References: "Cloudflare WAF 防护策略简易指南" (A Quick Guide to Cloudflare WAF Protection Rules) and "Cloudflare Firewall Rules for Securing WordPress Websites".
The core idea: unconditionally allow verified bots and trusted IPs; challenge or block specific ASNs or IPs (the ones seen posting spam comments); based on the site's stack (e.g. WordPress), deny access to certain URIs; and apply a JS challenge to comment submissions.
SKIP:
(cf.verified_bot_category in {"Search Engine Crawler" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "Feed Fetcher" "AI Crawler" "Aggregator"} and not http.user_agent contains "MJ12bot" and not http.user_agent contains "DataForSeoBot" and not http.user_agent contains "CensysInspect" and not http.user_agent contains "Semrush") or (ip.geoip.asnum in {15169})
You can also add your own additional IPs here.
Managed Challenge:
(cf.threat_score gt 10 and not (http.referer contains "google.com" or http.referer contains "bing.com" or http.referer contains "yahoo.com")) or (ip.geoip.country in {"T1" "RU"}) or (ip.geoip.asnum in {48282 35048 24940 216071})
When Cloudflare rates an IP's threat score as high, require that the visit came via a common search engine (i.e. carries a matching referer). IPs from Russia, especially vdsina, produce a very large number of spam comments, and adding reCAPTCHA did not help much. Add IPs and ASNs as your own traffic requires.
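To make the referer exemption testable, here is an added Python model of the Managed Challenge rule's logic (example code, not from the page or from Cloudflare); the Request dataclass and function names are assumptions standing in for Cloudflare's request fields. It compares the intended "not from any listed search engine" check against a common miswrite, three separate `not http.referer contains` clauses joined by `or`, which challenges every high-score request because no referer contains all three domains.

```python
"""Added example: Python model of the Managed Challenge rule's boolean logic.

Cloudflare evaluates the real expression at the edge; this only mirrors the
logic so both referer variants can be compared on constructed requests.
"""
from dataclasses import dataclass

SEARCH_REFERERS = ("google.com", "bing.com", "yahoo.com")
CHALLENGE_COUNTRIES = {"T1", "RU"}          # ip.geoip.country values from the rule
CHALLENGE_ASNS = {48282, 35048, 24940, 216071}  # ip.geoip.asnum values from the rule
THREAT_THRESHOLD = 10                        # cf.threat_score gt 10


@dataclass
class Request:
    """Assumed stand-in for the Cloudflare request fields the rule reads."""
    threat_score: int
    referer: str = ""
    country: str = "US"
    asnum: int = 0


def from_search_engine(req: Request) -> bool:
    """True if the referer names any of the listed search engines."""
    return any(domain in req.referer for domain in SEARCH_REFERERS)


def challenge_intended(req: Request) -> bool:
    """Challenge a high-score request unless it came from a listed search engine,
    plus the country and ASN clauses, which apply regardless of score."""
    high = req.threat_score > THREAT_THRESHOLD
    return (
        (high and not from_search_engine(req))
        or req.country in CHALLENGE_COUNTRIES
        or req.asnum in CHALLENGE_ASNS
    )


def challenge_miswritten(req: Request) -> bool:
    """The pitfall: one 'not referer contains X' clause per engine, joined by
    'or'. A Google referer still fails the Bing and Yahoo clauses, so every
    high-score request is challenged and the exemption never applies."""
    high = req.threat_score > THREAT_THRESHOLD
    return (
        (high and "google.com" not in req.referer)
        or (high and "bing.com" not in req.referer)
        or (high and "yahoo.com" not in req.referer)
        or req.country in CHALLENGE_COUNTRIES
        or req.asnum in CHALLENGE_ASNS
    )


if __name__ == "__main__":
    # Constructed sample: high-score visitor arriving from a Google search.
    sample = Request(threat_score=20, referer="https://www.google.com/search?q=wp")
    print(challenge_intended(sample), challenge_miswritten(sample))  # False True
```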
Block:
(not cf.client.bot and cf.threat_score gt 15 and ip.geoip.asnum in {59055 59054 59053 59052 59051 59028 45104 45103 45102 37963 34947 211914 134963 63727 63655 61348 55990 269939 265443 206798 206204 200756 149167 141180 140723 139144 139124 136907 131444 45090 137876 133478 132591 132203}) or (http.user_agent contains "Abonti") or (http.user_agent contains "admantx") or (http.user_agent contains "aipbot") or (http.user_agent contains "AllSubmitter") or (http.user_agent contains "Backlink") or (http.user_agent contains "backlink") or (http.user_agent contains "Badass") or (http.user_agent contains "Bigfoot") or (http.user_agent contains "blexbot") or (http.user_agent contains "CherryPicker") or (http.user_agent contains "cloudsystemnetwork") or (http.user_agent contains "cognitiveseo") or (http.user_agent contains "Collector") or (http.user_agent contains "CrazyWebCrawler") or (http.user_agent contains "Crescent") or (http.user_agent contains "Devil") or (http.user_agent contains "spider") or (http.user_agent contains "stat") or (http.user_agent contains "Appender") or (http.user_agent contains "Crawler") or (http.user_agent contains "DittoSpyder") or (http.user_agent contains "Konqueror") or (http.user_agent contains "Easou") or (http.user_agent contains "Yisou") or (http.user_agent contains "Etao") or (http.user_agent contains "mail" and http.user_agent contains "olf") or (http.user_agent contains "exabot.com") or (http.user_agent contains "getintent") or (http.user_agent contains "Grabber") or (http.user_agent contains "GrabNet") or (http.user_agent contains "HEADMasterSEO") or (http.user_agent contains "heritrix") or (http.user_agent contains "htmlparser") or (http.user_agent contains "hubspot") or (http.user_agent contains "Jyxobot") or (http.user_agent contains "kraken") or (http.user_agent contains "larbin") or (http.user_agent contains "ltx71") or (http.user_agent contains "leiki") or (http.user_agent contains "Magnet") or (http.user_agent contains "Mag-Net") or (http.user_agent contains "Mechanize") or (http.user_agent contains "MegaIndex") or (http.user_agent contains "Metasearch") or (http.user_agent contains "MJ12bot") or (http.user_agent contains "moz.com") or (http.user_agent contains "Navroad") or (http.user_agent contains "Netcraft") or (http.user_agent contains "niki-bot") or (http.user_agent contains "NimbleCrawler") or (http.user_agent contains "Nimbostratus") or (http.user_agent contains "Ninja") or (http.user_agent contains "Openfind") or (http.user_agent contains "Analyzer") or (http.user_agent contains "Pixray") or (http.user_agent contains "probethenet") or (http.user_agent contains "proximic") or (http.user_agent contains "psbot") or (http.user_agent contains "RankActive") or (http.user_agent contains "RankingBot") or (http.user_agent contains "RankurBot") or (http.user_agent contains "SalesIntelligent") or (http.user_agent contains "Semrush") or (http.user_agent contains "SEOkicks") or (http.user_agent contains "spbot") or (http.user_agent contains "SEOstats") or (http.user_agent contains "Snapbot") or (http.user_agent contains "Stripper") or (http.user_agent contains "Siteimprove") or (http.user_agent contains "sitesell") or (http.user_agent contains "Siphon") or (http.user_agent contains "Sucker") or (http.user_agent contains "TenFourFox") or (http.user_agent contains "TurnitinBot") or (http.user_agent contains "trendiction") or (http.user_agent contains "twingly") or (http.user_agent contains "VidibleScraper") or (http.user_agent contains "WebLeacher") or (http.user_agent contains "WebmasterWorldForum") or (http.user_agent contains "webmeup") or (http.user_agent contains "Webster") or (http.user_agent contains "Widow") or (http.user_agent contains "Xaldon") or (http.user_agent contains "Xenu") or (http.user_agent contains "xtractor") or (http.user_agent contains "Zermelo") or (http.user_agent contains "BotPoke") or (http.user_agent contains "AhrefsBot")
Blocks the listed ASNs, SEO bots, and similar crawlers.
(http.request.uri.path contains "/.git") or (http.request.uri.path contains "/cgi-bin") or (http.request.uri.path contains "/.DS_Store") or (http.request.uri.path contains "/.env") or (http.request.uri.path contains "/xmlrpc.php") or (http.user_agent contains "mj12bot.com") or (http.user_agent contains "Go-http-client")
Blocks access to sensitive or abused URIs.
JS Challenge:
(http.request.uri.path contains "/wp-comments-post.php" and cf.threat_score gt 5)
Well suited to /wp-login.php and /wp-comments-post.php.