Hardening WordPress Security with the Cloudflare Firewall

With many thousands of WordPress security vulnerabilities known surrounding the WordPress core, plugins and themes; it is vital you add additional layers of security to protect your WordPress site against hackers. Whether selling through the Woocommerce e-commerce platform or using your WordPress to manage your company site, Cloudflare can help protect you.

After completing the initial set-up of your WordPress site on Cloudflare, following these instructions will dramatically improve the security of your WordPress site.

Using the Web Application Firewall to Block Dynamic Application Layer Attacks:

No matter how well patched or updated your WordPress site is, there can always be new vulnerabilities around the corner. Cloudflare's Web Application Firewall can help you filter malicious HTTP and HTTPS requests to block common threats such as SQL Injection, XSS Attacks and Remote Code Execution Exploits. As Cloudflare's network handles significant traffic, we are able to identify new attack patterns and create new WAF rules accordingly - protecting all WAF customers from potential vulnerabilities.

To set the Cloudflare Web Application Firewall to On, login to your Cloudflare dashboard and click on Managed Rules tab of the Firewall app.  Next we will customise the WAF such that it is optimised for WordPress, scroll down to the Cloudflare Managed Ruleset section and set Cloudflare WordPress to On.

We can now go ahead and enable the rules which are likely to help you when using WordPress, here I've toggled for PHP and WordPress, I've also enabled our "Cloudflare Specials" which allows us to deal with some specific attack types. Feel free to adjust which rules you enable based on your requirements.

Additionally, we can scroll down to the Package: OWASP ModSecurity core Rule Set and we can adjust the WAF Sensitivity and Action to add additional attack detection rules to our website. 

Preventing Comment Spam:

The Security Level option in the Firewall Page allows you to choose which visitors you want to challenge, by increasing this you are able to challenge more visitors who exhibit threatening behaviour:

Under DDOS Attack?

If you are under DDOS Attack, enabling I'm Under Attack Mode will start challenging users to your website. Please review our "I am under DDoS attack, what do I do?" page for more information.

Brute Force Attack Prevention

Bruteforce attacks work by attempting to sequentially guess the passwords you use on WordPress using bots. By using Cloudflare's collective intelligence and additionally by enabling the WAF (as described above) Cloudflare is able to counter the majority of brute force attacks. There are bruteforce protection rules in both the Cloudflare WordPress and Cloudflare Specials rulesets.

If you find, however, that this isn't adequate - we now offer a Rate Limiting service. You can sign-up for the beta on the Cloudflare Rate Limiting page. From there you'll be able to limit the requests per IP to your wp-login.php page.

As an additional layer to bruteforce protection, you can utilise Two-Factor Authentication with WordPress which can help protect your account even if your password is disclosed.

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk