Block lists

Copy of the latest rule lists made for blocking, to add them:

Naming Scheme: RULE-VERSION-DATE

Creating a new firewall rule

  1. Go to security -> WAF
  2. Click to create new firewall rule
  3. Add the specific name of the rule list into the Rule name (required) box
  4. Click edit expression under the “When incoming requests match…” section
  5. Copy and paste the latest expression from here

Updating an existing firewall rule

  1. Go to security -> WAF
  2. Click the spanner for which rule you would like to update
  3. Scroll down and click edit expression
  4. Delete the existing expression
  5. Copy and paste the latest expression from here

sws-agent - This is our user agent blocking list

This ruleset is for trying to block user-agents only, rule name in Cloudflare:

sws-agent

Changelog

added "-" to block

added Go-http-client to block

Removes all the URI bits to move to the sws-uri ruleset

Removes Apache-HttpClient user agent from the list as it was found to block Linkedin

Expression ( Rule sets )

V11 - 10/10/2024

				
					(http.user_agent contains "Presto/2.9.181 Version/12.00") or (http.user_agent contains "ZoominfoBot") or (http.user_agent contains "SearchAtlas.com SEO Crawler") or (http.user_agent contains "http://mj12bot.com/") or (http.user_agent contains "python-requests") or (http.referer contains "http://site.ru") or (http.user_agent contains "http://datasift.com/bot.html") or (http.user_agent contains "Crawler4j") or (http.user_agent contains "http://spaziodati.eu/") or (http.user_agent contains "http://webmeup-crawler.com/") or (http.user_agent contains "http://www.opensiteexplorer.org") or (http.user_agent contains "http://ahrefs.com/robot/") or (http.user_agent contains "https://app.hypefactors.com") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "http://www.brandwatch.net") or (http.user_agent contains "http://www.wise-guys.nl/") or (http.user_agent contains "PetalBot") or (http.user_agent contains "SerendeputyBot") or (http.user_agent contains "Bytespider; spider-feedback@bytedance.com") or (http.user_agent contains "https://developer.amazon.com/support/amazonbot") or (http.referer contains "news.grets.store") or (http.referer contains "static.seders.website") or (http.referer contains "rida.tokyo") or (http.referer contains "info.seders.website") or (http.referer contains "trast.mantero.online") or (http.referer contains "kar.razas.site") or (http.referer contains "game.fertuk.site") or (http.referer contains "ofer.bartikus.site") or (http.referer contains "garold.dertus.site") or (http.referer contains "phmg.lightning.force.com") or (http.user_agent contains "Go-http-client") or (http.user_agent eq "-")
				
			

V10 - 01/10/2024

				
					(http.user_agent contains "Presto/2.9.181 Version/12.00") or (http.user_agent contains "ZoominfoBot") or (http.user_agent contains "SearchAtlas.com SEO Crawler") or (http.user_agent contains "http://mj12bot.com/") or (http.user_agent contains "python-requests") or (http.referer contains "http://site.ru") or (http.user_agent contains "http://datasift.com/bot.html") or (http.user_agent contains "Crawler4j") or (http.user_agent contains "http://spaziodati.eu/") or (http.user_agent contains "http://webmeup-crawler.com/") or (http.user_agent contains "http://www.opensiteexplorer.org") or (http.user_agent contains "http://ahrefs.com/robot/") or (http.user_agent contains "https://app.hypefactors.com") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "http://www.brandwatch.net") or (http.user_agent contains "http://www.wise-guys.nl/") or (http.user_agent contains "PetalBot") or (http.user_agent contains "SerendeputyBot") or (http.user_agent contains "Bytespider; spider-feedback@bytedance.com") or (http.user_agent contains "https://developer.amazon.com/support/amazonbot") or (http.referer contains "news.grets.store") or (http.referer contains "static.seders.website") or (http.referer contains "rida.tokyo") or (http.referer contains "info.seders.website") or (http.referer contains "trast.mantero.online") or (http.referer contains "kar.razas.site") or (http.referer contains "game.fertuk.site") or (http.referer contains "ofer.bartikus.site") or (http.referer contains "garold.dertus.site") or (http.referer contains "phmg.lightning.force.com") or (http.user_agent contains "Go-http-client")
				
			

V9.0 - 27/02/2024

				
					(http.user_agent contains "Presto/2.9.181 Version/12.00") or (http.user_agent contains "ZoominfoBot") or (http.user_agent contains "SearchAtlas.com SEO Crawler") or (http.user_agent contains "http://mj12bot.com/") or (http.user_agent contains "python-requests") or (http.referer contains "http://site.ru") or (http.user_agent contains "http://datasift.com/bot.html") or (http.user_agent contains "Crawler4j") or (http.user_agent contains "http://spaziodati.eu/") or (http.user_agent contains "http://webmeup-crawler.com/") or (http.user_agent contains "http://www.opensiteexplorer.org") or (http.user_agent contains "http://ahrefs.com/robot/") or (http.user_agent contains "https://app.hypefactors.com") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "http://www.brandwatch.net") or (http.user_agent contains "http://www.wise-guys.nl/") or (http.user_agent contains "PetalBot") or (http.user_agent contains "SerendeputyBot") or (http.user_agent contains "Bytespider; spider-feedback@bytedance.com") or (http.user_agent contains "https://developer.amazon.com/support/amazonbot") or (http.referer contains "news.grets.store") or (http.referer contains "static.seders.website") or (http.referer contains "rida.tokyo") or (http.referer contains "info.seders.website") or (http.referer contains "trast.mantero.online") or (http.referer contains "kar.razas.site") or (http.referer contains "game.fertuk.site") or (http.referer contains "ofer.bartikus.site") or (http.referer contains "garold.dertus.site") or (http.referer contains "phmg.lightning.force.com")
				
			

V8.0 - 14/11/2022

				
					(http.user_agent contains "Presto/2.9.181 Version/12.00") or (http.user_agent contains "ZoominfoBot") or (http.user_agent contains "SearchAtlas.com SEO Crawler") or (http.user_agent contains "http://mj12bot.com/") or (http.user_agent contains "python-requests") or (http.referer contains "http://site.ru") or (http.user_agent contains "http://datasift.com/bot.html") or (http.user_agent contains "Crawler4j") or (http.user_agent contains "http://spaziodati.eu/") or (http.user_agent contains "http://webmeup-crawler.com/") or (http.user_agent contains "http://www.opensiteexplorer.org") or (http.user_agent contains "http://ahrefs.com/robot/") or (http.user_agent contains "https://app.hypefactors.com") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "http://www.brandwatch.net") or (http.user_agent contains "http://www.wise-guys.nl/") or (http.user_agent contains "PetalBot") or (http.user_agent contains "SerendeputyBot") or (http.user_agent contains "Bytespider; spider-feedback@bytedance.com") or (http.user_agent contains "https://developer.amazon.com/support/amazonbot")
				
			

V7.0 - 27/07/2022

				
					(http.user_agent contains "Presto/2.9.181 Version/12.00") or (http.user_agent contains "ZoominfoBot") or (http.user_agent contains "SearchAtlas.com SEO Crawler") or (http.user_agent contains "http://mj12bot.com/") or (http.user_agent contains "python-requests") or (http.referer contains "http://site.ru") or (http.user_agent contains "http://datasift.com/bot.html") or (http.user_agent contains "Crawler4j") or (http.user_agent contains "http://spaziodati.eu/") or (http.user_agent contains "http://webmeup-crawler.com/") or (http.user_agent contains "http://www.opensiteexplorer.org") or (http.user_agent contains "http://ahrefs.com/robot/") or (http.user_agent contains "https://app.hypefactors.com") or (http.user_agent contains "SemrushBot") or (http.user_agent contains "http://www.brandwatch.net") or (http.user_agent contains "http://www.wise-guys.nl/")
				
			

Old - formats wrong

(http.user_agent contains “Presto/2.9.181 Version/12.00”) or (http.user_agent contains “ZoominfoBot”) or (http.user_agent contains “SearchAtlas.com SEO Crawler”) or (http.user_agent contains “http://mj12bot.com/”) or (http.user_agent contains “python-requests”) or (http.referer contains “http://site.ru”) or (http.user_agent contains “http://datasift.com/bot.html”) or (http.user_agent contains “Crawler4j”) or (http.user_agent contains “http://spaziodati.eu/”) or (http.user_agent contains “http://webmeup-crawler.com/”) or (http.user_agent contains “http://www.opensiteexplorer.org”) or (http.user_agent contains “http://ahrefs.com/robot/”) or (http.user_agent contains “https://app.hypefactors.com”) or (http.user_agent contains “SemrushBot”) or (http.user_agent contains “http://www.brandwatch.net”) or (http.user_agent contains “http://www.wise-guys.nl/”) 1111111111111 (http.user_agent contains “Presto/2.9.181 Version/12.00”) or (http.user_agent contains “ZoominfoBot”) or (http.user_agent contains “SearchAtlas.com SEO Crawler”) or (http.user_agent contains “http://mj12bot.com/”) or (http.user_agent contains “python-requests”) or (http.referer contains “http://site.ru”) or (http.user_agent contains “http://datasift.com/bot.html”) or (http.user_agent contains “Crawler4j”) or (http.user_agent contains “http://spaziodati.eu/”) or (http.user_agent contains “http://webmeup-crawler.com/”) or (http.user_agent contains “http://www.opensiteexplorer.org”) or (http.user_agent contains “http://ahrefs.com/robot/”) or (http.user_agent contains “https://app.hypefactors.com”) or (http.user_agent contains “SemrushBot”) or (http.user_agent contains “http://www.brandwatch.net”) or (http.user_agent contains “http://www.wise-guys.nl/”)

(http.user_agent contains “Presto/2.9.181 Version/12.00”) or (http.user_agent contains “ZoominfoBot”) or (http.user_agent contains “SearchAtlas.com SEO Crawler”) or (http.user_agent contains “http://mj12bot.com/”) or (http.user_agent contains “python-requests”) or (http.referer contains “http://site.ru”) or (http.user_agent contains “http://datasift.com/bot.html”) or (http.user_agent contains “Crawler4j”) or (http.user_agent contains “http://spaziodati.eu/”) or (http.request.uri contains “autodiscover.xml”) or (http.user_agent contains “http://webmeup-crawler.com/”) or (http.user_agent contains “http://www.opensiteexplorer.org”) or (http.user_agent contains “http://ahrefs.com/robot/”) or (http.user_agent contains “https://app.hypefactors.com”) or (http.user_agent contains “SemrushBot”) or (http.request.uri contains “?author=”) or (http.request.uri contains “phpmyadmin”) or (http.request.uri contains “wp-config.php”) or (http.request.uri contains “phpunit”) or (http.user_agent contains “http://www.brandwatch.net”) or (http.user_agent contains “http://www.wise-guys.nl/”)

(http.user_agent contains “Presto/2.9.181 Version/12.00”) or (http.user_agent contains “ZoominfoBot”) or (http.user_agent contains “SearchAtlas.com SEO Crawler”) or (http.user_agent contains “http://mj12bot.com/”) or (http.user_agent contains “python-requests”) or (http.referer contains “http://site.ru”) or (http.user_agent contains “http://datasift.com/bot.html”) or (http.user_agent contains “Crawler4j”) or (http.user_agent contains “http://spaziodati.eu/”) or (http.request.uri contains “autodiscover.xml”) or (http.user_agent contains “http://webmeup-crawler.com/”) or (http.user_agent contains “http://www.opensiteexplorer.org”) or (http.user_agent contains “http://ahrefs.com/robot/”) or (http.user_agent contains “https://app.hypefactors.com”) or (http.user_agent contains “SemrushBot”) or (http.request.uri contains “?author=”) or (http.user_agent contains “Apache-HttpClient”) or (http.request.uri contains “phpmyadmin”) or (http.request.uri contains “wp-config.php”) or (http.request.uri contains “phpunit”) or (http.user_agent contains “http://www.brandwatch.net”) or (http.user_agent contains “http://www.wise-guys.nl/”)

(http.user_agent contains “Presto/2.9.181 Version/12.00”) or (http.user_agent contains “ZoominfoBot”) or (http.user_agent contains “Site24x7”) or (http.user_agent contains “SearchAtlas.com SEO Crawler”) or (http.user_agent contains “http://mj12bot.com/”) or (http.user_agent contains “python-requests”) or (http.referer contains “http://site.ru”) or (http.user_agent contains “http://datasift.com/bot.html”) or (http.user_agent contains “Crawler4j”) or (http.user_agent contains “http://spaziodati.eu/”) or (http.request.uri contains “autodiscover.xml”) or (http.user_agent contains “http://webmeup-crawler.com/”) or (http.user_agent contains “http://www.opensiteexplorer.org”) or (http.user_agent contains “http://ahrefs.com/robot/”) or (http.user_agent contains “https://app.hypefactors.com”) or (http.user_agent contains “SemrushBot”) or (http.request.uri contains “?author=”) or (http.user_agent contains “Apache-HttpClient”) or (http.request.uri contains “phpmyadmin”) or (http.request.uri contains “wp-config.php”) or (http.request.uri contains “phpunit”) or (http.user_agent contains “http://www.brandwatch.net”) or (http.user_agent contains “http://www.wise-guys.nl/”)

(http.user_agent contains “Presto/2.9.181 Version/12.00”) or (http.user_agent contains “ZoominfoBot”) or (http.user_agent contains “Site24x7”) or (http.user_agent contains “SearchAtlas.com SEO Crawler”) or (http.user_agent contains “http://mj12bot.com/”) or (http.user_agent contains “python-requests”) or (http.referer contains “http://site.ru”) or (http.user_agent contains “http://datasift.com/bot.html”) or (http.user_agent contains “Crawler4j”) or (http.user_agent contains “http://spaziodati.eu/”) or (http.request.uri.path contains “AutoDiscover/autodiscover.xml”) or (http.user_agent contains “http://webmeup-crawler.com/”) or (http.user_agent contains “http://www.opensiteexplorer.org”) or (http.user_agent contains “http://ahrefs.com/robot/”) or (http.user_agent contains “https://app.hypefactors.com”) or (http.user_agent contains “SemrushBot”) or (http.request.uri.path contains “?author=”) or (http.user_agent contains “Apache-HttpClient”) or (http.request.uri.path contains “phpmyadmin”) or (http.request.uri.path contains “wp-config.php”)

(http.user_agent contains “Presto/2.9.181 Version/12.00”) or (http.user_agent contains “ZoominfoBot”) or (http.user_agent contains “Site24x7”) or (http.user_agent contains “SearchAtlas.com SEO Crawler”) or (http.user_agent contains “http://mj12bot.com/”) or (http.user_agent contains “python-requests/”) or (http.user_agent contains “http://site.ru”) or (http.user_agent contains “http://datasift.com/bot.html”) or (http.user_agent contains “Crawler4j”) or (http.user_agent contains “http://spaziodati.eu/”) or (http.request.uri.path contains “AutoDiscover/autodiscover.xml”)

sws-uri-free - This is our URI blocked list for Cloudflare FREE plans

This ruleset is for trying to block specific URIs or URI patterns, rule name in Cloudflare:

sws-uri-free

Changelog

  1. Added adminer
  2. added readme.txt
  3. added 404.php
  1. initial free build

Expression ( Rule set )

V2 - 09/08/2022

				
					(http.request.uri eq "/404testpage4525d2fdc") or (http.request.uri eq "/wp-content/plugins/wpconfig.bak.php") or (http.request.uri eq "/wp-content/themes/sketch/404.php") or (http.request.uri eq "/404javascript.js") or (http.request.uri eq "/wp_wrong_datlib.php") or (http.request.uri eq "/wikindex.php") or (http.request.uri eq "/1index.php") or (http.request.uri eq "/3index.php") or (http.request.uri eq "/wp-includes/images/css.php") or (http.request.uri eq "/wp-includes/css/css.php") or (http.request.uri eq "/defau1t.php") or (http.request.uri eq "/beence.php") or (http.request.uri contains "export.php") or (http.request.uri eq "/defau11.php") or (http.request.uri eq "/moduless.php") or (http.request.uri contains "xmlrpc.php") or (http.request.uri contains "/wp-content/themes/twenty") or (http.request.uri contains "autodiscover.xml") or (http.request.uri contains "?author=") or (http.request.uri contains "phpmyadmin") or (http.request.uri contains "wp-config.php") or (http.request.uri contains "phpunit") or (http.request.uri contains "leaf.php") or (http.request.uri contains "leafmailer.php") or (http.request.uri contains "fw.php") or (http.request.uri contains "shell.php") or (http.request.uri contains "alfa.php") or (http.request.uri contains "wso.php") or (http.request.uri contains "doc.php") or (http.request.uri contains "adminer") or (http.request.uri contains "404.php") or (http.request.uri contains "readme.txt")
				
			

Old - Wrong format

(http.request.uri eq “/404testpage4525d2fdc”) or (http.request.uri eq “/wp-content/plugins/wpconfig.bak.php”) or (http.request.uri eq “/wp-content/themes/sketch/404.php”) or (http.request.uri eq “/404javascript.js”) or (http.request.uri eq “/wp_wrong_datlib.php”) or (http.request.uri eq “/wikindex.php”) or (http.request.uri eq “/1index.php”) or (http.request.uri eq “/3index.php”) or (http.request.uri eq “/wp-includes/images/css.php”) or (http.request.uri eq “/wp-includes/css/css.php”) or (http.request.uri eq “/defau1t.php”) or (http.request.uri eq “/beence.php”) or (http.request.uri contains “export.php”) or (http.request.uri eq “/defau11.php”) or (http.request.uri eq “/moduless.php”) or (http.request.uri contains “xmlrpc.php”) or (http.request.uri contains “/wp-content/themes/twenty”) or (http.request.uri contains “autodiscover.xml”) or (http.request.uri contains “?author=”) or (http.request.uri contains “phpmyadmin”) or (http.request.uri contains “wp-config.php”) or (http.request.uri contains “phpunit”) or (http.request.uri contains “leaf.php”) or (http.request.uri contains “leafmailer.php”) or (http.request.uri contains “fw.php”) or (http.request.uri contains “shell.php”) or (http.request.uri contains “alfa.php”) or (http.request.uri contains “wso.php”) or (http.request.uri contains “doc.php”) or (http.request.uri contains “adminer”) or (http.request.uri contains “404.php”) or (http.request.uri contains “readme.txt”)

(http.request.uri eq “/404testpage4525d2fdc”) or (http.request.uri eq “/wp-content/plugins/wpconfig.bak.php”) or (http.request.uri eq “/wp-content/themes/sketch/404.php”) or (http.request.uri eq “/404javascript.js”) or (http.request.uri eq “/wp_wrong_datlib.php”) or (http.request.uri eq “/wikindex.php”) or (http.request.uri eq “/1index.php”) or (http.request.uri eq “/3index.php”) or (http.request.uri eq “/wp-includes/images/css.php”) or (http.request.uri eq “/wp-includes/css/css.php”) or (http.request.uri eq “/defau1t.php”) or (http.request.uri eq “/beence.php”) or (http.request.uri contains “export.php”) or (http.request.uri eq “/defau11.php”) or (http.request.uri eq “/moduless.php”) or (http.request.uri contains “xmlrpc.php”) or (http.request.uri contains “/wp-content/themes/twenty”) or (http.request.uri contains “autodiscover.xml”) or (http.request.uri contains “?author=”) or (http.request.uri contains “phpmyadmin”) or (http.request.uri contains “wp-config.php”) or (http.request.uri contains “phpunit”) or (http.request.uri contains “leaf.php”) or (http.request.uri contains “leafmailer.php”) or (http.request.uri contains “fw.php”) or (http.request.uri contains “shell.php”) or (http.request.uri contains “alfa.php”) or (http.request.uri contains “wso.php”) or (http.request.uri contains “doc.php”)

Known possible issues

If a website is having any issues with exporting, it's likely down to the export.php file being blocked.

sws-uri-pro - This is our URI blocked list

This ruleset is for trying to block specific URIs or URI patterns, rule name in Cloudflare:

sws-uri-pro

Changelog

  1. Added readme.txt regex rule
  2. Added adminer rule
  3. Added /404.php
  1. Added wso.php regex rule
  2. Added doc.php regex rule
  1. Merged the two export.php rules together for optimisation
  2. Added fw.php regex rule
  3. Added alfa.php regex rule

Added URI entries from sws-agent list into this one.

Initial list created

Expression ( Rule set )

V5.0 - 09/08/2022

				
					(http.request.uri eq "/404testpage4525d2fdc") or (http.request.uri eq "/wp-content/plugins/wpconfig.bak.php") or (http.request.uri contains "404.php") or (http.request.uri eq "/404javascript.js") or (http.request.uri eq "/wp_wrong_datlib.php") or (http.request.uri eq "/wikindex.php") or (http.request.uri eq "/1index.php") or (http.request.uri eq "/3index.php") or (http.request.uri matches "^(.*)(LEAF|leaf)(.*)(.php)$") or (http.request.uri eq "/wp-includes/images/css.php") or (http.request.uri eq "/wp-includes/css/css.php") or (http.request.uri eq "/defau1t.php") or (http.request.uri matches "^(.*)(shell|Shell)(.*)(.php)$") or (http.request.uri eq "/beence.php") or (http.request.uri contains "export.php") or (http.request.uri eq "/defau11.php") or (http.request.uri eq "/moduless.php") or (http.request.uri contains "xmlrpc.php") or (http.request.uri contains "/wp-content/themes/twenty") or (http.request.uri contains "autodiscover.xml") or (http.request.uri contains "?author=") or (http.request.uri contains "phpmyadmin") or (http.request.uri contains "wp-config.php") or (http.request.uri contains "phpunit") or (http.request.uri matches "^(.*)(FW|fw)(.*)(.php)$") or (http.request.uri matches "^(.*)(ALFA|alfa)(.*)(.php)$") or (http.request.uri matches "^(.*)(WSO|wso)(.*)(.php)$") or (http.request.uri matches "^(.*)(DOC|doc)(.*)(.php)$") or (http.request.uri matches "^(.*)(README|readme)(.*)(.txt)$") or (http.request.uri contains "adminer")
				
			

(http.request.uri eq “/404testpage4525d2fdc”) or (http.request.uri eq “/wp-content/plugins/wpconfig.bak.php”) or (http.request.uri contains “404.php”) or (http.request.uri eq “/404javascript.js”) or (http.request.uri eq “/wp_wrong_datlib.php”) or (http.request.uri eq “/wikindex.php”) or (http.request.uri eq “/1index.php”) or (http.request.uri eq “/3index.php”) or (http.request.uri matches “^(.*)(LEAF|leaf)(.*)(.php)$”) or (http.request.uri eq “/wp-includes/images/css.php”) or (http.request.uri eq “/wp-includes/css/css.php”) or (http.request.uri eq “/defau1t.php”) or (http.request.uri matches “^(.*)(shell|Shell)(.*)(.php)$”) or (http.request.uri eq “/beence.php”) or (http.request.uri contains “export.php”) or (http.request.uri eq “/defau11.php”) or (http.request.uri eq “/moduless.php”) or (http.request.uri contains “xmlrpc.php”) or (http.request.uri contains “/wp-content/themes/twenty”) or (http.request.uri contains “autodiscover.xml”) or (http.request.uri contains “?author=”) or (http.request.uri contains “phpmyadmin”) or (http.request.uri contains “wp-config.php”) or (http.request.uri contains “phpunit”) or (http.request.uri matches “^(.*)(FW|fw)(.*)(.php)$”) or (http.request.uri matches “^(.*)(ALFA|alfa)(.*)(.php)$”) or (http.request.uri matches “^(.*)(WSO|wso)(.*)(.php)$”) or (http.request.uri matches “^(.*)(DOC|doc)(.*)(.php)$”) or (http.request.uri matches “^(.*)(README|readme)(.*)(.txt)$”) or (http.request.uri contains “adminer”)

(http.request.uri eq “/404testpage4525d2fdc”) or (http.request.uri eq “/wp-content/plugins/wpconfig.bak.php”) or (http.request.uri eq “/wp-content/themes/sketch/404.php”) or (http.request.uri eq “/404javascript.js”) or (http.request.uri eq “/wp_wrong_datlib.php”) or (http.request.uri eq “/wikindex.php”) or (http.request.uri eq “/1index.php”) or (http.request.uri eq “/3index.php”) or (http.request.uri matches “^(.*)(LEAF|leaf)(.*)(.php)$”) or (http.request.uri eq “/wp-includes/images/css.php”) or (http.request.uri eq “/wp-includes/css/css.php”) or (http.request.uri eq “/defau1t.php”) or (http.request.uri matches “^(.*)(shell|Shell)(.*)(.php)$”) or (http.request.uri eq “/beence.php”) or (http.request.uri contains “export.php”) or (http.request.uri eq “/defau11.php”) or (http.request.uri eq “/moduless.php”) or (http.request.uri contains “xmlrpc.php”) or (http.request.uri contains “/wp-content/themes/twenty”) or (http.request.uri contains “autodiscover.xml”) or (http.request.uri contains “?author=”) or (http.request.uri contains “phpmyadmin”) or (http.request.uri contains “wp-config.php”) or (http.request.uri contains “phpunit”) or (http.request.uri matches “^(.*)(FW|fw)(.*)(.php)$”) or (http.request.uri matches “^(.*)(ALFA|alfa)(.*)(.php)$”) or (http.request.uri matches “^(.*)(WSO|wso)(.*)(.php)$”) or (http.request.uri matches “^(.*)(DOC|doc)(.*)(.php)$”)

(http.request.uri eq “/404testpage4525d2fdc”) or (http.request.uri eq “/wp-content/plugins/wpconfig.bak.php”) or (http.request.uri eq “/wp-content/themes/sketch/404.php”) or (http.request.uri eq “/404javascript.js”) or (http.request.uri eq “/wp_wrong_datlib.php”) or (http.request.uri eq “/wikindex.php”) or (http.request.uri eq “/1index.php”) or (http.request.uri eq “/3index.php”) or (http.request.uri matches “^(.*)(LEAF|leaf)(.*)(.php)$”) or (http.request.uri eq “/wp-includes/images/css.php”) or (http.request.uri eq “/wp-includes/css/css.php”) or (http.request.uri eq “/defau1t.php”) or (http.request.uri matches “^(.*)(shell|Shell)(.*)(.php)$”) or (http.request.uri eq “/beence.php”) or (http.request.uri contains “export.php”) or (http.request.uri eq “/defau11.php”) or (http.request.uri eq “/moduless.php”) or (http.request.uri contains “xmlrpc.php”) or (http.request.uri contains “/wp-content/themes/twenty”) or (http.request.uri contains “autodiscover.xml”) or (http.request.uri contains “?author=”) or (http.request.uri contains “phpmyadmin”) or (http.request.uri contains “wp-config.php”) or (http.request.uri contains “phpunit”) or (http.request.uri matches “^(.*)(FW|fw)(.*)(.php)$”) or (http.request.uri matches “^(.*)(ALFA|alfa)(.*)(.php)$”)

(http.request.uri eq “/404testpage4525d2fdc”) or (http.request.uri eq “/wp-content/plugins/wpconfig.bak.php”) or (http.request.uri eq “/wp-content/themes/sketch/404.php”) or (http.request.uri eq “/404javascript.js”) or (http.request.uri eq “/wp_wrong_datlib.php”) or (http.request.uri eq “/wikindex.php”) or (http.request.uri eq “/1index.php”) or (http.request.uri eq “/3index.php”) or (http.request.uri matches “^(.*)(LEAF|leaf)(.*)(.php)$”) or (http.request.uri eq “/wp-includes/images/css.php”) or (http.request.uri eq “/wp-includes/css/css.php”) or (http.request.uri eq “/defau1t.php”) or (http.request.uri matches “^(.*)(shell|Shell)(.*)(.php)$”) or (http.request.uri eq “/beence.php”) or (http.request.uri eq “/export.php”) or (http.request.uri eq “/wp-content/export.php”) or (http.request.uri eq “/alfa.php”) or (http.request.uri eq “/defau11.php”) or (http.request.uri eq “/moduless.php”) or (http.request.uri contains “xmlrpc.php”) or (http.request.uri contains “/wp-content/themes/twenty”) or (http.request.uri contains “autodiscover.xml”) or (http.request.uri contains “?author=”) or (http.request.uri contains “phpmyadmin”) or (http.request.uri contains “wp-config.php”) or (http.request.uri contains “phpunit”)

(http.request.uri eq “/404testpage4525d2fdc”) or (http.request.uri eq “/wp-content/plugins/wpconfig.bak.php”) or (http.request.uri eq “/wp-content/themes/sketch/404.php”) or (http.request.uri eq “/404javascript.js”) or (http.request.uri eq “/wp_wrong_datlib.php”) or (http.request.uri eq “/wikindex.php”) or (http.request.uri eq “/1index.php”) or (http.request.uri eq “/3index.php”) or (http.request.uri matches “^(.*)(LEAF|leaf)(.*)(.php)$”) or (http.request.uri eq “/wp-includes/images/css.php”) or (http.request.uri eq “/wp-includes/css/css.php”) or (http.request.uri eq “/defau1t.php”) or (http.request.uri matches “^(.*)(shell|Shell)(.*)(.php)$”) or (http.request.uri eq “/beence.php”) or (http.request.uri eq “/export.php”) or (http.request.uri eq “/wp-content/export.php”) or (http.request.uri eq “/alfa.php”) or (http.request.uri eq “/defau11.php”) or (http.request.uri eq “/moduless.php”) or (http.request.uri contains “xmlrpc.php”) or (http.request.uri contains “/wp-content/themes/twenty”)

REGEX notes - NO ESCAPING NEEDED IN CLOUDFLARE 🙂

Examples of blocked URIs:

wp-admin/includes/leafmailer.php.php
wp-admin/css/leaf.php
wp-admin/css/colors/coffee/leafmailer2.8.php
wp-content/plugins/wp-freeform/black2llleaf.php
leaf_php.php
wp-includes/leafmailer2.8.php
wp-admin/maint/leafmailer.php.php

Example of blocked URLs

fw.php
wp-includes/fw.php
wp-admin/css/colors/coffee/fw.php
.well-known/fw.php
wp-admin/maint/fw.php

Example of blocked URLs

my_alfa.php
alfa3.php
alfav4.1-tesla.php
alfa1.php
wp-admin/css/colors/coffee/alfawso.php
wp-includes/alfa.php

Example of blocked URLs

wso.php
wp-content/wso.php
FoxWSOv2.php
wp-admin/css/colors/coffee/wso.php
wso1337.php

Example of blocked URLs

doc.php
wp-content/themes/bigmart/doc.php
wp-content/themes/walmart/doc.php
doc.php/404.php

Example of blocked URLs

wp-content/plugins/ninja-forms/readme.txt
wp-content/plugins/wp-file-manager/readme.txt
wp-content/plugins/iwp-client/readme.txt
wp-content/plugins/kivicare-clinic-management-system/README.txt
wp-content/plugins/the-plus-addons-for-elementor-page-builder/readme.txt
wp-content/plugins/advanced-import/readme.txt
wp-content/plugins/ulisting/readme.txt
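
An added example, not part of the original page or of Cloudflare's tooling: a small Python checker that parses an OR-only expression in the form used on this page and runs it against sample URIs before the rule is pasted into Cloudflare. The clauses are copied from the sws-uri-pro V5.0 expression, the must-block URIs come from the lists above with a leading slash added, the must-allow URIs are constructed, and Python's `re` standing in for Cloudflare's regex engine is an assumption.

```python
import re

# One parenthesised clause: (field operator "value"). Only the three operators
# that appear in the rule lists on this page are handled.
CLAUSE = re.compile(r'\(\s*([a-z_.]+)\s+(contains|eq|matches)\s+"([^"]*)"\s*\)')


def parse(expr):
    """Split an OR-only expression into (field, operator, value) clauses."""
    if "\u201c" in expr or "\u201d" in expr:
        # The "wrong format" copies on this page use curly quotes.
        raise ValueError("curly quotes found; string values need straight quotes")
    clauses = [m.groups() for m in CLAUSE.finditer(expr)]
    leftover = re.sub(r"\bor\b", "", CLAUSE.sub("", expr)).strip()
    if not clauses or leftover:
        raise ValueError("unparsed text in expression: %r" % leftover)
    return clauses


def first_match(clauses, request):
    """Return the first clause that fires for a request dict, or None."""
    for field, op, value in clauses:
        actual = request.get(field, "")
        if op == "eq":
            hit = actual == value
        elif op == "contains":
            hit = value in actual          # case-sensitive substring test
        else:
            # "matches": Python's re used as a stand-in (assumption).
            hit = re.search(value, actual) is not None
        if hit:
            return (field, op, value)
    return None


def audit(expr, must_block, must_allow):
    """Return (missed, overblocked) for two lists of request URIs."""
    clauses = parse(expr)
    missed, overblocked = [], {}
    for uri in must_block:
        if first_match(clauses, {"http.request.uri": uri}) is None:
            missed.append(uri)
    for uri in must_allow:
        hit = first_match(clauses, {"http.request.uri": uri})
        if hit:
            overblocked[uri] = hit[2]      # record the value that fired
    return missed, overblocked


# Subset of clauses copied from the sws-uri-pro V5.0 expression on this page.
EXPR = " or ".join([
    '(http.request.uri contains "export.php")',
    '(http.request.uri matches "^(.*)(LEAF|leaf)(.*)(.php)$")',
    '(http.request.uri matches "^(.*)(FW|fw)(.*)(.php)$")',
    '(http.request.uri matches "^(.*)(DOC|doc)(.*)(.php)$")',
    '(http.request.uri matches "^(.*)(README|readme)(.*)(.txt)$")',
])

# Taken from the "blocked" lists on this page; leading slash added.
MUST_BLOCK = [
    "/wp-admin/css/leaf.php",
    "/leaf_php.php",
    "/.well-known/fw.php",
    "/wp-content/themes/bigmart/doc.php",
    "/wp-content/plugins/kivicare-clinic-management-system/README.txt",
]

# Constructed examples of legitimate-looking URIs (not from the page).
MUST_ALLOW = [
    "/about-us/",
    "/wp-admin/export.php?download=true",  # the known export issue
    "/leaflet-map/embed.php",              # "leaf" inside a longer word
    "/documents/invoice.php",              # "doc" inside a longer word
    "/blog/readme-txt",                    # unescaped "." matches any character
]

if __name__ == "__main__":
    missed, overblocked = audit(EXPR, MUST_BLOCK, MUST_ALLOW)
    print("missed:", missed)
    for uri, value in overblocked.items():
        print("would also block:", uri, "via", value)
```

Any URI reported under "would also block" is a candidate false positive to review before the expression goes live.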

Known possible issues

If a website is having any issues with exporting, it's likely down to the export.php file being blocked.

sws-country - This is default countries blocked

This ruleset is for blocking countries that are known to launch DDoS attacks and don’t need access to our websites.

sws-country

Expression ( Rule set )

V2.0 - 19/10/2022

				
					(ip.geoip.country in {"BR" "CN" "EG" "HU" "IN" "ID" "MY" "RO" "RU" "TW" "TR" "NP"})
				
			

V2.0 - 19/10/2022

				
					(ip.geoip.country in {"BR" "CN" "IN" "ID" "MY" "RO" "RU" "TW" "TR" "HU"})
				
			

V1.0 - 23/08/2022

				
					(ip.geoip.country in {"BR" "CN" "IN" "MY" "RU" "ID"})
				
			

(ip.geoip.country in {“BR” “CN” “IN” “MY” “RU” “ID”})

Changelog

Added:

Egypt
Nepal

Added:

Hungary
Romania
Taiwan
Turkey

Initial list created:

China
Brazil
India
Malaysia
Indonesia
Russia

How to block countries

How to know what countries to block with Cloudflare

Use the Wordfence dashboard widget on the website being attacked for reference.

Steps to block countries with Cloudflare

  1. Log in to Cloudflare
  2. Go to firewall -> Firewall rules
  3. Create a firewall rule and name it “Countries blocked from accessing website”
  4. Under “When incoming requests match…” select:
       Under field, select country
       Under operator, select equals
       Under value, add the country name to block
  5. If you want to add more countries, select “or” at the end and repeat step 4
  6. Next, as a precaution, make sure not to block known bots from any country. To do this, select “and” on the last country blocking rule and set:
       Under field, select known bots
       Under operator, select equals
       Under value, set to off
  7. Finally, under “then”, select block to block these requests