Security: WAF rule setup (Free plan)
Go to the Cloudflare dashboard
Select the site → Security → WAF → Firewall Rules → Create rule
For each rule:
Add the expression (Edit expression)
Set the action to Block or JS Challenge
Name the rule → save and enable it
Several practical rules follow:
1. [Block common backdoor script paths (add more below based on your site's scan logs)]
Rule name: Block Common Backdoor PHP
Old form:
(http.request.uri.path contains "/shell.php" or
http.request.uri.path contains "/wp-error_log.php" or
http.request.uri.path contains "/bak.php" or
http.request.uri.path contains "/mail.php" or
http.request.uri.path contains "/themes.php" or
http.request.uri.path contains "/xmrlpc.php" or
http.request.uri.path contains "/xqwfanri.php" or
http.request.uri.path contains "/db.php" or
http.request.uri.path contains "/apikey.php" or
http.request.uri.path contains "/up.php")
Action: Block
Explanation: collects and blocks the backdoor paths that scanners probe for.
(Note: there are far more such .php files than listed above; collect them from your own site's error logs.)
Below is the new form, which is more precise and less prone to false positives:
(
ends_with(http.request.uri.path, "/db.php") or
ends_with(http.request.uri.path, "/apikey.php") or
ends_with(http.request.uri.path, "/up.php") or
ends_with(http.request.uri.path, "/api.php") or
ends_with(http.request.uri.path, "/style2.php") or
ends_with(http.request.uri.path, "/zyapi.php") or
ends_with(http.request.uri.path, "/connector.php") or
ends_with(http.request.uri.path, "/3ds.php") or
ends_with(http.request.uri.path, "/phpinfo.php") or
ends_with(http.request.uri.path, "/mail.php") or
ends_with(http.request.uri.path, "/info.php") or
ends_with(http.request.uri.path, "/server_info.php") or
ends_with(http.request.uri.path, "/server-info.php") or
ends_with(http.request.uri.path, "/test.php") or
ends_with(http.request.uri.path, "/xqwfanri.php") or
ends_with(http.request.uri.path, "/xmrlpc.php") or
ends_with(http.request.uri.path, "/themes.php") or
ends_with(http.request.uri.path, "/bak.php") or
ends_with(http.request.uri.path, "/wp-error_log.php") or
ends_with(http.request.uri.path, "/shell.php") or
ends_with(http.request.uri.path, "/security.txt")
)
Action: Block
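To see what the switch from contains to ends_with actually changes, here is an added example (not code from the original post) that evaluates both forms of rule 1 against a few constructed paths; the path list is the one from the old form above.

```python
# Added example (not from the original post): compare section 1's old
# "contains" rule with the new "ends_with" rule on constructed paths.

BACKDOOR_NEEDLES = ["/shell.php", "/wp-error_log.php", "/bak.php", "/mail.php",
                    "/themes.php", "/xmrlpc.php", "/xqwfanri.php", "/db.php",
                    "/apikey.php", "/up.php"]

def old_rule_matches(path: str) -> bool:
    """Old form: http.request.uri.path contains "<needle>" (substring anywhere)."""
    return any(needle in path for needle in BACKDOOR_NEEDLES)

def new_rule_matches(path: str) -> bool:
    """New form: ends_with(http.request.uri.path, "<needle>") (needle at the end)."""
    return any(path.endswith(needle) for needle in BACKDOOR_NEEDLES)

# Constructed sample paths. http.request.uri.path never includes the query
# string, so only the path itself is compared.
SAMPLE_PATHS = [
    "/shell.php",            # scanner hit: both forms block
    "/old/db.php.bak",       # needle not at the end: only "contains" blocks
    "/wp-admin/themes.php",  # real WordPress admin page: both forms block it
    "/uploads/image.php",    # unrelated file: neither blocks
]

def compare(paths=SAMPLE_PATHS):
    """Return {path: (blocked_by_old, blocked_by_new)} for each sample path."""
    return {p: (old_rule_matches(p), new_rule_matches(p)) for p in paths}

if __name__ == "__main__":
    for path, (old, new) in compare().items():
        print(f"{path:24} contains={old!s:5} ends_with={new!s:5}")
```

Running it shows that both forms also block /wp-admin/themes.php, the real WordPress theme-management page, so "/themes.php" deserves a second look (or a threat-score condition) on any site whose administrators use it.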
2. [Challenge abnormal UAs]
Rule name: JS Challenge Non-Mozilla UA
(not cf.client.bot and not http.user_agent contains "Mozilla")
Action: JS Challenge
Explanation: this rule is meant to "challenge only unknown UAs and let search-engine crawlers through".
Improved version:
A safer variant: add a threat-score condition to the rule so it does not block too aggressively:
(not cf.client.bot and not http.user_agent contains "Mozilla" and cf.threat_score gt 10)
Suggested action: JS Challenge or Captcha
This avoids blocking legitimate visitors that happen to have unusual UAs (some small tools or weak overseas clients).
3. [Block malicious UAs]
Rule name: Block Malicious UA
(lower(http.user_agent) contains "curl" or
lower(http.user_agent) contains "python" or
lower(http.user_agent) contains "httpclient" or
lower(http.user_agent) contains "wget" or
(http.user_agent contains "bot" and not cf.client.bot))
Action: Block is too harsh; use JS Challenge instead
Improved version:
(
lower(http.user_agent) contains "curl" or
lower(http.user_agent) contains "python" or
lower(http.user_agent) contains "httpclient" or
lower(http.user_agent) contains "wget" or
(http.user_agent contains "bot" and not cf.client.bot) or
http.user_agent eq "" or
http.user_agent eq "-" or
len(http.user_agent) lt 10
)
and cf.threat_score gt 10
and http.request.uri.path contains ".html"
Recommended action: JS Challenge or Captcha Challenge
Suggested rule name: Block Script Bots & Abnormal UA
4. [Challenge abnormal wp-*.php requests (watch for false positives: do not block xunhupay / 迅虎)]
Rule name: JS Challenge Suspicious WP-PHP
(http.request.uri.path contains "/wp-" and http.request.uri.path contains ".php")
Excluding false positives: for example, exclude the admin-ajax file and any path under the wechat-shop directory:
(http.request.uri.path contains "/wp-" and
http.request.uri.path contains ".php" and
not http.request.uri.path contains "wechat-shop" and
not http.request.uri.path contains "admin-ajax")
Action: JS Challenge (do not use Block)
Explanation: attackers often request /wp-shell.php, /wp-2019.php, /wp-error_log.php and similar; this rule stops most malicious paths while letting the wechat-shop path through.
[Improved version]
(
lower(http.request.uri.path) contains "/wp-" and
lower(http.request.uri.path) contains ".php" and
not lower(http.request.uri.path) contains "wechat-shop" and
not lower(http.request.uri.path) contains "admin-ajax"
)
and cf.threat_score gt 10
Suggested action: JS Challenge or Block (depending on attack frequency)
Rule name: Block Suspicious WP PHP Path Access
[Enhanced version] (for stronger protection, e.g. against tool-based probing, it can be extended to:)
(
lower(http.request.uri.path) matches "^/wp-(admin|includes|json|content|config).*\.php" and
not lower(http.request.uri.path) contains "wechat-shop" and
not lower(http.request.uri.path) contains "admin-ajax"
)
Suggested action: JS Challenge or Block (depending on attack frequency)
Rule name: Block Suspicious WP PHP Path Access
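Before enabling either variant of rule 4 it is worth checking the exclusions and the threat-score gate against concrete requests; the following added example (not code from the original post) does that for the improved rule and the enhanced regex rule, using constructed requests (the wechat-shop path is hypothetical).

```python
# Added example (not from the original post): evaluate section 4's improved
# rule and its enhanced regex variant against constructed requests, to check
# the admin-ajax / wechat-shop exclusions and the threat-score gate before
# enabling either rule.
import re
from dataclasses import dataclass

ENHANCED_RE = re.compile(r"^/wp-(admin|includes|json|content|config).*\.php")
EXCLUDES = ("wechat-shop", "admin-ajax")

@dataclass
class Request:
    path: str          # http.request.uri.path
    threat_score: int  # cf.threat_score (0..100)

def improved_rule(req: Request) -> bool:
    """lower(path) contains "/wp-" and ".php", minus exclusions, and score gt 10."""
    p = req.path.lower()
    hit = "/wp-" in p and ".php" in p and not any(x in p for x in EXCLUDES)
    return hit and req.threat_score > 10

def enhanced_rule(req: Request) -> bool:
    """lower(path) matches the wp-* regex, minus exclusions (no score gate)."""
    p = req.path.lower()
    return bool(ENHANCED_RE.search(p)) and not any(x in p for x in EXCLUDES)

# Constructed sample requests (the wechat-shop path is hypothetical)
SAMPLES = {
    "ajax_low":   Request("/wp-admin/admin-ajax.php", 0),  # legit, excluded by name
    "shop_high":  Request("/wechat-shop/wp-pay.php", 60),  # excluded by directory
    "shell_high": Request("/wp-shell.php", 40),            # scanner path, high score
    "shell_low":  Request("/wp-shell.php", 5),             # same path, low score
    "admin_low":  Request("/WP-Admin/edit.php", 0),        # real admin page, mixed case
}

def decide(rule, req: Request) -> str:
    return "JS Challenge" if rule(req) else "allow"

def evaluate(samples=SAMPLES):
    """Return {name: (improved_action, enhanced_action)} for every sample."""
    return {n: (decide(improved_rule, r), decide(enhanced_rule, r))
            for n, r in samples.items()}

if __name__ == "__main__":
    for name, actions in evaluate().items():
        print(f"{name:11} improved={actions[0]:12} enhanced={actions[1]}")
```

Two things stand out in the output: the enhanced regex only covers the five listed wp- prefixes, so /wp-shell.php is not matched by it, and without a threat-score gate it challenges every /wp-admin/*.php request, a logged-in administrator's included. The matches operator is also only available on Business and Enterprise plans, so on a Free plan only the contains-based improved rule can be deployed.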
5. [Limit overseas POST login brute force]
Rule name: Challenge Non-CN wp-login POST
(http.request.method eq "POST" and
http.request.uri.path contains "wp-login.php" and
ip.geoip.country ne "CN")
Action: Challenge
Explanation: take care if you yourself operate the site from outside China.
6. Rule: block Python crawlers and empty-UA requests to .html pages
Block Python Bots on .html (for high-frequency access)
------------------------------
A more robust, complete anti-scraping recommendation (recommended rules):
((http.user_agent contains "python" or http.user_agent eq "-") and http.request.uri.path contains ".html")
Also works:
(http.user_agent contains "python") and (http.request.uri.path contains ".html")
Does not work (normal page views get challenged):
(http.user_agent contains "python" or not cf.client.bot) and (http.request.uri.path contains ".html")
Does not work, too strict (normal page views get challenged):
(http.request.uri.path contains ".html" and not cf.client.bot)
Action: Challenge (JavaScript)
Or stronger: Managed Challenge (recommended)
Note: cf.client.bot is true for UAs that Cloudflare recognizes as known good bots (Baidu, Google, Bing, etc.)
The advantages of this rule:
It does not affect normal users (WeChat, Chrome, Safari, Baidu/Google and so on can all access the site normally)
Cloudflare automatically recognizes known good bots, so you do not have to maintain a UA blocklist by hand
It is efficient and runs at the edge, so junk requests never reach your server at all
It supports adaptive challenge levels (Managed Challenge) instead of a blanket 403
✅ Rule 1: block Python crawlers and empty-UA requests to .html pages
((http.user_agent contains "python" or http.user_agent eq "-") and http.request.uri.path contains ".html") and not cf.client.bot and cf.threat_score gt 20
Action: JS Challenge
Name: Block Python Bots on .html (Score Filtered)
✅ Rule 2: malicious requests with an empty UA (handled more safely; covers most malicious crawlers)
(http.user_agent eq "") and not cf.client.bot and cf.threat_score gt 20
Action: Block
Name: Block Empty UA (Filtered)
✅ Rule 3: pagination-flood defense, block access to abnormal page numbers (page-enumeration attacks)
(http.request.uri.path matches "^/page/([2-9][0-9]|[1-9][0-9]{2,})/$") and not cf.client.bot and cf.threat_score gt 20
Action: Block
Name: Block Deep Page Crawl (Filtered)
Adjust the expression to your actual pagination paths, e.g. /list/page/123/ or /tags/page/88/
✅ Rule 4: block curl/wget command-line crawlers accessing .html pages
((http.user_agent contains "curl" or http.user_agent contains "wget") and http.request.uri.path contains ".html") and not cf.client.bot and cf.threat_score gt 20
Action: JS Challenge
Name: Block Curl/Wget Bots (Filtered)
✅ Rule 5: block probing of sensitive directories/APIs (e.g. /api, /inc, /config)
(http.request.uri.path contains "/api" or http.request.uri.path contains "/inc" or http.request.uri.path contains "/config") and not cf.client.bot and cf.threat_score gt 20
Action: Block
Name: Block Suspicious API Probes (Filtered)
Explanation:
not cf.client.bot keeps Google, Baidu and other known crawlers from being blocked by mistake
cf.threat_score gt 20 blocks visitors that Cloudflare rates as high risk (anything above 10 is generally already suspicious)
cf.threat_score is a built-in security-score variable provided by Cloudflare, i.e. the Cloudflare Threat Score
cf.threat_score: a risk score (0 to 100) that Cloudflare computes from the visitor's behaviour, IP reputation and history
gt means "greater than" (the Cloudflare expression language uses human-readable syntax)
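The five "(Score Filtered)" rules above all share the same guard; the following added example (not code from the original post) runs them in order over constructed requests so you can see which visitors the guard protects and which rule fires first. The pagination pattern uses a [2-9][0-9] branch so that pages 20 to 99 are covered.

```python
# Added example (not from the original post): run the five "(Score Filtered)"
# rules above in order against constructed requests. Each rule carries the
# same guard, `not cf.client.bot and cf.threat_score gt 20`, so known good
# bots and low-score visitors are untouched whichever path/UA condition fires.
import re
from dataclasses import dataclass

# Rule 3 pattern; the [2-9][0-9] branch is assumed here so pages 20-99 are covered.
DEEP_PAGE_RE = re.compile(r"^/page/([2-9][0-9]|[1-9][0-9]{2,})/$")

@dataclass
class Request:
    path: str          # http.request.uri.path
    ua: str            # http.user_agent
    client_bot: bool   # cf.client.bot
    threat_score: int  # cf.threat_score (0..100)

def guard(r: Request) -> bool:
    return not r.client_bot and r.threat_score > 20

# (name, condition, action), in the order the rules are listed above
RULES = [
    ("Block Python Bots on .html", lambda r: ("python" in r.ua or r.ua == "-") and ".html" in r.path, "JS Challenge"),
    ("Block Empty UA", lambda r: r.ua == "", "Block"),
    ("Block Deep Page Crawl", lambda r: DEEP_PAGE_RE.match(r.path) is not None, "Block"),
    ("Block Curl/Wget Bots", lambda r: ("curl" in r.ua or "wget" in r.ua) and ".html" in r.path, "JS Challenge"),
    ("Block Suspicious API Probes", lambda r: any(s in r.path for s in ("/api", "/inc", "/config")), "Block"),
]

def first_action(r: Request):
    """Return (rule_name, action) of the first rule that fires, or None."""
    if not guard(r):
        return None
    for name, cond, action in RULES:
        if cond(r):
            return (name, action)
    return None

# Constructed sample requests (UA strings shortened)
SAMPLES = {
    "googlebot_deep": Request("/page/150/", "Googlebot/2.1", True, 90),          # known good bot
    "python_low":     Request("/post/1.html", "python-requests/2.31", False, 5),  # low score
    "python_high":    Request("/post/1.html", "python-requests/2.31", False, 45),
    "deep_page_high": Request("/page/25/", "Mozilla/5.0", False, 30),
    "page_two_high":  Request("/page/2/", "Mozilla/5.0", False, 30),
    "curl_api_high":  Request("/api/v1/users", "curl/8.0", False, 60),           # curl, but no .html
}

def evaluate(samples=SAMPLES):
    return {n: first_action(r) for n, r in samples.items()}
```

first_action mirrors Cloudflare's in-order evaluation, where the first matching rule's Block or challenge action is the one applied; rule 3's matches operator needs a Business or Enterprise plan, the other four work on the Free plan.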
How does Cloudflare compute cf.threat_score?
✅ WAF rule set for WordPress content sites
(
http.request.uri.path contains "/wp-login.php" or
http.request.uri.path contains "/xmlrpc.php" or
http.request.uri.path contains "/wp-cron.php" or
lower(http.request.uri.path) contains "/wp-json/" or
lower(http.request.uri.path) matches "^/wp-content/uploads/.*\.php$" or
(
lower(http.request.uri.path) contains "/wp-" and
lower(http.request.uri.path) contains ".php" and
not lower(http.request.uri.path) contains "admin-ajax" and
not lower(http.request.uri.path) contains "wechat-shop"
)
)
and cf.threat_score gt 10
Suggested action: JS Challenge or Captcha Challenge
Start with JS Challenge for a better user experience; if attacks are frequent, switch to Captcha or Block
Suggested rule name: WordPress Core Path Defense (Combined)
Never block: AppleWebKit