Introduction
Yesterday, one of our developers shared a quick post on Reddit’s r/WordPress community titled “3 Free and Simple Cloudflare Rules to Protect WordPress.” – Link
To our surprise, it took off immediately – thousands of WordPress users loved it for its simplicity and effectiveness. The post quickly started trending, showing that WordPress security is a hot topic among website owners.
That overwhelming response inspired us to turn that Reddit post into a comprehensive blog guide with expanded explanations, configuration examples, and expert tips you can apply right away to secure your WordPress site with Cloudflare’s free plan.
Reddit Post Performance: How the Community Reacted
Our original Reddit post gained impressive traction within just 48 hours — showing how relevant and valuable Cloudflare-based WordPress protection really is.
Here are the highlights:
-
33,000+ views in the first 48 hours
-
468 shares across Reddit and other platforms
-
104 upvotes with a 93.3% upvote ratio
-
33 insightful comments from WordPress users and developers
-
Top countries by reach:
-
🇺🇸 United States: 29.7%
-
🇬🇧 United Kingdom: 8.6%
-
🇨🇦 Canada: 6.9%
-
As one Reddit user commented:
“We host 99 % of our clients and use Cloudflare for everyone. We just started only allowing US unless they really need exposure outside the US. The amount of bandwidth and traffic we’ve eliminated on our servers from spam is palpable. Wish we did this sooner.”
This engagement confirmed that there’s a clear need for practical, easy-to-follow security solutions for WordPress especially ones that don’t rely on heavy plugins or paid tools.
So here it is the full version of that viral Reddit post, with extra detail, real-world context, and expert guidance from our team.
In this post we’ll walk you through each rule, explain why it matters, show how to implement it, and highlight potential side-effects and workarounds. At the end, if you’d rather let an expert handle the setup, we’ll show how CodeRise Technologies can help.
Cloudflare Rules to Protect WordPress
Rule 1: Limit Access to /wp-login.php and /wp-admin/ to Known IPs or Trusted Countries
Your login page is the primary target for bots and brute-force attempts. By blocking or challenging everyone except trusted IPs or countries, you immediately reduce load on your server and stop volume attacks in their tracks. We will need to exclude wp-admin/admin-ajax.php from this rule as it’s required for frontend and other api calls.
How to implement
In Cloudflare, navigate to Account Home -> Select Domain -> Security -> Security rules section and click ‘Create rule’
Then, create a rule matching to allow access for specific countries or IP addresses e.g.
By Country:
(
http.request.uri.path contains "/wp-login.php" or
(http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php")
)
and not (ip.geoip.country in {"US" "UK"})
By IP address:
(
http.request.uri.path contains "/wp-login.php" or
(http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php")
)
and not (ip.src in {203.0.113.45 198.51.100.10})
Note: Please make sure to update the country or IP to match your requirements
Pro Tip
If your team is remote and uses dynamic IPs, consider allowing by country or use Cloudflare Access (Zero Trust) rather than strict IP whitelisting.
Rule 2: Block or Challenge xmlrpc.php Requests
The file xmlrpc.php is a legacy endpoint in WordPress that attackers still exploit for brute-force and DDoS, especially if you don’t use it. Rather than relying on a plugin, you can stop the request at Cloudflare’s edge.
How to implement
Create a firewall rule where:
(http.request.uri contains "/xmlrpc.php")
OR (http.request.uri.path eq "/wp-includes/" AND NOT http.referer contains "yourdomain.com")
Action: set to Managed Challenge (free plan) or Block if you are certain you don’t need the endpoint.
Pro Tip
If you are using mobile WordPress apps or Jetpack, keep a backup plan: audit whether xmlrpc.php is needed, or use alternative REST endpoints, before blocking completely.
Rule 3: Geo-Block or Challenge Traffic from Untrusted Countries
If your website serves a specific region (for example, North America), most of the malicious traffic may come from other geographies. By challenging or blocking countries you don’t expect traffic from, you reduce spam, bot load and resource waste.
How to implement
Firewall rule:
ip.src.country is not in {"US","CA","UK"}
Action: Managed Challenge or Block depending on risk tolerance.
Caveats
-
If you have legitimate international visitors, be sure not to lock them out inadvertently.
-
Always whitelist bots (like Google-bot) and ensure you’re not harming SEO.
-
Monitor Cloudflare logs for false-positives.
Bonus: Enable Cloudflare CDN, Caching & HTTPS Rewrite
Once your firewall rules are in place, turn on key performance/security features in Cloudflare:
-
Always Use HTTPS = redirect all HTTP traffic to HTTPS
-
Automatic HTTPS Rewrites = ensures mixed-content issues are addressed
-
Enable Caching for static assets (CSS, JS, images), and page cache where possible
-
Consider enabling Bot Fight Mode for added bot protection (but test your site for any JS-heavy features)
Why This Approach Works (and Outperforms Plugins)
-
Edge protection: The rules run at Cloudflare’s edge, so malicious traffic is dealt with before it hits your server, reducing load, cost and risk.
-
Minimal plugin overhead: No heavy security plugin required; fewer plugins means smaller attack surface and faster site.
-
Layered strategy: Firewall rules + CDN + caching + optional plugin = a defence-in-depth model that Google likes because it signals quality and reliability.
-
Performance boost: Caching and CDN speed up your site globally, improving user experience and SEO metrics like Core Web Vitals.ents
Want Us to Handle It For You?
If you’d rather let the experts take care of everything, here’s what CodeRise Technologies offers:
🎯 Our $99 USD Service Package (Cloudflare rules for WordPress) Includes:
-
Full Cloudflare Free-Plan configuration (DNS, proxy, caching)
-
Implementation of the three firewall rules above — tailored to your site’s traffic and geography
-
A 30-day monitoring & support period to review blocked traffic and false positives
Call-to-Action:
Contact us today and let us secure your WordPress site so you can focus on building your business not fighting bots.
Conclusion
You now have a robust, low-cost approach to securing and accelerating your WordPress site using Cloudflare. It’s popular, trusted by professionals, and completely compatible with the free tier. With the rules above implemented, you’ll reduce bot/spam traffic, improve server performance and build a stronger foundation for SEO and uptime.