Within the WordPress community, I find a lot of folks use a variety of security plugins and methods to secure their websites against denial of service attacks and brute force connections.
Recently I’ve begun reading a number of comments in the Facebook forums and personal blogs regarding how poorly Cloudflare performs against automated website attacks.
I find this strange because Cloudflare has always promoted the benefits of its distributed content delivery network (CDN) to help reduce the impacts of extreme events, like mass IP connections, and it has protocols in place to help reduce Layer 7 DOS and brute-force attacks as well.
That said, it’s become apparent to me that many are simply not taking the next step in using Cloudflare to better protect websites against denial of service attacks (video), and implementing those protections appropriately for their needs.
I use the free Cloudflare service to help protect my website and I use my web host’s free SSL certificate to better secure my login page and forms. Using the free Cloudflare and SSL certificate services seems like a no-brainer to me.
So what about blocking the bad guys and bad bots you ask?
If you have Cloudflare set up already, then you are halfway there. An apparently little-known feature of Cloudflare, called “Rate Limiting”, allows you to create rules to block specific types and rates of traffic connecting to your website. Best of all, the Rate Limiting service is free (for the first 10,000 requests).
Check this article, Cloudflare Rate Limiting – Insight, Control, and Mitigation against Layer 7 DDoS Attacks, on the Cloudflare website for more details.
To get to the Rate Limiting feature, after logging into your Cloudflare account, click the Firewall button (shown below):
Ok, so before you say, “But it is not really free, so I’m not interested!”: if your website is not heavily trafficked, I suggest you try the Rate Limiting feature out, unless 5 cents per 10,000 requests beyond the first free 10,000 requests is going to break your coffee budget for the month.
The skinny from the Billing for Cloudflare Rate Limiting web page: “Rate Limiting is billed based on the number of good (not blocked) requests that match your defined rules across your website. Each request is only counted once so you will not be double charged if a request matches multiple rules.”
This page on the Cloudflare website, Rate Limiting: Live Demo, gives a taste of the rules that can be set. It includes a handy test page that shows what happens when you visit or refresh a web page 10 times, which is the kind of rate limit rule you might set for a login page: https://www.cloudflare.com/rate-limit-test
If you have experienced an increase in login attempts or attacks on your website I definitely recommend trying out the Cloudflare Rate Limiting option to help control and block suspicious connections to your website.
But that’s not all… Cloudflare has another, better-known card up its sleeve as well, called “Page Rules”.
Page Rules were first promoted by Cloudflare back in 2012. As the name suggests, Page Rules allow you to control how Cloudflare works on your site on a page-by-page basis. This page at Cloudflare gets into the nitty-gritty, tutorial-wise: “Is there a tutorial for Page Rules?”.
If you are a WordPress user but don’t have a lot of time to geek out on the subject, I recommend taking advantage of a few simple rules to get you started. These particular rules focus on protecting your site against denial of service attacks.
Our goal here is to block your login page URLs and the most commonly attacked XML-RPC related URL (xmlrpc.php).
Set the three page rules below, replacing yourdomain.com with your domain name:
- URL Matches: `*yourdomain.com/wp-login.php*`
- URL Matches: `*yourdomain.com/wp-admin*`
- URL Matches: `*yourdomain.com/xmlrpc.php*`
Click the “Add a Setting” link to complete setup of each URL above, then the “Save and Deploy” button.
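As an added illustration (not Cloudflare’s code or the author’s), here is a small Python model of how the pieces above fit together: URL patterns with Cloudflare-style `*` wildcards, a per-IP sliding-window rate limit, and the billing rule quoted earlier, which counts each good matching request once. The thresholds, the 60-second window and the request log are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed rules in the shape of the Cloudflare UI: a '*' wildcard URL pattern plus an assumed per-IP threshold.
RULES = [
    {"name": "login",  "pattern": "*yourdomain.com/wp-login.php*", "limit": 10, "window": 60},
    {"name": "admin",  "pattern": "*yourdomain.com/wp-admin*",     "limit": 10, "window": 60},
    {"name": "xmlrpc", "pattern": "*yourdomain.com/xmlrpc.php*",   "limit": 10, "window": 60},
]

def url_matches(pattern, url):
    """'*' matches any run of characters; the scheme is ignored (an assumption)."""
    target = url.split("://", 1)[-1]
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, target) is not None

def run_rate_limiter(requests, rules=RULES):
    """requests: (timestamp_seconds, client_ip, url) tuples in time order. Returns
    per-request decisions ('allow'/'block'/'no-match') and the count of good matching
    requests, each counted once even if it matched several rules (as Cloudflare bills)."""
    windows = defaultdict(deque)  # (rule name, client ip) -> timestamps of allowed hits
    decisions, billable = [], 0
    for ts, ip, url in requests:
        matched = [r for r in rules if url_matches(r["pattern"], url)]
        if not matched:
            decisions.append("no-match")
            continue
        blocked = False
        for r in matched:
            hits = windows[(r["name"], ip)]
            while hits and ts - hits[0] >= r["window"]:  # expire hits outside the window
                hits.popleft()
            if len(hits) >= r["limit"]:
                blocked = True
        if blocked:
            decisions.append("block")  # blocked requests are not billed
            continue
        for r in matched:
            windows[(r["name"], ip)].append(ts)
        decisions.append("allow")
        billable += 1
    return decisions, billable

# Constructed log: one client hammers the login page (12 hits in 24 s); another browses normally.
SAMPLE = sorted(
    [(2 * i, "203.0.113.5", "https://yourdomain.com/wp-login.php") for i in range(12)]
    + [(5, "198.51.100.7", "https://yourdomain.com/wp-admin/admin-ajax.php"),
       (6, "198.51.100.7", "https://yourdomain.com/"),
       (7, "203.0.113.5", "https://yourdomain.com/xmlrpc.php")])
```

Note that the `*yourdomain.com/wp-admin*` pattern also matches /wp-admin/admin-ajax.php, which WordPress themes and plugins call from the front end for logged-out visitors too, so check that rule’s match counts before you tighten it.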
That’s it!
I hope you’ve enjoyed this article and found it helpful. If you have any questions please feel free to call me anytime. I’m here to help.
About this article: I have no relation to Cloudflare and no content on this page is a paid for promotion.