WordPress Bot Protection with Cloudflare: My Exact WAF Rules (Copy/Paste)

February 9, 2026 | Last Modified: March 4, 2026



This resource is about implementation.

In the public article, I explained why bot protection matters and why Cloudflare's edge is the most effective place to stop that traffic. Here, we’re skipping theory and going straight to execution.

Below, you’ll find the exact Cloudflare WAF security rules I use on my own sites and on client sites, designed to work within the limits of a free Cloudflare account. These rules are intended to be copied, pasted, and enabled as-is, with only minimal adjustments if your site has unique requirements.

Alongside this page is a companion video. In that video, I walk through:

  • Where these rules live inside a standard Cloudflare account
  • The correct order to create them
  • Which rules are skip, challenge, or block
  • How to safely test and deploy them
  • What to tweak if something legitimate gets caught

If you follow the steps shown, you’ll end up with a layered Cloudflare WAF setup that blocks the majority of automated WordPress bot traffic before it ever reaches your server.

I will also point out some common exclusions and modifications you may need to make to these rules.



Duration: 22m 37s