Free Cloudflare WAF Initial Review

After experimenting with .htaccess files to lock down my blog, I decided to try Cloudflare's free offering as a simple WAF to protect the blog and to get more detail about who is talking to it.

I’m still working on configuring Cloudflare and I may have more to say after I get more time to get used to the interface and make some more tweaks.

One of the most important things I wanted to do was lock down /wp-login.php, /wp-admin, and /xmlrpc.php the way I had been doing with .htaccess.

I was able to get the same lockdown functionality working relatively quickly using the WAF security rules.

Over on the left-hand side, navigate to Security -> WAF.

I used their Zone Lockdown template and blocked access to those paths from everyone except my IP address, which can be edited later if it ever changes or if I'm travelling and want to update the blog.
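For reference, here is the same policy written as a Cloudflare custom rule expression. This is an added example, not the rule from the original post or anything Cloudflare ships; the allowed address 203.0.113.10 is a placeholder from the documentation range, and the rule assumes WordPress lives at the site root.

```text
# Constructed example: a Cloudflare custom rule (Security -> WAF -> Custom rules)
# with the action set to Block. Requests to the admin endpoints are blocked
# unless they come from the one allowed address (placeholder, replace it).
(
  http.request.uri.path eq "/wp-login.php"
  or http.request.uri.path eq "/xmlrpc.php"
  or starts_with(http.request.uri.path, "/wp-admin")
)
and not ip.src in {203.0.113.10}
```

Two things to check after enabling a rule like this: the rule only sees traffic that is proxied through Cloudflare (an orange-cloud DNS record), so a request sent straight to the origin IP never hits it, and blocking all of /wp-admin also blocks /wp-admin/admin-ajax.php, which some themes and plugins call for anonymous visitors. If the front end breaks for logged-out readers, add an exception for that one path rather than loosening the whole rule.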

Another lesson learned: you can no longer use your domain name to SSH to your server, because Cloudflare will not proxy it. So I created an SSH subdomain on my domain in Cloudflare and set it to DNS only.

You might say this defeats the whole purpose of Cloudflare because now somebody can learn your IP address, and to a certain extent that is true. However, I have Apache configured so that anyone who browses by IP address gets a 403 from an .htaccess file in a different web directory.
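The same behaviour can be expressed directly in the Apache virtual host configuration instead of an .htaccess file. This is an added example, not the author's configuration; the hostnames, ports and document roots are assumptions, and it relies on Apache's rule that the first virtual host listed for an address and port is the default for any request whose Host header matches no ServerName, which is exactly what a request by bare IP looks like.

```apache
# Constructed example, not the original post's config.
# The first <VirtualHost> is the catch-all: requests with no matching Host
# header (for example a browse by raw IP) land here and get a 403.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/default
    <Directory /var/www/default>
        Require all denied
    </Directory>
</VirtualHost>

# The real blog is only served when the client asks for it by name, so a
# visitor who knows the origin IP still cannot pull the site from it.
<VirtualHost *:80>
    ServerName blog.example.com
    DocumentRoot /var/www/blog
    <Directory /var/www/blog>
        Require all granted
    </Directory>
</VirtualHost>
```

Repeat the same pair for port 443 if the origin terminates TLS; a request by IP over HTTPS will otherwise be answered by whichever 443 virtual host comes first. Bear in mind that the 403 only stops the blog from being served by IP, it does not hide the fact that a web server is listening there, so the WAF rules above still only protect traffic that actually passes through Cloudflare.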