflare rules, your WordPress website could be the next in line for a massive attack or security issue.