Free Cloudflare WAF Rule: Basic Website Protection
🚨 Read This Before You Copy-Paste 🚨
This rule is extremely basic. If you apply it blindly, you will almost certainly break something on your site. You could lose traffic, kill your SEO, or lock out real users. Use at your own risk.
This is a free, entry-level Cloudflare Firewall Rule that blocks a bunch of dumb attacks and bots. It is absolutely not a silver bullet. If you run a WordPress site and do not care about traffic, this might be a good starting point. If you rely on Google, social sharing, or any third-party integrations, this will probably break things in ways you do not notice until your ranking tanks. You have been warned.
What Does It Do?
- Blocks obvious probe requests: any path containing .env, .git, phpmyadmin, wp-config, adminer or shell. These are substring matches, so /shop/shell-jacket or /.github/ match just as well as /.env.
- Blocks requests whose user agent contains curl, wget, python, java, node-fetch, vpn or proxy. Anyone who bothers to set a browser user agent walks straight past this part.
- Blocks all traffic from four ASNs: 16509 and 14618 (Amazon/AWS), 20473 (Vultr/Choopa) and 13335 (Cloudflare itself, which covers WARP users and fetches made from Cloudflare Workers). The rule has a single action, so these are blocked outright, not challenged.
- Blocks any request to a path containing /wp-login unless the Referer header contains yourdomain.co.uk. Referer is set by the client, so this stops only the laziest brute-forcers, and it also blocks real users who open the login page from a bookmark or with a stripped Referer.
- Exempts paths ending in .css, .js, .png, .jpg, .jpeg, .gif, .svg or .ico from all of the above, so static assets still load.
The Rule (Copy-Paste for Cloudflare Firewall)
(
  lower(http.request.uri.path) contains ".env"
  or lower(http.request.uri.path) contains ".git"
  or lower(http.request.uri.path) contains "phpmyadmin"
  or lower(http.request.uri.path) contains "wp-config"
  or lower(http.request.uri.path) contains "adminer"
  or lower(http.request.uri.path) contains "shell"
  or lower(http.user_agent) contains "curl"
  or lower(http.user_agent) contains "wget"
  or lower(http.user_agent) contains "python"
  or lower(http.user_agent) contains "java"
  or lower(http.user_agent) contains "node-fetch"
  or ip.geoip.asnum in {16509 14618 20473 13335}
  or lower(http.user_agent) contains "vpn"
  or lower(http.user_agent) contains "proxy"
  or (
    lower(http.request.uri.path) contains "/wp-login"
    and not http.referer contains "yourdomain.co.uk"
  )
)
and not (
  ends_with(lower(http.request.uri.path), ".css")
  or ends_with(lower(http.request.uri.path), ".js")
  or ends_with(lower(http.request.uri.path), ".png")
  or ends_with(lower(http.request.uri.path), ".jpg")
  or ends_with(lower(http.request.uri.path), ".jpeg")
  or ends_with(lower(http.request.uri.path), ".gif")
  or ends_with(lower(http.request.uri.path), ".svg")
  or ends_with(lower(http.request.uri.path), ".ico")
)
Action: Block
Paste this expression into a custom rule under Security > WAF > Custom rules (the older Firewall Rules UI used the same expression language), set the action to Block, and replace yourdomain.co.uk with your own hostname. The ip.geoip.asnum field still works but has been renamed ip.src.asnum; either is accepted. Note that the Referer comparison is the only part of the rule that is not wrapped in lower(), so it is case-sensitive.
Why Should I Be Cautious?
- This rule has no notion of verified bots. Googlebot's own user agent happens not to match, but any crawler, link-preview fetcher or uptime checker that originates from AWS, Vultr or Cloudflare's network is blocked by the ASN check regardless of who it is, and anything whose user agent contains java, python or proxy goes with it. If you rely on SEO or rich previews, expect things to break.
- Third-party services that call your site (payment-provider webhooks, form integrations, monitoring) are blocked if they run on AWS, Vultr or Cloudflare Workers. Blocked means a 403 they will retry and then give up on, not a challenge they can solve.
- If you run a membership site or allow logins, you can accidentally lock out your own users: the /wp-login check rejects anyone who arrives without a Referer containing your domain (bookmarks, password managers, strict Referrer-Policy), and the ASN check rejects anyone whose VPN or corporate egress sits in AWS or on Cloudflare WARP.
- There is no allow-list for search engines or for your own IPs here. Cloudflare exposes cf.client.bot for verified crawlers, but this rule does not use it. Matches do show up under Security > Events, so watch that page after you deploy. This is just a sledgehammer.
- You are responsible for all breakage. Test on a staging site before you even think of applying to production.
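To see concretely what the rule above blocks and what the cautions just listed mean in practice, here is an added example (not from the original post and not Cloudflare code) that re-implements the rule's boolean expression in Python and runs it over a handful of constructed sample requests. The paths, user agents and service names are made up for the example; AS64496 is a documentation ASN (RFC 5398) standing in for a home connection, and yourdomain.co.uk is the placeholder from the rule.

```python
"""Offline emulator of the WAF rule above (added example, not Cloudflare code).

It re-implements the rule's boolean expression so you can see which requests
would be blocked before pasting the rule into Cloudflare. All sample requests
below are constructed for the example; AS64496 is a documentation ASN.
"""
from dataclasses import dataclass

# Substrings and sets copied from the rule.
PROBE_PATHS = (".env", ".git", "phpmyadmin", "wp-config", "adminer", "shell")
TOOL_AGENTS = ("curl", "wget", "python", "java", "node-fetch", "vpn", "proxy")
BLOCKED_ASNS = {16509, 14618, 20473, 13335}  # Amazon, Amazon, Vultr, Cloudflare
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico")
SITE_DOMAIN = "yourdomain.co.uk"  # placeholder used in the rule


@dataclass
class Request:
    """The four request fields the rule reads."""
    path: str             # http.request.uri.path (no query string)
    user_agent: str = ""  # http.user_agent
    referer: str = ""     # http.referer
    asn: int = 0          # ip.geoip.asnum


def rule_matches(req: Request) -> bool:
    """True when the rule expression is true, i.e. Cloudflare would Block."""
    path = req.path.lower()
    ua = req.user_agent.lower()
    probe = any(needle in path for needle in PROBE_PATHS)
    tool = any(needle in ua for needle in TOOL_AGENTS)
    from_blocked_asn = req.asn in BLOCKED_ASNS
    # The rule does not lower() the Referer, so this comparison is case-sensitive.
    login_without_referer = "/wp-login" in path and SITE_DOMAIN not in req.referer
    static_asset = any(path.endswith(suffix) for suffix in STATIC_SUFFIXES)
    return (probe or tool or from_blocked_asn or login_without_referer) and not static_asset


FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
HOME_ASN = 64496  # documentation ASN, stands in for a residential ISP

# Constructed sample traffic: attacks, bypasses and legitimate visits side by side.
SAMPLES = {
    "googlebot crawling the homepage": Request("/", GOOGLEBOT, asn=15169),  # Google's ASN, not in the set
    "curl probing for .env": Request("/.env", "curl/8.4.0", asn=HOME_ASN),
    "probe hiding behind a browser UA": Request("/.git/config", FIREFOX, asn=HOME_ASN),
    "login attempt with a spoofed Referer": Request(
        "/wp-login.php", FIREFOX, referer="https://yourdomain.co.uk/wp-admin/", asn=HOME_ASN),
    "real user opening login from a bookmark": Request("/wp-login.php", FIREFOX, asn=HOME_ASN),
    "shop page whose slug contains 'shell'": Request("/shop/shell-jacket", FIREFOX, asn=HOME_ASN),
    "webhook from a service hosted on AWS": Request("/webhook", "AcmeWebhook/1.0", asn=16509),
    "fetch() from a Cloudflare Worker": Request("/api/status", "AcmeWorker/1.0", asn=13335),
    "stylesheet of a theme named 'shell'": Request(
        "/wp-content/themes/shell/style.css", FIREFOX, asn=HOME_ASN),
}


def evaluate_samples() -> dict[str, bool]:
    """Map each sample description to whether the rule would block it."""
    return {name: rule_matches(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in evaluate_samples().items():
        print(f"{'BLOCK' if blocked else 'allow':5}  {name}")
```

Run it with `python3 rule_emulator.py`. The output shows the two sides of the sledgehammer in one table: the .env and .git probes are caught even with a browser user agent, but the spoofed-Referer login attempt sails through while the legitimate bookmark visit and the shop page are blocked, and both the AWS webhook and the Worker fetch are rejected purely on ASN. Before deploying, add your own site's real paths and integrations to SAMPLES and check nothing you depend on lands in the BLOCK column.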
What a Real Security Setup Looks Like
- Knows Googlebot from a criminal with a Python script
- Lets your team in, blocks the noise
- Tracks and fingerprints actual attackers, not just their IP
- Sends live alerts to your phone or Discord when real threats show up
- Custom-tuned for your stack and your users – not just a copy-paste rule
This freebie is a plastic sword. The real kit is forged steel. If you want your website locked down like Fort Knox but still working for real customers and search engines, email me.
The Reasonable Adjustment
Security by design, not just by accident.
Contact for consultancy and custom security setups