A little while ago I wrote a post titled ‘How to block Contact Form 7 spam with Cloudflare‘. This explained how I use Cloudflare’s WAF rules to prevent any spam form submissions coming through with the popular Contact Form 7 plugin for WordPress. Even if you don’t use Contact Form 7, I’d highly encourage you to read that article for a better understanding of what I’ll cover today. To avoid repetition I won’t go into as much detail about Cloudflare WAF rules with WordPress. However, without further ado, let’s jump in!
What are Cloudflare’s WAF rules?
Cloudflare’s Web Access Firewall (WAF) rules are simply rules that you can apply to incoming traffic, typically used to identify and challenge potential spam or other malicious visitors. Using Cloudflare WAF rules with WordPress allows you to boast incredibly effective security, without bloating your site with third-party scripts or intrusive CAPTCHAs.
The way we’ll be utilising WAF rules today is by identifying a specific endpoint through which all comments are submitted and then setting an explicit rule for all traffic going to that endpoint. This rule will ensure that all submissions are verified with Cloudflare’s managed challenge.
WAF rules for securing WordPress comments
I’m assuming that you have a WordPress website with comments enabled on your posts and that you have your traffic proxied through Cloudflare’s DNS, with access to the Cloudflare dashboard.
Inside your Cloudflare dashboard, select the domain for which you’re setting these rules up, and navigate to the WAF category.
On the WAF page, select ‘Create Rule’ to begin setting up the rule for blocking comment spam. From here, you’ll need to do the following:
- Give the rule an appropriate name for what it does
- Set the following criteria for matching a request:
- Field:
URI
- Operator:
contains
- Value:
comments-post.php
- Field:
- Set the action as
Managed Challenge
With all of the fields set how I’ve listed above, and the rules deployed, you should have something that looks similar to this (This is my actual rule which is in effect right here on this website!):
The Managed Challenge
option is my suggested action due to a balance of security and user experience. While it does add a brief pause for the user to wait for the submission, most of the time it requires no further inputs and, throughout the thousands of attempted spam comment submissions my site has had since its implementation, 0 have gotten through.
Testing the WAF rule for WordPress comments
After you’ve deployed this new rule, I’d recommend waiting a few minutes, as these rules don’t always take effect straight away. Once you’re ready though, you can now test it. Testing is as simple as attempting to leave a comment on the blog in which you’ve set this up. Upon submitting the form, you should see the page redirect to a brief holding screen with Cloudflare. Once you’ve been verified, you’ll then ping straight back to the page you came from, and everything will work as normal.
If you’ve waited a while and you’re not seeing the Cloudflare WAF rules in action, there are a few reasons that this could be:
- Ensure Cloudflare is set up correctly and is proxying your traffic.
- Ensure the rule has the correct settings, as per the guidance above.
- If you’ve implemented larger customisations or URL rewrites, your URI might be slightly different. If you’re not sure what this means, it’s likely not the cause.
Closing thoughts
I recommend this approach to a lot of people because of the speed and security it offers. While CAPTCHAs can be effective, I’ve never had an issue using Cloudflare’s WAF on its own. If you’re interested in implementing CAPTCHAs instead, you can even try Cloudflare’s CAPTCHA service if, like me, you use Cloudflare for your DNS.
I hope this has been of some help in making your WordPress website more secure and less bloated. If you haven’t already, I’d still recommend checking out my article on using Cloudflare WAF with Contact Form 7. Otherwise, thank you for reading.
Leave a Reply