Block Crawlers & WP Paths

The Block Crawlers & WP Paths feature helps protect your WordPress site from aggressive bots, exploit scanners, suspicious crawlers, and requests targeting sensitive WordPress files. Bots you have allowed under Allow Good Bots are evaluated before these blocking rules, so a good bot is never caught by them.

(Screenshot: Block Crawlers & WP Paths in the Ultimate Security WAF rules)

Enable Block Aggressive Crawlers & WP Paths

Turn on the main toggle to activate this protection module. Once enabled, Ultimate Security applies the crawler and path protection rules you select below. The section has Enable All and Disable All buttons for quick bulk control, plus an individual toggle for each rule.

Aggressive Crawlers

This section blocks known crawlers and bots that may heavily scan your website, consume bandwidth, or collect data aggressively.

(Screenshot: aggressive crawlers list in WAF rules)

Available Rules:

  • Yandex (Safe to block unless you target Russian-speaking audiences.)
  • Sogou (Safe to block unless you target Chinese-speaking audiences.)
  • SEMrush (If you use SEMrush, allow it in Allow Good Bots instead.)
  • Ahrefs (If you use Ahrefs, allow it in Allow Good Bots instead.)
  • Baidu (Safe to block unless you need Chinese search visibility.)
  • Neevabot (Safe to block because the service is no longer operational.)

Generic Bot Patterns

This section blocks suspicious requests that match common bot-related patterns.

(Screenshot: generic bot patterns in WAF rules)

Available Rules:

  • Python Requests (Blocks the default python-requests User-Agent. Legitimate integrations normally send a custom agent. A script that sets its own User-Agent passes this rule, so it cuts scanning noise rather than stopping a determined attacker.)
  • Generic “crawl” in User-Agent (Blocks User-Agents containing “crawl”, except bots that Cloudflare has verified.)
  • Generic “bot” in User-Agent (Blocks User-Agents containing “bot”, except bots that Cloudflare has verified. This is a substring match: Googlebot and Bingbot are exempt because Cloudflare verifies them, but unverified uptime monitors, link checkers and your own integrations with “Bot” in their name will be blocked. Monitor for false positives.)
  • Generic “spider” in User-Agent (Blocks User-Agents containing “spider”, except bots that Cloudflare has verified.)

Exploit Scanners

This section blocks well-known vulnerability scanners and penetration testing tools commonly used by attackers.

(Screenshot: exploit scanners in WAF rules)

Available Rules

  • Nikto (Blocks requests carrying the Nikto vulnerability scanner’s User-Agent.)
  • SQLMap (Blocks requests carrying the sqlmap SQL injection tool’s User-Agent.)
  • Masscan (Blocks requests carrying the Masscan network scanner’s User-Agent.)
  • Nmap (Blocks requests carrying the Nmap Scripting Engine’s User-Agent.)

These rules match the tools’ default User-Agent strings, so they stop untargeted mass scans. All of these tools let the operator set a browser User-Agent, and a request that does so passes this section; the Attack Patterns rules below inspect the request itself rather than who claims to send it.

WordPress Path Protection

This section protects sensitive WordPress files and endpoints that attackers frequently target.

(Screenshot: WordPress path protection in WAF rules)

Available Rules

  • Block XML-RPC (Blocks access to the xmlrpc.php endpoint. Helps prevent brute-force attacks via system.multicall and pingback abuse. Jetpack, the WordPress mobile apps and some remote-publishing clients still use XML-RPC; confirm nothing you rely on needs it before enabling.)
  • Block wp-config (Blocks attempts to access the wp-config.php file. A correctly configured server executes the file rather than serving it, but editor and backup copies such as wp-config.php.bak can be served as plain text; use Preview Rules to check whether the generated expression also covers those names.)
  • Block WP-JSON (REST API) (Restricts access to the /wp-json/ endpoint. The block editor, the admin area and many plugins call the REST API from the browser, so blocking it at the edge for everyone breaks them; review the generated expression with Preview Rules and make sure your own sessions are exempt before deploying. Note that WordPress also serves the REST API at /?rest_route=…, which a path-only rule does not cover.)
  • Block install.php (Blocks wp-admin/install.php to reduce the risk of reinstallation exposure on production sites.)
  • Block WLW Manifest (Blocks wlwmanifest.xml, a Windows Live Writer manifest that mostly exposes WordPress metadata and is a common fingerprinting probe. Safe to block.)
  • Block readme.html (Blocks readme.html, which reveals your WordPress version.)
  • Block license.txt (Blocks license.txt to reduce WordPress fingerprinting and information disclosure.)

Attack Patterns

This section blocks requests commonly associated with advanced attack techniques.

(Screenshot: attack patterns in WAF rules)

Available Rules

  • Time-delay / Blind SQLi Primitives (Blocks time-based blind SQL injection payloads such as pg_sleep() and WAITFOR DELAY, the primitives an attacker uses to confirm injection when the page shows no error.)
  • Encoded Path Traversal / LFI (Blocks URL-encoded path traversal sequences such as %2e%2e%2f, the encoded form of ../, aimed at files like /etc/passwd, and similar local file inclusion probes.)

Enable both rules for improved WAF coverage: they match on the request content, so they also catch attackers who spoof a browser User-Agent to slip past the scanner rules above.

Deploy to Cloudflare

After configuring these rules, you must save and deploy them to make them active on Cloudflare.

(Screenshot: deploy to Cloudflare from WAF settings)

Deploy Rules: pushes your saved settings to Cloudflare and activates them live.
Preview Rules: shows the exact rule expressions that will be generated. Review them before deploying.
Remove Plugin Rules: removes all WAF rules created by this plugin from Cloudflare.
Zone Selector: choose which Cloudflare domain (zone) to deploy to.

How Deployment Works From the Plugin:

  1. Save your WAF settings first using the Save Changes button at the bottom of the page
  2. Select the Cloudflare zone you want to protect
  3. Preview Rules shows the current draft output, including source tags for each generated rule
  4. Deploy Rules pushes only the saved plugin-managed rules and preserves unrelated Cloudflare rules

The plugin only manages its own rules. It won’t delete or overwrite any rules you created manually in Cloudflare.
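The deployment steps above (save, preview with source tags, deploy only the plugin-managed rules, leave manual rules alone) come down to one merge over the zone’s existing custom ruleset. The Python below is an added example of that merge, not the plugin’s code: it assumes managed rules are recognised by a tag prefix in the rule description, and the tag `[ultimate-security]`, the settings keys, the `CATALOGUE` expressions and the sample `EXISTING` ruleset are all this example’s own. The endpoint named in `entrypoint_payload` is Cloudflare’s custom-rules entry point; the example builds the request body and does not send it.

```python
"""Merging plugin-managed rules into a zone's existing custom ruleset.
Added example, not the plugin's code: the tag, settings keys, expressions and
sample ruleset are assumptions; Preview Rules shows the plugin's real output."""

TAG = "[ultimate-security]"  # assumed marker for plugin-managed rules

# Expressions in Cloudflare's rules language, one per toggle (example's own).
CATALOGUE = {
    "block_xmlrpc": ('http.request.uri.path eq "/xmlrpc.php"', "wp-paths/xmlrpc"),
    "block_wp_config": ('http.request.uri.path contains "wp-config"', "wp-paths/wp-config"),
    "block_python_requests": ('starts_with(lower(http.user_agent), "python-requests")',
                              "generic/python-requests"),
    "block_generic_bot": ('lower(http.user_agent) contains "bot" and not cf.client.bot',
                          "generic/bot"),
}


def is_managed(rule, tag=TAG):
    return rule.get("description", "").startswith(tag)


def build_managed_rules(settings, tag=TAG):
    """Turn the saved toggles into rule objects; the description carries the
    tag plus a source tag naming the toggle that produced the rule."""
    rules = []
    for key, (expression, source) in CATALOGUE.items():
        if settings.get(key):
            rules.append({"action": "block", "enabled": True,
                          "expression": expression,
                          "description": f"{tag} {source}"})
    return rules


def merge_rules(existing, managed, tag=TAG):
    """Drop the plugin's previous rules, keep every manual rule untouched
    (including its id, so Cloudflare updates rather than recreates it), and
    append the fresh managed set after the manual rules so that manual skip
    rules, such as an allow-list for verified bots, are evaluated first."""
    manual = [rule for rule in existing if not is_managed(rule, tag)]
    return manual + managed


def remove_plugin_rules(existing, tag=TAG):
    """Equivalent of the Remove Plugin Rules button."""
    return [rule for rule in existing if not is_managed(rule, tag)]


def entrypoint_payload(rules):
    """Body for PUT /zones/{zone_id}/rulesets/phases/http_request_firewall_custom/entrypoint."""
    return {"rules": rules}


# Constructed sample of a zone's existing custom ruleset, not real data.
EXISTING = [
    {"id": "a1", "action": "skip", "expression": "cf.client.bot",
     "action_parameters": {"ruleset": "current"},
     "description": "allow verified bots (manual)"},
    {"id": "b2", "action": "block", "expression": 'http.user_agent contains "oldbot"',
     "description": f"{TAG} generic/stale-rule-from-last-deploy"},
    {"id": "c3", "action": "block", "expression": 'ip.geoip.country eq "KP"',
     "description": "geo block (manual)"},
]

SAVED_SETTINGS = {"block_xmlrpc": True, "block_generic_bot": True,
                  "block_python_requests": False, "block_wp_config": True}

if __name__ == "__main__":
    import json
    merged = merge_rules(EXISTING, build_managed_rules(SAVED_SETTINGS))
    print(json.dumps(entrypoint_payload(merged), indent=2))
```

The two properties worth confirming in Preview Rules before you deploy are visible in the output: the stale plugin rule from the last deploy is replaced rather than duplicated, and the manual rules keep their ids and their place ahead of the plugin’s blocks, so a manual skip rule still runs first.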
