Hardening a WordPress website using Cloudflare

As we all know, the loading speed of a website is one of the key factors for a higher search engine ranking today. Since no one likes slow-loading websites, Google tries to fix this by pushing them down on the search results page. For this reason, we have to keep our server or VPS as fast as possible. One of the worst annoyances on the web are crawler, spider and spam bots that scan your website and try to find something interesting for them. Every unnecessary request to your website takes up resources and CPU time of your server or VPS. Every unnecessary request to your website takes up resources and CPU time of your server or VPS, which inevitably leads to a slowdown of the server.

WordPress CMS-based websites typically suffer from three types of requests:

1) Someone is sending you a pingback / trackback request, and it doesn’t matter if you have disabled pinging from other blogs, you will still receive those requests.

2) Another type of garbage traffic comes from bots and scanners trying to gain access to your admin panel located at “wp-login.php”. These bots usually use easy-to-guess usernames such as “admin” or “user” or “1234”. In most cases, these brute force bots do not succeed and will never guess your password, but you will still get these requests.

3) A spam bot tries to find a form where it can leave a comment with a spam link to a trashy website, also known as comment spam.

In this article, we will use Cloudflare’s free website protection to block all useless requests to our website. This saves server resources such as CPU time, which makes our website faster.

For those who are not familiar with Cloudflare: Simply put, Cloudflare is a wall between your website and the Internet. It filters bad bots, scanners, sniffers, and other types of non-human traffic. Apart from that, Cloudflare optimizes your website with important features like compression, minimization, SSL, cache and some other useful functions to increase the speed. And best of all: Cloudflare doesn’t cost you a penny. Yes, they also offer paid services for corporate websites and for customers who need more features. However, as long as you run a medium-sized website with less than 1 million monthly visitors, you are good to go with the free plan offered by Cloudflare. To understand what else Cloudflare is doing, please read their introductory page: https://www.cloudflare.com/learning/what-is-cloudflare/

After you’ve set up Cloudflare protection on your website, you can begin with Hardening a WordPress website using Cloudflare.

First of all, we have to block all requests to two files that are frequently accessed by thousands of bots every month.

These are: “xmlrpc.php” and “wp-trackback.php”.

One of the “surefire solutions” to stop pingbacks is to delete “wp-trackback.php” and “xmlrpc.php” files. The problem, however, is that we continue to receive requests from spam bots, even if these files do not exist and will be served as a “404” error. The 404 error page also requires server resources to be delivered.For this reason, blocking these files with Cloudflare is still a better solution than just deleting them.

So lets block them:

1) Prevent bots from pinging your WordPress-based website

Login your Cloudflare control panel and go to “Firewall” -> Firewall Rules -> Create a Firewall rule.

Now we have to create a firewall rule, we call it “blocking pingbacks”.

Now we define the conditions of what is blocked and when.

When incoming requests match…

Field: URI Path

Operator: Contains

Value: xmlrpc.php


Field: URI Path

Operator: Contains

Value: wp-trackback.php


Choose an action: Block

After that, no one has access to the two files xmlrpc.php and wp-trackback.php. This way, these files no longer have to be delivered from our server, and we save CPU time, which essentially affects the loading speed of the website.

2) Prevent Bruteforcer from accessing your WordPress administration panel.

Let’s go to another trouble spot and this WordPress admin panel, which is scanned around the clock by brute forcers.

For the admin panel, we can use the solution from the first step and completely disable access for everyone. But we can also use a more elegant solution: block everyone except me. To achieve this, we need to know our IP address or IP range if you use dynamic IP at home. To find out your IP or IP range, you need to visit one of the many websites that display your IP address, I prefer this one https://bgp.he.net/

Now you need to write down your IP range that looks like, or your IP that looks like

Go to Cloudflare control panel and create a new rule.

Login your Cloudflare control panel and go to “Firewall” -> Firewall Rules -> Create a Firewall rule.

When incoming requests match…

Field: URI Path

Operator: Contains

Value: wp-login.php


IP Adress is not in (in case you are using your IP range)

If you want to restrict access to only one IP address, replace the IP range with a single IP address.

IP adress does not equal (in case you are using your IP address)


Choose an action: Block

After that, only you can access the WordPress Administration panel and no one else.

Note: If you log into your WordPress admin panel from different IP addresses, you can restrict access to the administrator panel by country in which you are located. This will block visitors from all other countries except yours.

3) Prevent comment spammers from spamming your website

For this purpose, it is advisable to deactivate the native WordPress comment system and switch to a comment system offered by third parties such as the Facebook comment system or the Disqus comment system.

This step brings two useful benefits: The first is that your visitors are more likely to comment on your posts because they don’t have to register on your blog to leave a comment. Instead, they can use their social network account such as Facebook, Twitter or Google. The second useful feature is that these comment systems are much better protected from spam bots and you can moderate all of your comments in one place – your Disqus control panel. Similar to Akismet spam protection, Disqus has its own database with bad IPs and comment spammers, so that comments from all IPs known for posting comment spam are marked as spam. Facebook comments as well as Disqus comments are indexed by search engines, so you don’t have to worry about your SEO

Let’s summarize what we have

What do we have in the end?
1) Pingback spammers no longer reach your site, so your server will be kept out of trouble.

2) Your WordPress administration panel can only be accessed via the IP address that belongs to your home network.

3) Comment spammers are less likely to leave spam comments on your blog because the native WordPress comment system is disabled or completely removed from your website.

After blocking bot traffic, you can see in your Cloudflare control panel how many bots tried to access your admin panel and have been blocked.

Leave a Reply

Your email address will not be published.