I believe anyone who builds a website with WordPress, especially those who buy a VPS and then install Baota Panel to set up WordPress, has run into the situation where CPU usage suddenly hits 100%, the whole server becomes sluggish and the site stops responding. If you look at the website's access log at that moment, you will often find a large number of suspicious requests, as in the image below:

From the log in the image above we can see that a single client (a bot) at IP 172.70.222.233 fired off many requests for PHP files that do not exist on the site, all within the same minute at 00:31. One caveat before you reach for an IP ban: 172.70.222.233 sits inside 172.64.0.0/13, one of Cloudflare's published address ranges, so if the site is already behind Cloudflare the logged address is a Cloudflare edge node, not the scanner. The real client address arrives in the CF-Connecting-IP header and the origin has to be configured to restore it before the IP column in the log means anything.
That many requests in a few seconds is more than the modest VPS most of us buy can absorb. Every request for a .php path is handed to PHP rather than answered as a cheap static 404, so the CPU spikes to 100% and the site becomes unreachable.
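To find scanners like the one above without reading the log by eye, the following script (an added example written for this article, not part of the original post or of Baota Panel) parses a few constructed lines in the common "combined" log format, counts 404 responses for .php paths per client IP, and flags the noisy ones. It also checks whether the logged address belongs to Cloudflare's published IPv4 ranges; the list embedded here is a snapshot of those ranges and should be refreshed from https://www.cloudflare.com/ips/ before relying on it. The threshold of three hits is an arbitrary assumption for the demo.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in Nginx/Apache "combined" log format (not real traffic).
# The first IP mirrors the article's screenshot; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
172.70.222.233 - - [12/May/2024:00:31:02 +0800] "GET /admin.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
172.70.222.233 - - [12/May/2024:00:31:02 +0800] "GET /shell.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
172.70.222.233 - - [12/May/2024:00:31:03 +0800] "GET /wp-config.php.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
172.70.222.233 - - [12/May/2024:00:31:03 +0800] "GET /uploads/x.php?cmd=id HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:00:31:05 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:00:31:06 +0800] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:00:31:07 +0800] "GET /old.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/).
# Used only to tell a Cloudflare edge address apart from a direct client.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_edge(ip: str) -> bool:
    """True if the address is inside the embedded Cloudflare IPv4 snapshot."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)


def parse_line(line: str):
    """Return {'ip', 'path', 'status'} for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status"))}


def php_404_by_ip(log_text: str, threshold: int = 3) -> dict:
    """Count 404s on paths containing '.php' per IP; keep IPs at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404 and ".php" in rec["path"].lower():
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in php_404_by_ip(SAMPLE_LOG).items():
        note = "Cloudflare edge (real client is in CF-Connecting-IP)" if is_cloudflare_edge(ip) else "direct client"
        print(f"{ip}: {n} x 404 on .php paths, {note}")
```

Run it against a real log with `php_404_by_ip(open("access.log").read())`; if every flagged IP is reported as a Cloudflare edge, the log is not recording real client addresses and an origin-side IP ban would block Cloudflare itself.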
What is the harm of this scanning behavior?
- It consumes server resources: every request costs CPU and I/O, and a .php request additionally ties up a PHP worker. A flood of scanning requests eats bandwidth and compute that should serve real users, making the site slow or taking it down entirely.
- It probes for vulnerabilities: the attacker requests well-known script paths (old admin tools, leftover installers, previously uploaded backdoors, vulnerable plugin files) to learn whether any of them exist on your site. As soon as one responds, they move on to exploiting it.
- It buries the useful logs: thousands of 404 lines drown out normal access records and make log analysis and troubleshooting much harder.
How to block it? Solution approach
If your site already uses Cloudflare's CDN, you can drop these requests efficiently with Cloudflare's custom security rules, which protects the server's resources and improves both security and response time.
Cloudflare's "Custom Rules" feature lets you write a conditional expression that decides whether a request is malicious. When a request matches, Cloudflare returns a block page from its edge and the request never reaches your server, which removes the resource drain at its source. One precondition: this only helps if the origin is not reachable directly. If the server's public IP still answers on ports 80/443, a scanner that knows or guesses it bypasses Cloudflare entirely, so restrict those ports at the server firewall to Cloudflare's published IP ranges.
As shown in the image below:

Practical Tutorial: Creating Custom Security Rules
Next, let's create this "firewall" rule step by step.
Step 1: Go to the Custom Rules settings page
- Log in to your Cloudflare dashboard and select the website you want to protect.
- In the left navigation bar, go to Security > Security Rules.
- In the top tabs, select Custom Rules.
- Click Create Rule > Custom Rules to enter the rule editor.
Step 2: Configure rule conditions and actions
Now you will see an interface similar to the screenshot below (the screenshot shows a rule that has already been added):

Rule Name: Give it a clear, descriptive name, such as "Block Access to Non-existent PHP Files".
Rule Configuration: This is the core of the rule. You can build it field by field as in the screenshot, or click "Edit Expression" and paste the following expression into the editor:

(http.request.uri.path contains ".php" and not http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-includes/" and not http.request.uri.path contains "/wp-content/" and not http.request.uri.path contains "/index.php" and not http.request.uri.path contains "/wp-login.php" and not http.request.uri.path contains "/wp-cron.php" and not http.request.uri.path contains "/xmlrpc.php")

The expression means:
- http.request.uri.path contains ".php": matches every request whose path contains .php.
- not http.request.uri.path contains "/wp-admin/" and the other not clauses: exclude the PHP files and directories that WordPress needs in order to work. This is the crucial part that keeps legitimate traffic from being blocked:
  - /wp-admin/: the WordPress admin dashboard.
  - /wp-includes/: the WordPress core library.
  - /wp-content/: themes, plugins and uploaded files.
  - /index.php, /wp-login.php, /wp-cron.php, /xmlrpc.php: WordPress core entry points.
Simply put, the rule says: "Block every request for a PHP file, except the PHP files the WordPress system itself requires."
Two caveats worth knowing. First, contains is a plain, case-sensitive substring match, so the allow-list clauses match anywhere in the path, not only at the start, and a request for /Shell.PHP does not match ".php" at all. Second, /wp-content/ is excluded because plugins and themes legitimately ship PHP there, but /wp-content/uploads/ is also where an attacker who gets a file upload through would drop a webshell, and this rule lets such a request pass. The rule stops scanning noise; it is not a substitute for keeping WordPress and its plugins patched.
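To see exactly which paths the expression above lets through, here is a small re-implementation of its logic in Python (an added example for this article, not Cloudflare's code), together with a tighter variant. The tighter variant mirrors what you would get in the Cloudflare editor by combining lower(http.request.uri.path), starts_with() and eq instead of contains: it anchors the directory allow-list at the start of the path, allows only /wp-content/plugins/ and /wp-content/themes/ rather than all of /wp-content/, and matches ".php" case-insensitively. Whether excluding /wp-content/uploads/ is safe for your site is an assumption to verify: a plugin that serves PHP from uploads would break.

```python
# Re-implementation of the article's Cloudflare expression (added example, not Cloudflare code).
# Cloudflare's `contains` is a case-sensitive substring test, which is mirrored with `in`.
ALLOWED_SUBSTRINGS = (
    "/wp-admin/", "/wp-includes/", "/wp-content/",
    "/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
)


def rule_blocks(path: str) -> bool:
    """True if the article's custom rule would block this request path."""
    if ".php" not in path:
        return False
    return not any(s in path for s in ALLOWED_SUBSTRINGS)


# Tighter variant: prefix-anchored directories, exact core files, case-insensitive ".php".
# Equivalent Cloudflare building blocks: lower(), starts_with(), eq  (assumed mapping).
ALLOWED_PREFIXES = ("/wp-admin/", "/wp-includes/", "/wp-content/plugins/", "/wp-content/themes/")
ALLOWED_EXACT = {"/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php"}


def tighter_rule_blocks(path: str) -> bool:
    """True if the tightened rule would block this request path."""
    lowered = path.lower()
    if ".php" not in lowered:
        return False
    if lowered in ALLOWED_EXACT:
        return False
    return not lowered.startswith(ALLOWED_PREFIXES)


def compare(paths):
    """Return {path: (article_rule_blocks, tighter_rule_blocks)} for a list of paths."""
    return {p: (rule_blocks(p), tighter_rule_blocks(p)) for p in paths}


if __name__ == "__main__":
    # Constructed probe paths: typical scanner guesses plus legitimate WordPress traffic.
    for path, (loose, tight) in compare([
        "/shell.php",                          # scanner guess: both rules block
        "/wp-login.php",                       # legitimate: both allow
        "/wp-content/plugins/foo/ajax.php",    # legitimate plugin endpoint: both allow
        "/wp-content/uploads/2024/shell.php",  # webshell location: article rule allows
        "/x/wp-admin/shell.php",               # substring trick: article rule allows
        "/Shell.PHP",                          # case trick: article rule allows
        "/style.css",                          # not PHP: both allow
    ]).items():
        print(f"{path:40} article={'BLOCK' if loose else 'pass ':5} tighter={'BLOCK' if tight else 'pass'}")
```

Paste a handful of your site's real admin-ajax, plugin and theme URLs into the list before switching to the tighter form, so that a legitimate path landing in the BLOCK column is caught in the script rather than in production.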
Then, under "Take action", select "Block" and click Deploy.
Effect Verification
After deploying the rule, open your website in a browser and click through several pages, including logging in to the admin dashboard and saving a post, to confirm that nothing legitimate has been blocked.
Then request a PHP file that does not exist (for example, append a few random letters or digits to a URL ending in .php). You should see Cloudflare's block page rather than WordPress's 404 page; the response status is a 403 served by Cloudflare, and the request should not appear in the origin's access log at all, which is the real proof that it never reached the server.
Summary:
Once deployed, this rule takes the load of abnormal PHP requests off the server: they are answered at Cloudflare's edge and never forwarded. Even if hundreds or thousands of IPs scan for non-existent PHP files every day, the server no longer falls over. Best of all, custom rules are available on Cloudflare's free plan, so this costs nothing extra: cheap and effective.
