Cloudflare ‘free’ Security Rules: The 2026 WordPress Guide

How to Configure Cloudflare Free for WordPress & WooCommerce

Cloudflare’s “Free Account” Limitations

In my opinion, Cloudflare’s 2025/2026 widespread changes to the interface and functions have greatly eased the previous limitations of the “free” account.

Previously, the limit of 3 Page Rules made it difficult to include/exclude pages and directories accurately. The new Cache Rules section allows for 10 rules, which, in my experience this year, have been ample.

I found the WAF area was awkward to work in before. But the new Security Rules page allows for 5 rules plus rate limiting to be applied.

In building rules, I have encountered some issues with the SQL, where some expressions are only allowed on the paid plans. That’s not usually a game-breaker, as a workaround can usually be found.

For a standard WordPress site without an e-commerce burden, my objective is the “Zero-Load Stack” where Asset CleanUp trims the code bloat, WP Rocket prepares the pages, and Super Page Cache pushes the content to the Cloudflare Edge. There are 3 parts to this:

  1. Security Rules: building effective rules that can be easily monitored and analysed.
  2. Site Resilience through Cache Rules: building rules that drive Percentage Cached upwards, underpinned by efficient backend caching (Redis, WP Rocket, Super Page Cache) and Smart Tiered Cache.
  3. Generative AI Analysis: downloading the security log files and using Gemini AI to analyse those for evolving threat vectors AND friendly fire…

How to Set Up Cloudflare Security Rules for WordPress

  1. Log in to Cloudflare and select your domain.
  2. Navigate to Security | Security Rules.
  3. Add Rule #1: Admin Team Access for Backups etc – Action: Skip
  4. Add Rule #2: Priority Bypass (NZ/AU users) – Action: Skip
  5. Add Rule #3: Master Post & Directory – Action: Block
  6. Add Rule #4: Universal Post Bomb – Action: Block
  7. Add Rule #5: Managed Challenge for Non-Priority Countries – Action: Managed Challenge
  8. Add Rule #6: Rate Limiting – Action: Block
  9. Deploy Cache Rules: Use ‘Super Page Cache’ to push your WordPress HTML to the Cloudflare Edge.
  10. Reverse-engineer botnet attacks by using Gemini AI to analyse security rule event logs.

The instructions for each Rule are provided in individual sections further down the page.

What are the best Cloudflare security rules for WordPress?

The best Cloudflare security setup for WordPress involves a 5-rule strategy:

1. Prevent “friendly fire” incidents by bypassing (SKIP) all rules for your own IP address and your server IP, so that WP and Woo processes can operate unimpeded.

2. Add a Priority Bypass so that visitors from preferred countries skip some rules.

3. A BLOCK for all malicious access to targeted internal directory paths.

4. Implementing a BLOCK defence against the various Post “Bomb” and “Slow Burn” attacks designed to cripple server performance.

5. Implementing a “Managed Challenge” for non-priority countries.

How to optimise Cloudflare Cache Rules for WooCommerce?

The Cloudflare free plan provides 10 Cache Rules: more than enough to bypass caching for /cart/, /checkout/, and /my-account/ pages while still enabling “Cache Everything” for static content such as images, PDFs, CSS and JavaScript files.

By using either the US$5 per month Cloudflare APO or the Super Page Cache plugin, we ensure dynamic sessions remain functional without “poisoning” the shopping cart or breaking Add to Cart functionality.

The 5 Essential Security Rules:

When creating a set of security rules, you need to be aware of the likelihood of “friendly fire” that gets you locked out too! There’s no excuse for shooting yourself in the foot, so the first rule should be designed to prevent that from occurring. Breaking the functionality of your WordPress installation isn’t helpful either, and we need to protect administrative functions like backups, caching and updates, and ensure Ajax functions continue to work on internal menus and plugin installations etc.

Building an Admin Whitelist is an important first step, using the Lists Tab on the Manage Account | Configurations page at the bottom of the main left menu.

  • This is the best place to add protected IP Addresses, especially on a busy site with multiple Administrators.
  • Once it’s done, it can be instantly used in multiple locations.
[Screenshot: Admin Whitelist, 2026-04-07]

Preventing Ajax Issues:

To improve load speed, WordPress does some magic with JavaScript concatenation. If you have issues with left column menus not popping out or “search” not working when you’re trying to add a new plugin, this change below usually fixes that. Doing it BEFORE you start makes more sense…

Add this line to wp-config.php:

/* stops issues in WP Admin */
define('CONCATENATE_SCRIPTS', false);

Remember that the rules are processed from top to bottom in the list in Cloudflare.

[Screenshot: 5 Security Rules, 2026-04-07]

Note: Our Rule #3 (Master Directory & Cart Shield) is a “Compound Rule” that combines multiple paths into a single rule to ensure we have sufficient rule slots. Often, the advice is to create lots of itty-bitty rules that quickly burn up all 5 slots. That’s ok on a “Pro” plan where there are lots of rule slots available…

The rules below assume that the site provides services to both New Zealand and Australian clients.

For each Rule, I have provided the “Expression” that can be added to the rule. You will need to:

  • Replace “mydomain.co.nz” with your actual domain name, using the generative AI Prompts sheet at the end of the page.
  • Find the ASN numbers for your Internet service provider/s and add those in the correct section in each rule. Example: AS4771 is the main ASN used for Spark internet service provider’s traffic.

“These rules were developed during the 2026 DDoS attacks we mitigated. For the full story on why these rules are necessary, read the case study on the link above.”

WARNING: Rule #1 and #2 must always be at the top of the list of rules! New users often get this wrong and lock themselves out.

Rule #1: Admin Team Access for Backups, Caching etc.

Here, the goal is to prevent any security rules impacting these functions by “skipping” all rules below this one.

When incoming requests match…


((http.request.uri.path contains "admin-ajax.php" or http.request.uri.path contains "/wp-admin/" or http.request.uri.path contains "/wp-json/" or http.request.uri.path eq "/wp-cron.php") and (ip.src in $admin_whitelist or ip.src.asnum in {approved ASN numbers} or http.user_agent contains "WP-Rocket"))

SKIP
Log matching Requests

[Screenshot: Rule #1 Admin Bypass, 2026-04-07]


Rule #2: The Priority Bypass (Allow Rule)

Here, the goal is to protect any essential functions that did not get a free pass in Rule #1; they now “skip” all rules below this one.

When incoming requests match…

(http.host eq "yourdomain.co.nz" and (ip.src.country in {"NZ" "AU"} or cf.client.bot or ip.src in $admin_whitelist or ip.src.asnum in {approved ASN numbers})) and (http.request.uri.path in {"/wp-login.php" "/xmlrpc.php"} or http.request.uri.path contains "admin-ajax.php")

SKIP
Log matching Requests

[Screenshot: Rule #2 The Priority Bypass (Allow Rule), 2026-04-07]


Rule #3: Master Directory & Cart Shield

This is the area where the majority of malicious DDoS activity occurs, via attacks on specific directories and vulnerable paths. Instant BLOCK stops these in their tracks before they degrade server performance.

When incoming requests match…

(not cf.client.bot and not ip.src in $admin_whitelist and not ip.src.asnum in {approved ASN numbers}) and ((http.host eq "yourdomain.co.nz" and not ip.src.country in {"NZ" "AU"}) or (ip.src.asnum in {13335 14061 8075 31898 51396 396982 40021 209605 201814 141995 213230 39642 394089 212238 60068 213438 215607 48090 51167 45090 33182 12876 9541 20473})) and (http.request.uri.path contains "/wp-login.php" or http.request.uri.path contains "/xmlrpc.php" or http.request.uri.path contains "/alfacgiapi/" or http.request.uri.path contains "/ALFA_DATA/" or http.request.uri.path contains "/packages/" or http.request.uri.path contains "ckupload.php" or http.request.uri.path contains "ckeditor/upload.php" or http.request.uri.path contains ".sql" or http.request.uri.path contains ".env" or http.user_agent contains "curl" or http.request.uri.path contains "/cpanel" or http.request.uri.path contains "/whm" or http.request.uri.path contains "/webmail" or http.host contains "cpanel." or http.host contains "whm." or http.host contains "webmail." or http.request.uri.query contains "rest_route=" or http.request.uri.path contains "/.git/" or http.request.uri.path contains ".json")

BLOCK

[Screenshot: Master Directory & Cart Shield, 2026-04-07]


Rule #4: Universal Post Bomb

This is the other place where malicious botnet activity occurs, via POST bomb and Slow Burn attacks on vulnerable endpoints. DDoS mitigation and prevention starts here. Again, an instant BLOCK stops these in their tracks before they degrade server performance.

When incoming requests match…

(http.request.method eq "POST") and not (cf.client.bot or ip.src in $admin_whitelist or ip.src.asnum in {approved ASN numbers}) and ((ip.src.asnum in {210558 26548 202412 45102 47583 39351 16276 16509 24940 31898 51396 14061 13335 396982 40021 8075 209605 201814 141995 213230 39642 394089 212238 60068 213438 396356 21859 211590 216071}) or (http.request.uri.path in {"/wp-comments-post.php" "/xmlrpc.php" "/wp-login.php"}) or (not http.referer contains "yourdomain.co.nz" and not http.user_agent contains "WordPress") or (len(http.user_agent) < 45) or (cf.edge.server_port in {2082 2083 2086 2087 2095 2096}))

BLOCK

[Screenshot: Universal POST Bomb, 2026-04-07]


Rule #5: Managed Challenge (The Low-Friction Filter)

If a visitor isn’t from a “preferred” country but they don’t appear to pose a threat, they can visit the site IF they pass the Managed Challenge.

When incoming requests match…

(not ip.src.country in {"NZ" "AU"}) and not (cf.client.bot or ip.src in $admin_whitelist or ip.src.asnum in {approved ASN numbers})

Managed Challenge

[Screenshot: Managed Challenge, 2026-04-07]

Rule #6: Global Rate Limit – 100/min

When incoming requests match…

(http.host eq "yourdomain.co.nz") and (http.request.uri.path in {"/wp-login.php" "/xmlrpc.php"})

BLOCK

[Screenshot: Rate Limiting, 2026-04-07]
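To make the top-to-bottom evaluation (and the warning that Rules #1 and #2 must stay at the top) concrete, here is an added Python model of the five custom rules. It is not Cloudflare's rule engine and not code from this page; the whitelist IP (203.0.113.10), the approved ASN (64496, a private-use ASN), the Request objects and the labels are all constructed, and only a few of the ASNs from the Rule #3 and Rule #4 lists are carried over. Each rule is a predicate in the page's order, the first match decides the action, and evaluate_misordered() runs the same rules with the two SKIP rules pushed to the bottom, which is enough to turn a New Zealand login from an ASN that appears in Rule #3's list (13335 is one) from a SKIP into a BLOCK.

```python
"""Top-to-bottom evaluation of the page's five custom security rules.
Added example, not Cloudflare's engine; all IPs, ASNs and requests are constructed."""
from dataclasses import dataclass

ADMIN_WHITELIST = {"203.0.113.10"}   # stands in for $admin_whitelist (documentation IP)
APPROVED_ASNS = {64496}              # stands in for {approved ASN numbers} (private-use ASN)
PRIORITY_COUNTRIES = {"NZ", "AU"}
SITE_HOST = "yourdomain.co.nz"
RULE3_ASNS = {13335, 14061, 8075, 20473}     # subset of Rule #3's ASN list
RULE4_ASNS = {16509, 24940, 14061, 13335}    # subset of Rule #4's ASN list
RULE3_PATHS = ("/wp-login.php", "/xmlrpc.php", "/alfacgiapi/", "/ALFA_DATA/",
               "/packages/", "ckupload.php", "ckeditor/upload.php", ".sql",
               ".env", "/cpanel", "/whm", "/webmail", "/.git/", ".json")
CPANEL_PORTS = {2082, 2083, 2086, 2087, 2095, 2096}

@dataclass
class Request:
    """The request fields the page's expressions read, as one constructed object."""
    path: str
    method: str = "GET"
    host: str = SITE_HOST
    ip: str = "198.51.100.20"          # not whitelisted
    asn: int = 64500                   # not approved, not in any block list
    country: str = "NZ"
    user_agent: str = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
    referer: str = ""
    verified_bot: bool = False         # cf.client.bot
    edge_port: int = 443               # cf.edge.server_port
    query: str = ""

def trusted(r):
    """The 'not a threat' clause shared by Rules #3, #4 and #5."""
    return r.verified_bot or r.ip in ADMIN_WHITELIST or r.asn in APPROVED_ASNS

def rule1_admin_access(r):
    admin_path = ("admin-ajax.php" in r.path or "/wp-admin/" in r.path
                  or "/wp-json/" in r.path or r.path == "/wp-cron.php")
    return admin_path and (r.ip in ADMIN_WHITELIST or r.asn in APPROVED_ASNS
                           or "WP-Rocket" in r.user_agent)

def rule2_priority_bypass(r):
    return (r.host == SITE_HOST
            and (r.country in PRIORITY_COUNTRIES or trusted(r))
            and (r.path in ("/wp-login.php", "/xmlrpc.php") or "admin-ajax.php" in r.path))

def rule3_directory_shield(r):
    overseas_or_listed = ((r.host == SITE_HOST and r.country not in PRIORITY_COUNTRIES)
                          or r.asn in RULE3_ASNS)
    target = (any(p in r.path for p in RULE3_PATHS) or "curl" in r.user_agent
              or any(h in r.host for h in ("cpanel.", "whm.", "webmail."))
              or "rest_route=" in r.query)
    return not trusted(r) and overseas_or_listed and target

def rule4_post_bomb(r):
    return (r.method == "POST" and not trusted(r)
            and (r.asn in RULE4_ASNS
                 or r.path in ("/wp-comments-post.php", "/xmlrpc.php", "/wp-login.php")
                 or (SITE_HOST not in r.referer and "WordPress" not in r.user_agent)
                 or len(r.user_agent) < 45
                 or r.edge_port in CPANEL_PORTS))

def rule5_managed_challenge(r):
    return r.country not in PRIORITY_COUNTRIES and not trusted(r)

# List order is evaluation order; the first match decides the action.
RULES = [
    ("Rule #1 Admin Team Access", rule1_admin_access, "SKIP"),
    ("Rule #2 Priority Bypass", rule2_priority_bypass, "SKIP"),
    ("Rule #3 Master Directory & Cart Shield", rule3_directory_shield, "BLOCK"),
    ("Rule #4 Universal Post Bomb", rule4_post_bomb, "BLOCK"),
    ("Rule #5 Managed Challenge", rule5_managed_challenge, "MANAGED_CHALLENGE"),
]

def evaluate(r, rules=RULES):
    """Return (rule name, action) for the first matching rule, else (None, 'ALLOW')."""
    for name, matches, action in rules:
        if matches(r):
            return name, action
    return None, "ALLOW"

def evaluate_misordered(r):
    """The mistake the page warns about: the two SKIP rules placed below the others."""
    skips = [x for x in RULES if x[2] == "SKIP"]
    rest = [x for x in RULES if x[2] != "SKIP"]
    return evaluate(r, rest + skips)

if __name__ == "__main__":
    samples = {
        "WP Rocket preload": Request("/wp-admin/admin-ajax.php", user_agent="WP-Rocket/3.17 preload"),
        "overseas scanner": Request("/.env", country="DE", user_agent="curl/8.4.0"),
        "NZ login": Request("/wp-login.php"),
        "comment flood": Request("/wp-comments-post.php", method="POST", asn=16509),
        "overseas reader": Request("/", country="DE"),
        "NZ login via AS13335": Request("/wp-login.php", asn=13335),
    }
    for label, req in samples.items():
        print(f"{label:22} ordered={evaluate(req)[1]:18} misordered={evaluate_misordered(req)[1]}")
```

Running it prints one line per sample; the last one is the friendly-fire case, SKIP in the page's order and BLOCK once the skip rules sit below Rule #3. Substituting your own whitelist, ASNs and a few real requests from your event log is a cheap way to check a draft rule set before deploying it.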

AI Rules Validation and Deployment

Because every website has variations in hosting, plugin and theme versions, configuration, and structure, a “one size fits all” approach to Security Rules is hard to achieve in practice and unlikely to be fully effective. The botnets that might have a crack at your website are likely to be a different mix from mine. Our ISP is probably different. At the same time, there are some “common denominators” in terms of likely targets for most attackers: xmlrpc.php, wp-login.php, and the like.

If you take my rules above, you can use Gemini AI to assess your structure, determine your ISP’s ASN numbers, take your software into account, and revise the initial rules. Then you can create the Rules and load the revised expressions, using the illustrations above to ensure you have the correct options selected for SKIP, BLOCK and Managed Challenge.

Step One: Create the Rules in your Cloudflare Account

Once you have created your free Cloudflare account and have your domain operating on Cloudflare:

  • Create each rule and configure it exactly as described and shown in the illustrations above BUT use the “Save as a Draft” option and don’t Deploy it yet.
  • Make sure your new rules are in the correct order or sequence.

How to use Generative AI to Validate your 5 new Security Rules?

To help you with that, I’m going to share my Gemini AI prompt below.

  • Copy the text file below into Notepad.
  • Fill in the missing elements (IP Address, ISP, Server IP Address etc).
  • Open Gemini AI.
  • Paste in the Prompt list in the normal window – you don’t need to choose “Deep Research”.

TO: Gemini
Your Role: You are a Cloudflare cybersecurity consultant with experience in WordPress security.
From: [your name]
My Role: 
Subject: Security Rules for: [yourdomainname.co.nz] 

Constants:
1. Server IP Address: [IP address]
2. Owner IP Address: [IP address]
3. Owner ISP Name: [ISP name]
4. Cloudflare: [FREE plan]
5. Technical Support: [ISP ASN, if you have a website maintenance provider]
6. Business Head Office: [NZ]
7. Customers In: [NZ]
8. Website: www.yourdomainname.co.nz
9. Platform: WordPress
10. Woocommerce: [NO]
11. Caching: [WP Rocket Cache, Super Page Cache, Asset Cleanup to deactivate XML RPC] (Delete N/A)
12. Cloudflare Security Rules: [To be Applied/already applied] (delete N/A)
- Rule #1  Admin Team Access: ensure passage for WP Rocket Caching, Updraftplus Backups, ManageWP, Wordfence etc.
- Rule #2  The Priority Bypass (Allow Rule)
- Rule #3  Master Directory & Cart Shield
- Rule #4  Universal Post Bomb
- Rule #5  Managed Challenge (The Low-Friction Filter)
- Security installed: [Wordfence Security, Sucuri, BBQ, Loginizer] (delete N/A)
13. Cloudflare Cache Rules: [To be Applied/already applied] (delete N/A)
14. Backups: [Updraftplus]
---------------------------------------------------------
Known Issues: do you have problems or issues to report? Like cron not working, backups or scans failing?
------------------------------------

Instructions:
Step 1: Whitelist: 
From the constants above for server IP, Owner IP, check the list of IP Addresses and find their ASN numbers.
Then replace the text string "approved ASN numbers" in the initial rules with the correct ASN numbers.

Step 2: Security Rules
1. Please review the 5 Security Rules below.
2. For each rule, ensure the server IP, $admin_whitelist and {approved ASN numbers} are implemented where appropriate.
3. For each rule, ensure the correct domain name is used.
4. Look for and repair any syntax errors.
5. http.request.uri.path: Don't DROP any "http.request.uri.path" listed. These are under attack on multiple NZ websites.
6. http.user_agent: Don't DROP any "http.user_agent" listed. I know this application needs protection to function.
7. Where revision is needed, provide the FULL updated expression for the Rule.
---------------------------------------

Rule #1  Admin Team Access for Backups, Caching etc
When incoming requests match…
((http.request.uri.path contains "admin-ajax.php" or http.request.uri.path contains "/wp-admin/" or http.request.uri.path contains "/wp-json/" or http.request.uri.path eq "/wp-cron.php") and (ip.src in $admin_whitelist or ip.src.asnum in {approved ASN numbers} or http.user_agent contains "WP-Rocket"))
SKIP
Log matching Requests
------------------------------------------------

Rule #2  The Priority Bypass (Allow Rule)
When incoming requests match…
(http.host eq "yourdomain.co.nz" and (ip.src.country in {"NZ" "AU"} or cf.client.bot or ip.src in $admin_whitelist or ip.src.asnum in {approved ASN numbers})) and (http.request.uri.path in {"/wp-login.php" "/xmlrpc.php"} or http.request.uri.path contains "admin-ajax.php")
SKIP
Log matching requests
WAF components to skip
- All remaining custom rules
- All rate limiting rules
- All managed rules
- All Super Bot Fight Mode Rules
More components to skip
- Zone Lockdown
- User Agent Blocking
- Browser Integrity Check
- Hotlink Protection
- Security Level
- Rate limiting rules (Previous version)
- Managed rules (Previous version)
------------------------------------------------

Rule #3  Master Directory & Cart Shield
When incoming requests match…
(not cf.client.bot and not ip.src in $admin_whitelist and not ip.src.asnum in {approved ASN numbers}) and ((http.host eq "yourdomain.co.nz" and not ip.src.country in {"NZ" "AU"}) or (ip.src.asnum in {13335 14061 8075 31898 51396 396982 40021 209605 201814 141995 213230 39642 394089 212238 60068 213438 215607 48090 51167 45090 33182 12876 9541 20473})) and (http.request.uri.path contains "/wp-login.php" or http.request.uri.path contains "/xmlrpc.php" or http.request.uri.path contains "/alfacgiapi/" or http.request.uri.path contains "/ALFA_DATA/" or http.request.uri.path contains "/packages/" or http.request.uri.path contains "ckupload.php" or http.request.uri.path contains "ckeditor/upload.php" or http.request.uri.path contains ".sql" or http.request.uri.path contains ".env" or http.user_agent contains "curl" or http.request.uri.path contains "/cpanel" or http.request.uri.path contains "/whm" or http.request.uri.path contains "/webmail" or http.host contains "cpanel." or http.host contains "whm." or http.host contains "webmail." or http.request.uri.query contains "rest_route=" or http.request.uri.path contains "/.git/" or http.request.uri.path contains ".json")
Then take action…
BLOCK
------------------------------------------------

Rule #4  Universal Post Bomb
When incoming requests match…
(http.request.method eq "POST") and not (cf.client.bot or ip.src in $admin_whitelist or ip.src.asnum in {approved ASN numbers}) and ((ip.src.asnum in {210558 26548 202412 45102 47583 39351 16276 16509 24940 31898 51396 14061 13335 396982 40021 8075 209605 201814 141995 213230 39642 394089 212238 60068 213438 396356 21859 211590 216071}) or (http.request.uri.path in {"/wp-comments-post.php" "/xmlrpc.php" "/wp-login.php"}) or (not http.referer contains "yourdomain.co.nz" and not http.user_agent contains "WordPress") or (len(http.user_agent) < 45) or (cf.edge.server_port in {2082 2083 2086 2087 2095 2096}))
BLOCK
------------------------------------------------

Rule #5  Managed Challenge (The Low-Friction Filter)
When incoming requests match…
(not ip.src.country in {"NZ" "AU"}) and not (cf.client.bot or ip.src in $admin_whitelist or ip.src.asnum in {approved ASN numbers})
Managed Challenge
------------------------------------------------

The output from Gemini will include the usual excess of text, but each of the 5 rules should now be revised with your server IP, $admin_whitelist and the ASN Numbers for your Internet Service Provider/s.

  • For each rule, copy the updated expression into the correct rule in your Cloudflare account.
  • Deploy each rule as you update it.
  • Ensure all Rules are in the correct order!!!
[Screenshot: 5 Security Rules, 2026-04-07]

Within minutes, you will probably see the “events” counter growing on the two usual attack areas of your site.

[Screenshot: Security Rules Showing Events, 2026-04-07]

You can click the chart areas and open the list of events…

[Screenshot: Firewall Event Logs, 2026-04-07]

You can click on any Event and view exactly what was happening…

[Screenshot: Security Event Details, 2026-04-07]
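Before handing a downloaded event log to Gemini (step 3 of the “Zero-Load Stack” above), it helps to pre-summarise it so the questions you ask are specific: which ASNs and paths each rule is catching, which source IPs would trip the 100-per-minute idea behind Rule #6, and whether any of the matches are friendly fire. The Python below is an added example, not the page's own tooling and not Cloudflare's export format: the JSON-lines layout, its field names, the IP addresses (documentation ranges), the ASNs and the timestamps are all constructed for the example, so map the field names onto whatever your own export contains.

```python
"""Pre-summarise a batch of security-event records for analysis.
Added example; the record layout and every value in it are constructed."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ADMIN_WHITELIST = {"203.0.113.10"}            # stands in for $admin_whitelist
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}   # the paths Rule #6 rate-limits

def _rec(ts, ip, asn, country, path, method, ua, rule, action):
    return json.dumps({"ts": ts, "ip": ip, "asn": asn, "country": country, "path": path,
                       "method": method, "ua": ua, "rule": rule, "action": action})

# Constructed sample export, one JSON object per line (not Cloudflare's schema).
_BASE = [
    _rec("2026-04-07T10:00:01Z", "198.51.100.7", 14061, "DE", "/xmlrpc.php", "POST", "python-requests/2.31", "Rule #4", "block"),
    _rec("2026-04-07T10:00:03Z", "198.51.100.9", 16509, "US", "/.env", "GET", "curl/8.4.0", "Rule #3", "block"),
    _rec("2026-04-07T10:00:09Z", "198.51.100.9", 16509, "US", "/.git/config", "GET", "curl/8.4.0", "Rule #3", "block"),
    _rec("2026-04-07T10:01:12Z", "192.0.2.44", 13335, "SG", "/", "GET", "Mozilla/5.0 (browser)", "Rule #5", "managed_challenge"),
    # Two records that look like friendly fire: a whitelisted admin IP being challenged,
    # and the cache preloader's own user agent being blocked.
    _rec("2026-04-07T10:02:00Z", "203.0.113.10", 64496, "US", "/wp-admin/", "GET", "Mozilla/5.0 (browser)", "Rule #5", "managed_challenge"),
    _rec("2026-04-07T10:02:30Z", "192.0.2.80", 64500, "NZ", "/wp-cron.php", "POST", "WP-Rocket/3.17 preload", "Rule #4", "block"),
]
# A login burst: eight POSTs from one IP inside a single minute.
_BURST = [_rec((datetime(2026, 4, 7, 10, 5, 0) + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
               "198.51.100.7", 14061, "DE", "/wp-login.php", "POST", "python-requests/2.31", "Rule #4", "block")
          for i in range(8)]
SAMPLE_EXPORT = "\n".join(_BASE + _BURST)

def parse_events(text):
    """Parse a JSON-lines export into dicts, adding a datetime under 'when'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["when"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def top_by_rule(events, n=3):
    """For each rule, the most frequent source ASNs and request paths it matched."""
    asns, paths = defaultdict(Counter), defaultdict(Counter)
    for e in events:
        asns[e["rule"]][e["asn"]] += 1
        paths[e["rule"]][e["path"]] += 1
    return {rule: {"asn": asns[rule].most_common(n), "path": paths[rule].most_common(n)}
            for rule in asns}

def login_rate_offenders(events, per_minute):
    """IPs whose hits on the login endpoints in any one calendar minute reach per_minute."""
    buckets = Counter()
    for e in events:
        if e["path"] in LOGIN_ENDPOINTS:
            buckets[(e["ip"], e["when"].replace(second=0))] += 1
    peak = {}
    for (ip, _minute), count in buckets.items():
        peak[ip] = max(peak.get(ip, 0), count)
    return {ip: c for ip, c in peak.items() if c >= per_minute}

def friendly_fire(events):
    """Events that challenged or blocked traffic the SKIP rules should have let through."""
    return [e for e in events
            if e["action"] != "skip"
            and (e["ip"] in ADMIN_WHITELIST or "WP-Rocket" in e["ua"])]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for rule, stats in sorted(top_by_rule(evs).items()):
        print(rule, stats)
    print("login-rate offenders (>= 6/min in this small sample):", login_rate_offenders(evs, per_minute=6))
    for e in friendly_fire(evs):
        print("possible friendly fire:", e["rule"], e["ip"], e["ua"], e["path"])
```

The friendly-fire check is the one to run first after deploying: a whitelisted IP or the WP-Rocket user agent appearing under any BLOCK or Managed Challenge rule means the skip rules are missing an IP or ASN, or are not at the top of the list. The per-minute threshold is a parameter so the same function works on a real day's export with the page's 100/min figure.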

Coming Soon: Using Gemini AI to Reverse-Engineer Botnet Attack Patterns
