Cloudflare Web Application Firewall and Security
We heavily integrate with and utilise Cloudflare for website speed and security.
In this article we'll detail the rules we put in place to protect your website, and why.
Contents:
- What is a web application firewall (WAF)
- How do we let the good traffic in?
- What are the benefits of using a WAF?
- What are the WAF defaults?
- Can these rules be customised?
- Having problems?
What is a web application firewall (WAF)?
Imagine your website is like a popular club. It has a front door where visitors come in. Now, think of a WAF on Cloudflare as a super-smart, always-on bouncer standing at that door.
What the bouncer does: This bouncer checks everyone who tries to enter. It has a list of known troublemakers (like hackers trying to do bad things) and knows how they usually try to sneak in. If someone looks suspicious or tries to use a known trick, the bouncer stops them from even getting close to the club.
Why it's important for your website: Just like you don't want trouble in your club, you don't want hackers messing with your website, stealing information, or breaking things. The WAF on Cloudflare acts as that first line of defense, blocking these threats before they can cause any harm. It's like having 24/7 security for your digital space!
How do we let the good traffic in?
Think back to our popular club. Our super-smart bouncer has a few ways to recognize the regulars and let them in smoothly:
The Guest List (Whitelisting by Country or other factors): Imagine we have a special guest list for people from certain countries – say, Spain or France, because most of our loyal club members come from there. Our bouncer knows this list and will generally wave people through if their "ID" (their internet address, which can often indicate their country) matches. This is like whitelisting by country – we're telling the WAF, "Hey, traffic coming from these countries is usually okay."
The "Know Their Face" Recognition (No Challenges): For our regular members, the bouncer knows their faces and lets them in without much fuss. This is what we aim for with legitimate users – a smooth, unchallenged entry. This also covers the bots that we know and love, such as the Googlebot crawler, so it can index our site and then send us traffic from Google search.
Now, here's where things can get a little tricky, even for the good guys:
The Disguise (VPNs): Sometimes, even a regular might show up wearing a disguise – maybe a funny hat and glasses. This is like using a VPN. A VPN makes your internet address look like it's coming from a different location, maybe even a country that's not on our usual "good" list. So, even though it's a regular underneath, the bouncer might get suspicious because the "ID" doesn't match what they expect. That's why someone using a VPN, even if they're from a whitelisted country, might get a challenge – the WAF is just being extra careful because the origin looks different.
The Big Group Entrance (Enterprise Networks): Imagine a whole company showing up together. They might all be great people, but they're all coming through one big entrance managed by a central system. This is similar to how some company networks or services like AWS, Azure, or Google Cloud work. All their internet traffic might get routed through a few "public" addresses. To our bouncer (the WAF), it looks like a lot of people are suddenly coming from the same few spots. Even though they might all be legitimate users, this unusual activity can raise a flag, and the WAF might ask for a little extra verification to make sure it's not a coordinated attack.
So, even though we try to make it easy for our legitimate users with things like country whitelisting, sometimes these extra layers of technology (like VPNs and large networks) can make it look a little suspicious to our vigilant bouncer. The WAF is just doing its job to keep the club safe for everyone, even if it means occasionally asking a familiar face for a little extra ID check!
What are the benefits of using a WAF?
Our awesome bouncer (the WAF on Cloudflare) isn't just about keeping the obvious bad guys out. It's also about creating a better, safer, and smoother experience inside the club (your website) for everyone who belongs there! Here's how:
Keeps Out the "Rent-a-Crowd" Trouble: You know those situations where someone can just rent a bunch of temporary accounts to cause trouble? Big cloud providers can sometimes be used like that by hackers, spinning up short-term "machines" to launch attacks. Our WAF is sharp enough to spot this kind of suspicious activity and shut it down, protecting your website from these fleeting but potentially harmful threats. Benefit: Fewer disruptions and a more stable website for your real visitors.
No Shady Figures from the Back Alleys (TOR Network): Think of the TOR network as a super shadowy back alley. While it has legitimate uses, it's also often used by folks trying to hide their tracks for less-than-good reasons. Our WAF can recognize traffic coming from these hidden corners and keep it away from your website. Benefit: Reduced exposure to potentially malicious or low-quality traffic.
Calming Down the Over-Enthusiastic (But Annoying) Bots: You know those bots that just keep banging on the door, trying to do things way too fast? They can slow everything down for everyone else. Our WAF acts like a velvet rope, gently slowing down these overzealous bots so they don't overwhelm your website. Benefit: Faster loading times and a better experience for real human visitors.
Fortifying the Front Door (Login Forms): Our bouncer is extra vigilant at the main entrance – your login forms. They're on the lookout for anyone trying to repeatedly guess passwords to sneak in (brute-force attacks). The WAF slams the door on these persistent attackers. Benefit: Enhanced security for user accounts and preventing unauthorized access.
Keeping the Junk Mail Out of the Inbox (Forms): Nobody likes spam! Our WAF helps filter out those annoying and sometimes harmful spam submissions on your website forms, keeping your valuable information clean. Benefit: Less clutter and more focus on genuine inquiries.
Discouraging Unwanted Tourists: Just like a local club might be wary of huge groups showing up from far-off places with no connection to the community, our WAF can help slow down or challenge traffic from geographies that are consistently not part of your legitimate audience. Benefit: Reduced risk of attacks and wasted resources on irrelevant traffic.
Ensuring Your Digital Signature Looks Good (Email Images): While not a direct security feature in the traditional sense, the WAF and Cloudflare's broader capabilities can help ensure that even things like images in your email signatures are served reliably and efficiently. Benefit: Consistent branding and professional appearance.
Making Payments Smooth and Secure (Apple Pay): For e-commerce sites, the WAF plays a role in ensuring secure communication for things like Apple Pay authorizations, helping to protect transactions. Benefit: Trustworthy and seamless payment processing for your customers.
What are the WAF defaults?
Country rules
By default we set up the WAF to be friendly for your top visiting countries. For example, you may be an Australian business, and 90% of your traffic is from Australia. Or you may be a UK business, and you get 40% of your traffic from France, 40% from the UK, and 20% from the USA - so visitors from these countries will typically never see any sign of the bouncer when they visit.
Bot rules
We allow Google, Bing and other legitimate bots on to the site with no limits.
SEO Crawlers
Crawlers from Semrush, Ahrefs, Majestic SEO, Baidu, Yandex and others are challenged, as they tend to ignore robots.txt rules and create a massive, unnecessary traffic load.
Large providers
Traffic from large cloud providers such as Vultr, Linode, DigitalOcean, Google Cloud, Amazon Web Services and Microsoft Azure is challenged. These providers rent out large amounts of compute cheaply to anyone, and attackers commonly run their tools from there; a real person browsing from a smartphone or computer does not normally arrive from a cloud provider's address range.
These providers also host websites, and a website doesn't normally need to browse another website the way a visitor would.
Path / VPN
We challenge users who hit certain sensitive pages in WordPress, for example the installation page, or the login and admin access URLs. Regardless of country of origin, these are sensitive enough to warrant a challenge every time.
Users on a VPN provider will get challenged - VPNs are used to hide the user's location, and the vast majority of VPN users are up to no good, trying to get around some sort of block.
TOR traffic
We block all traffic from the TOR network.
Can these rules be customised?
Yes, we can customise the rules. For example, you may be using the Semrush SEO crawler, or you may have a legitimate external system hosted on a public cloud provider that needs to communicate with the server. Please let us know the details of the service, and we can add it to a whitelist. This is best done using IP addresses, so please ask your provider for this list, ideally as a page on their site that we can consume and refresh automatically as the addresses change.
Common examples are:
- CDN providers
- Image optimisation
- Remote management software
- SEO management software
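To make the ordering of the defaults above and the customer whitelist concrete, here is an added example in Python. It is an illustration written for this article, not the host's actual configuration and not Cloudflare's rule language (where the same checks are written against request fields such as `ip.geoip.country`, `ip.geoip.asnum`, `cf.client.bot` and `http.request.uri.path`). The rule order, the default action for everyone else, the cloud-provider ASN set and all sample addresses are assumptions made for the example; the whitelist parser shows how a provider-published IP list can be consumed, and the sample requests show why a verified search bot must be allowed before the cloud-provider rule fires.

```python
"""Reference model of the WAF defaults above as an ordered rule list, run over
constructed sample requests. Added illustration in Python: not Cloudflare's rule
language and not the host's actual configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"

# Illustrative ASNs for the providers the article names (AWS, Google, Microsoft,
# Vultr, Linode, DigitalOcean); a real policy keeps these current from
# authoritative data rather than a hard-coded set.
CLOUD_PROVIDER_ASNS = {16509, 14618, 15169, 8075, 20473, 63949, 14061}

@dataclass
class Request:
    ip: str
    country: str                # ISO 3166-1 alpha-2 country of the source IP
    asn: int                    # autonomous system of the source IP
    path: str
    verified_bot: bool = False  # crawler verified by the WAF (Googlebot, Bingbot)
    seo_crawler: bool = False   # Semrush, Ahrefs, Majestic, Baidu, Yandex, ...
    tor: bool = False           # arrived via a Tor exit node
    vpn: bool = False           # source IP belongs to a commercial VPN provider

def parse_ip_list(text):
    """Parse a provider-published IP/CIDR list (one per line, '#' comments).
    Returns (networks, rejected_lines); bare addresses become /32 or /128."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return networks, rejected

def is_sensitive_path(path):
    """Login, admin and installation URLs of a WordPress site."""
    p = path.split("?", 1)[0].lower()
    return p == "/wp-login.php" or p == "/wp-admin" or p.startswith("/wp-admin/")

def evaluate(req, allowlist, top_countries):
    """Return (action, rule name) from the first matching rule. The order is an
    assumption for this example: Tor blocked first, customer allowlist next,
    sensitive paths challenged regardless of country, verified bots allowed
    before the cloud-ASN rule (Googlebot comes from Google's own network), the
    other challenge rules, then top visiting countries waved through."""
    src = ip_address(req.ip)  # a v4 address tested against a v6 network is simply False
    rules = [
        ("tor exit node", req.tor, BLOCK),
        ("customer allowlist", any(src in net for net in allowlist), ALLOW),
        ("sensitive WordPress path", is_sensitive_path(req.path), CHALLENGE),
        ("verified search bot", req.verified_bot, ALLOW),
        ("seo crawler", req.seo_crawler, CHALLENGE),
        ("cloud provider asn", req.asn in CLOUD_PROVIDER_ASNS, CHALLENGE),
        ("vpn provider", req.vpn, CHALLENGE),
        ("top visiting country", req.country in top_countries, ALLOW),
    ]
    for name, matched, action in rules:
        if matched:
            return action, name
    return CHALLENGE, "default"  # everyone else gets the "unwanted tourist" check

# Constructed sample allowlist in the shape a provider might publish it.
SAMPLE_ALLOWLIST_TEXT = """\
# image optimisation service - published ranges
203.0.113.0/24
198.51.100.7
2001:db8:1::/48
not-an-ip-range
"""

# Constructed requests: documentation-range addresses and private-use ASNs.
SAMPLE_REQUESTS = {
    "tor visitor": Request("192.0.2.10", "NL", 64496, "/", tor=True),
    "allowlisted integration on aws": Request("203.0.113.25", "US", 16509, "/wp-admin/admin-ajax.php"),
    "aussie on home page": Request("192.0.2.20", "AU", 64497, "/"),
    "aussie on login page": Request("192.0.2.20", "AU", 64497, "/wp-login.php?redirect_to=%2Fwp-admin%2F"),
    "googlebot from google asn": Request("192.0.2.30", "US", 15169, "/", verified_bot=True),
    "seo crawler": Request("192.0.2.40", "US", 64498, "/", seo_crawler=True),
    "unknown host on vultr": Request("192.0.2.50", "AU", 20473, "/"),
    "aussie via vpn": Request("192.0.2.60", "AU", 64499, "/", vpn=True),
    "visitor from non-top country": Request("192.0.2.70", "DE", 64500, "/"),
}

def run_samples(top_countries=("AU", "GB", "FR", "US")):
    """Evaluate every sample request; returns ({name: (action, rule)}, rejected)."""
    allowlist, rejected = parse_ip_list(SAMPLE_ALLOWLIST_TEXT)
    return {n: evaluate(r, allowlist, top_countries) for n, r in SAMPLE_REQUESTS.items()}, rejected

if __name__ == "__main__":
    results, rejected = run_samples()
    for name, (action, rule) in results.items():
        print(f"{name:30} -> {action:9} ({rule})")
    print("rejected allowlist lines:", rejected)
```

Running the module prints one line per sample request. The two Australian visitors are the instructive pair: the same address is waved through on the home page but challenged on the login page, which is the "regardless of country" behaviour described above, and the whitelisted integration is allowed even though it sits on a cloud provider's network and is calling an admin URL. Rejected lines from a provider's list are returned rather than silently dropped, so a malformed published page is noticed before it quietly shrinks the whitelist.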
Having problems?
In order for us to investigate we'll need to know a little bit about the issue. Please provide the following when reporting an issue to our WordPress Support Team.
- IP address of the visitor having an issue - get this from ipwhois
- The CF Ray ID from the Cloudflare page the visitor sees when opening the page (this is at the bottom of the displayed security check)
- The date and time this occurred
- The page the user was visiting / trying to access
With this information we can investigate the request and the resulting experience.