Post by RonW » Wed Nov 11, 2020 2:26 am

To all Experts,

I always find on Google search Cloudflare >> Firewall Rules for WordPress sites.

Looking for Opencart v3 Cloudflare >> Firewall Rules.

Below are the rules for WP; if anybody can convert them to the Opencart requirements, it will be helpful.

"WP rules quote"

1. (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")

2. (http.request.uri.path contains "/wp-login.php")

3. (http.request.uri.path contains "/xmlrpc.php")

4. (http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "" and not

5. (http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "")

Don't Forget to Allow your own IP address using the "Tools" Tab.

"WP rules Unquote"

If anybody can't, please don't skip this issue by giving any reason, just try to understand why Opencart can't have such CloudFlare >> Firewall rules.






Post by IP_CAM » Thu Nov 12, 2020 3:57 am

Well, you forgot to mention how much this would be worth to
you to know. Experts usually don't come for free ... :D

I am no longer active at the Forum. Please do NOT send me Personal Mails,
they will no longer be replied to.
My Github OC Site:
4'160 + FREE OC Extensions, on the World's largest Github OC Repository Archive Site.


Post by head_dunce » Sat Nov 21, 2020 8:22 pm

I haven't found the need to set up much in the firewall rules, although I have fail2ban running and making API calls to Cloudflare when it finds something it doesn't like. In talking with Cloudflare, it seems I may need to set up a rule to challenge anyone using X-Forwarded-For because I'm seeing some weird things with the odd cases where that's used, but I'm still gathering data on that for now.
Aside from turning on the built-in firewall options, I do find blocking the nasty ASNs in Firewall > Tools to be very effective. I would suggest blocking these ASNs -
I also have all countries outside of my targeted audiences set up to be JavaScript challenged via Firewall > Tools. You could set up a firewall rule to do this, but I just put them in one by one. The country code list is here - ... A0FOWD2bbZ
And I'd suggest setting the rate limit under Firewall > Tools. I currently have it set at 250 requests per 10 seconds, JS Challenge, which seems to be working well.
Hope that helps.

Yahoo Store since 2006 moved to OpenCart on January 24, 2020


Post by head_dunce » Sun Nov 29, 2020 9:26 pm

So I changed this up a bit, figured I'd update this post to help anyone else.
The problem was that the images for my marketing emails were getting blocked for people who were outside of my targeted countries. The images were getting a JS challenge, but because they were being loaded in emails, that browser-based challenge was not happening and the images were just blocked. Also, because the countries were set in Firewall > Tools, the priority seemed to be over Firewall > Rules, so I had to make some changes to the setup.
First, I removed all the country challenges from Firewall > Tools.
Next set up a Firewall > Rule of ( ne "US" and ne "CA") to JS Challenge with priority 2000
And also set up a Firewall > Rule of (http.request.uri.path contains "/newsletter/") to Allow with a priority 1000
This now allows all the email images which are in the folder /newsletter/ to load for everyone (nothing else is in the folder.) And if you visit the web site outside of the US or Canada you get a JS Challenge screen that does a quick browser check.

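The priority ordering described in the last post, as an added example that is not part of the original thread: a toy Python model of the two rules, showing why the Allow rule at priority 1000 has to sit ahead of the country JS Challenge at 2000. It assumes the lowest priority number is evaluated first and the first matching rule decides the action; the `country` key, the sample requests and all function names are constructed for this sketch.

```python
# Toy model of priority-ordered firewall rules (added illustration, not Cloudflare code).
# Assumption: lowest priority number is evaluated first and the first matching
# rule decides the action, which is what the setup in the post relies on.

def outside_targets(req):
    # Stand-in for the post's country rule (ne "US" and ne "CA");
    # "country" is a constructed key, not a Cloudflare field name.
    return req["country"] not in ("US", "CA")

def newsletter_path(req):
    # Mirrors: http.request.uri.path contains "/newsletter/"
    return "/newsletter/" in req["path"]

# (priority, action, matcher) as described in the post
RULES = [
    (2000, "js_challenge", outside_targets),
    (1000, "allow", newsletter_path),
]

# Same rules with the priorities exchanged, to reproduce the blocked-image problem
SWAPPED = [
    (1000, "js_challenge", outside_targets),
    (2000, "allow", newsletter_path),
]

# Constructed sample requests
SAMPLES = {
    "email image, DE": {"country": "DE", "path": "/newsletter/banner.jpg"},
    "storefront, DE": {"country": "DE", "path": "/index.php"},
    "storefront, US": {"country": "US", "path": "/index.php"},
}

def evaluate(req, rules):
    """Return the action of the first matching rule in priority order."""
    for _priority, action, matches in sorted(rules, key=lambda r: r[0]):
        if matches(req):
            return action
    return "pass"  # no rule matched; the request goes through unchallenged

def report(rules):
    """Evaluate every sample request against one rule set."""
    return {name: evaluate(req, rules) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for label, rules in (("as posted", RULES), ("priorities swapped", SWAPPED)):
        print(label, report(rules))
```

With the priorities swapped, the email image from outside the US and Canada receives a JS Challenge that a mail client cannot complete, which is the blocked-image symptom the post describes.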