Post by RonW » Wed Nov 11, 2020 2:26 am

To all Expert,

I always found on google search Cloudflare >> Firewall Rules for WordPress site.

Looking for Opencart v3 Cloudflare >> Firewall Rules.

Below are the rules for WP, if anybody can convert to Opencart requirement will be helpful.

"WP rules quote"

1. (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")

2. (http.request.uri.path contains "/wp-login.php")

3. (http.request.uri.path contains "/xmlrpc.php")

4. (http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "" and not

5. (http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "")

Don't Forget to Allow your own IP address using the "Tools" Tab.

"WP rules Unquote"

If anybody can't, please don't skip this issue by giving any reason, just try to understand why Opencart can't have such CloudFlare >> Firewall rules.





Mon Mar 23, 2020 7:19 am

Post by IP_CAM » Thu Nov 12, 2020 3:57 am

Well, you forgot, to mention, how much whis would be worth to
you to know, Experts usually don't come for free ... :D

Please don't send me OC Forum Personal Messages, just contact:
OC LIGHT Test Site:
OC V-PRO Test Site:
My Github OC Site:
2'600+ FREE OC Extensions on the World's largest Github OC Repository Archive Site.

User avatar
Legendary Member


Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by head_dunce » Sat Nov 21, 2020 8:22 pm

I haven't found the need to set up much in the firewall rules, although I have fail2ban running and making API calls to Cloudflare when it finds something it doesn't like. In talking with Cloudflare, it seems I may need to set up a rule to challenge anyone using x-forward-for because I'm seeing some weird things with the odd cases where that's used, but still gathering data on that for now.
Aside from turning on the built in firewall options, I do find blocking the nasty ASN's in the Firewall > Tools to be very effective. I would suggest blocking these ASN's -
I also have all countries outside of my targeted audiences set up to be javascript challenged via Firewall > Tools. You could set up a firewall rule to do this, but I just put them in one by one. The country code list is here - ... A0FOWD2bbZ
And I'd suggest setting the rate limit under Firewall > Tools I currently have it set at 250 requests per 10 seconds, JS Challenge which seems to be working well
Hope that helps

Yahoo Store since 2006 moved to OpenCart on January 24, 2020

Active Member


Thu Apr 04, 2019 11:50 pm
Who is online

Users browsing this forum: No registered users and 3 guests