Cloudflare WAF Rules

A list of Cloudflare Web Application Firewall rules added under Security > WAF > Custom rules. Custom rules are evaluated in the order they are listed, and the first rule below uses the Skip action, so any request it matches is exempt from every rule that follows it (when the skip is set to skip the remaining custom rules). Each rule is given as its name, its action, a short description and the expression to paste into the rule editor.

Allow Good Bots

Skip

The "Allow Good Bots" rule exempts approved bots from the remaining custom rules: bots Cloudflare has verified in the listed categories, plus a few that are identified by user agent or source address (the Let's Encrypt ACME validator, the WPAI scheduler, Better Uptime, QUIC.cloud) and any request whose path contains "favicon". Two caveats. First, $patchstack refers to a custom IP list, which must already exist under Manage Account > Configurations > Lists or the rule will not save. Second, user-agent substrings are trivially spoofed, and because this is a Skip rule every http.user_agent match here is a bypass of everything below it for anyone who reads this page; keep those entries to a minimum and prefer cf.verified_bot_category or source-IP conditions where you can. Note that contains is case-sensitive in the Cloudflare rules language, which is why both "quic.cloud" and "QUIC" appear.

Expression
(cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher"}) or (http.user_agent contains "letsencrypt" and http.request.uri.path contains "acme-challenge") or (http.user_agent contains "WPAI Scheduler") or (http.request.uri.path contains "favicon") or (http.request.uri.path contains "FavIcon") or (ip.src in $patchstack) or (http.user_agent contains "Better Uptime Bot") or (http.user_agent contains "quic.cloud") or (http.user_agent contains "QUIC")

Aggressive Crawlers

Managed Challenge

The "Aggressive Crawlers" rule challenges overly persistent crawlers rather than blocking them outright, so a real browser behind a fake crawler user agent can still get through by solving the managed challenge. It stops most fake bots, but it will also challenge legitimate SEO crawlers such as Semrush, Ahrefs and MJ12; remove those entries if you rely on their reports. The generic "bot", "Bot", "crawl", "Crawl" and "spider" matches are qualified with not cf.client.bot so that Cloudflare's known good bots are not caught, and both capitalisations are listed because contains is case-sensitive (wrapping the field in lower() would collapse each pair into one condition).

Expression
(http.user_agent contains "yandex") or (http.user_agent contains "sogou") or (http.user_agent contains "semrush") or (http.user_agent contains "ahrefs") or (http.user_agent contains "baidu") or (http.user_agent contains "python-requests") or (http.user_agent contains "neevabot") or (http.user_agent contains "CF-UC") or (http.user_agent contains "sitelock") or (http.user_agent contains "crawl" and not cf.client.bot) or (http.user_agent contains "bot" and not cf.client.bot) or (http.user_agent contains "Bot" and not cf.client.bot) or (http.user_agent contains "Crawl" and not cf.client.bot) or (http.user_agent contains "spider" and not cf.client.bot) or (http.user_agent contains "mj12bot") or (http.user_agent contains "ZoominfoBot") or (http.user_agent contains "mojeek") or (ip.src.asnum in {135061 23724 4808} and http.user_agent contains "siteaudit")

Challenge Large Providers / Country

Managed Challenge

This rule does two things. It issues a Managed Challenge to connections from the big cloud providers (Amazon AS7224, AS16509 and AS14618, Microsoft AS8075, Google Cloud AS396982), and to visitors from outside your own country. Attackers and spammers frequently rent instances from these providers to hammer sites or scan them, and such an instance can stay active for a day or longer, consuming resources the whole time. Verified bots, Cloudflare's known good bots and favicon requests are exempted from the provider part; the country part additionally exempts ACME challenges, requests carrying an fbclid query parameter and Meta's own network (AS32934), so that Facebook link previews and click-throughs are not challenged. The expression hard-codes "US" as the home country: replace it with your own ISO country code.

Expression
(ip.src.asnum in {7224 16509 14618 8075 396982} and not cf.client.bot and not cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher" "Aggregator"} and not http.request.uri.path contains "FavIcon" and not http.request.uri.path contains "favicon") or (not ip.src.country in {"US"} and not cf.client.bot and not cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher" "Aggregator"} and not http.request.uri.path contains "acme-challenge" and not http.request.uri.query contains "fbclid" and not ip.src.asnum in {32934})

Challenge Path / VPN

Managed Challenge

This rule does two things: it issues a Managed Challenge to connections from a list of VPN provider networks, and to any request whose path contains "wp-login" (the WordPress login page). xmlrpc.php is not handled here; it is blocked outright by the next rule. Four of the ASNs listed (8100, 9009, 206092 and 212238) also appear in that Block rule, so reconcile the two lists if you intend the challenge rather than the block to apply to them.

Expression
(ip.src.asnum in {60068 9009 16247 51332 212238 131199 22298 29761 62639 206150 210277 46562 8100 3214 206092 206074 206164 213074}) or (http.request.uri.path contains "wp-login")

Block Web Host / Paths / TOR

Block

This rule blocks a list of hosting provider networks compiled over the years; it does not cover every host, but it covers many of the major ones. It also blocks requests for xmlrpc.php, wp-config.php and wlwmanifest.xml, verified bots in Cloudflare's "AI Crawler" and "Other" categories, and Tor exit traffic, which Cloudflare reports under the pseudo country code T1. Blocking xmlrpc.php also breaks Jetpack and the WordPress mobile apps, which talk to the site over XML-RPC; relax that condition if you depend on them.

Expression
(ip.src.asnum in {200373 198571 26496 31815 18450 398101 50673 7393 14061 205544 199610 21501 16125 51540 264649 39020 30083 35540 55293 36943 32244 6724 63949 7203 201924 30633 208046 36352 25264 32475 23033 212047 31898 210920 211252 16276 23470 136907 12876 210558 132203 61317 212238 37963 13238 2639 20473 63018 395954 19437 207990 27411 53667 27176 396507 206575 20454 51167 60781 62240 398493 206092 63023 213230 26347 20738 45102 24940 57523 8100 8560 6939 14178 46606 197540 397630 9009 11878}) or (http.request.uri.path contains "xmlrpc") or (http.request.uri.path contains "wp-config") or (http.request.uri.path contains "wlwmanifest") or (cf.verified_bot_category in {"AI Crawler" "Other"}) or (ip.src.country in {"T1"})
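Before pasting the rules above into the dashboard it is worth checking them for list hygiene. The script below is an added example, not Cloudflare's code and not part of the original page: it takes the four rules that carry ASN sets, trimmed to the parts it inspects (constructed input copied from the expressions above), and reports ASNs listed twice inside one rule, ASNs that appear in more than one rule, and http.request.uri.query literals that can never match because they include the "?" delimiter, which Cloudflare strips from that field. Run against the rules as originally written it flags the repeated 32475 entry in the block list, the " ?fbclid" literal, and the four VPN ASNs that the block rule also lists.

```python
"""Lint the custom-rule expressions on this page before deploying them.

Added example, not Cloudflare code. It does not evaluate the rules; it pulls the
`ip.src.asnum in {...}` sets and `http.request.uri.query contains "..."`
literals out of each expression and reports what a reviewer wants to know.
"""
import re
from collections import Counter, defaultdict

# (name, action, expression). Constructed sample input: copies of the rules on this
# page trimmed to the ASN sets, query literals and a few surrounding conditions.
RULES = [
    ("Aggressive Crawlers", "managed_challenge",
     '(http.user_agent contains "python-requests") or '
     '(ip.src.asnum in {135061 23724 4808} and http.user_agent contains "siteaudit")'),
    ("Challenge Large Providers / Country", "managed_challenge",
     '(ip.src.asnum in {7224 16509 14618 8075 396982} and not cf.client.bot) or '
     '(not ip.src.country in {"US"} and not cf.client.bot '
     'and not http.request.uri.query contains " ?fbclid" and not ip.src.asnum in {32934})'),
    ("Challenge Path / VPN", "managed_challenge",
     '(ip.src.asnum in {60068 9009 16247 51332 212238 131199 22298 29761 62639 206150 '
     '210277 46562 8100 3214 206092 206074 206164 213074}) or '
     '(http.request.uri.path contains "wp-login")'),
    ("Block Web Host / Paths / TOR", "block",
     '(ip.src.asnum in {200373 198571 26496 31815 18450 398101 50673 7393 14061 205544 '
     '199610 21501 16125 51540 264649 39020 30083 35540 55293 36943 32244 6724 63949 7203 '
     '201924 30633 208046 36352 25264 32475 23033 32475 212047 32475 31898 210920 211252 '
     '16276 23470 136907 12876 210558 132203 61317 212238 37963 13238 2639 20473 63018 '
     '395954 19437 207990 27411 53667 27176 396507 206575 20454 51167 60781 62240 398493 '
     '206092 63023 213230 26347 20738 45102 24940 57523 8100 8560 6939 14178 46606 197540 '
     '397630 9009 11878}) or (http.request.uri.path contains "xmlrpc") or '
     '(ip.src.country in {"T1"})'),
]

# Optional leading "not" is captured so exclusions are not mistaken for matches.
ASN_SET = re.compile(r'(not\s+)?ip\.src\.asnum\s+in\s+\{([^}]*)\}')
QUERY_LITERAL = re.compile(r'http\.request\.uri\.query\s+contains\s+"([^"]*)"')


def asn_sets(expression):
    """Every `ip.src.asnum in {...}` in the expression as (negated, [asn, ...])."""
    return [(m.group(1) is not None, [int(a) for a in m.group(2).split()])
            for m in ASN_SET.finditer(expression)]


def positive_asns(expression):
    """ASNs the rule matches on, with multiplicity; `not ... in {...}` sets are ignored."""
    counts = Counter()
    for negated, asns in asn_sets(expression):
        if not negated:
            counts.update(asns)
    return counts


def duplicate_asns(expression):
    """ASNs listed more than once across the positive sets of a single rule."""
    return {asn for asn, n in positive_asns(expression).items() if n > 1}


def cross_rule_asns(rules):
    """ASN -> names of rules whose positive sets contain it, for ASNs in more than one rule."""
    seen = defaultdict(list)
    for name, _action, expression in rules:
        for asn in positive_asns(expression):
            seen[asn].append(name)
    return {asn: names for asn, names in seen.items() if len(names) > 1}


def unmatchable_query_literals(expression):
    """uri.query literals containing '?' or stray whitespace; Cloudflare's field has neither."""
    return [lit for lit in QUERY_LITERAL.findall(expression)
            if "?" in lit or lit != lit.strip()]


def lint(rules):
    """Human-readable findings for the whole rule set, per-rule issues first."""
    findings = []
    for name, _action, expression in rules:
        for asn in sorted(duplicate_asns(expression)):
            findings.append(f"{name}: ASN {asn} is listed more than once")
        for lit in unmatchable_query_literals(expression):
            findings.append(f"{name}: uri.query literal {lit!r} can never match")
    for asn, names in sorted(cross_rule_asns(rules).items()):
        findings.append(f"ASN {asn} appears in {len(names)} rules ({', '.join(names)}); "
                        "rule order decides which action applies")
    return findings


if __name__ == "__main__":
    for line in lint(RULES):
        print(line)
```

The script only parses the expression text; it knows nothing about how Cloudflare evaluates a request, so treat its cross-rule findings as a prompt to decide which rule should own each ASN, not as a statement of what will happen to traffic from it.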

Important: Whitelist Your Server IP

Because these rules challenge or block traffic by source network and path, anything your own server sends to its public hostname through Cloudflare can be caught too: WP-Cron and loopback requests, webhooks between your own sites, and other automated jobs will fail if the host sits in one of the listed ASNs or calls wp-login.php. Whitelist your web server's IP address in Cloudflare so that these keep working.

To whitelist your server IP:

  1. Go to Security > WAF > Tools (IP Access Rules) in your Cloudflare dashboard
  2. Enter your server's public IP address in the "IP, IP range, country name, or ASN" field
  3. Set the action to Allow
  4. Choose "All websites in account" if you host several sites on the same server
  5. Add a note such as "Web Server IP" so you remember what the rule is for

Use the address the server actually connects out from, which on some hosts differs from the address your DNS record points at, and update the entry if the server moves.