If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...

 

Blocking Traffic from Specific Sites in Cloudflare

Started by Padsall, Nov 01, 2024, 12:43 AM


Padsall (Topic starter)

Hey team, I'd like to inquire about implementing a referral-based access control mechanism within Cloudflare. Specifically, I'm looking to restrict incoming traffic from a particular domain, domain.com, to our website.
Is it feasible to configure Cloudflare to deny access to users navigating to our site from this specific referring URL, thereby mitigating potential security risks or unwanted traffic?


itaviotojence

Implementing a referral-based access control mechanism in Cloudflare is feasible and can be an effective way to mitigate potential security risks or unwanted traffic. By leveraging Cloudflare's Firewall Rules, you can create a custom rule to block incoming traffic from a specific referring URL, such as domain.com. This can be achieved by setting up a rule that inspects the HTTP Referer header and blocks requests that match the specified domain.

To achieve this, you would need to create a new Firewall Rule in Cloudflare, selecting "HTTP Referer" as the field to inspect, and specifying domain.com as the value to match. You can then set the action to "Block" to deny access to users navigating to your site from this specific referring URL. By doing so, you can effectively restrict unwanted traffic and mitigate potential security risks associated with this particular domain.

ciywizz

It's crucial to streamline your referrer rules for effective traffic management. Instead of employing the "equals =" operator, which demands an exact match of the referrer domain, you should pivot to a more flexible approach. The strict match can be problematic; if there's even a single character deviation, your rule becomes ineffective.

I recommend scrapping all those convoluted rules and implementing a single, straightforward directive: http.referer contains "domain.com" = block. This approach simplifies your configuration significantly.

In essence, this rule states that if the referrer includes the specified domain name in any capacity, it triggers a block. This method not only enhances your site's security but also optimizes the workflow by reducing the number of rules you need to manage.

avaxpartner

When it comes to safeguarding your WordPress installation, it's essential to implement a robust security strategy that prevents malicious loop requests from exploiting the admin-ajax.php endpoint. As a webmaster or security specialist, you can leverage Cloudflare's (CF) rules engine to block unauthorized requests while allowing legitimate traffic from your admin panel, plugins, and search engine crawlers.

To achieve this, you can create a custom rule that filters incoming requests based on specific criteria. Here's an example of how you can configure the rule:

(http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.referer contains "yourdomain.com" and ip.src ne your_server_IP and not cf.client.bot) = block

In this rule, we're using the following conditions:

http.request.uri.path contains "/wp-admin/admin-ajax.php": This checks if the request URL contains the admin-ajax.php endpoint.
not http.referer contains "yourdomain.com": This ensures that the request is not coming from your own domain (i.e., it's not a legitimate request from your site).
ip.src ne your_server_IP: This verifies that the request is not originating from your server's IP address (i.e., it's not a request from your own infrastructure).
not cf.client.bot: This excludes good bots that are whitelisted by Cloudflare's client bot detection.
By combining these conditions, you can effectively block malicious requests that don't meet these criteria while allowing legitimate traffic to pass through.

If you want to take a more aggressive approach and block all requests to the admin-ajax.php endpoint, you can use a simplified version of the rule:

(http.request.uri.path contains "/wp-admin/admin-ajax.php") = block

However, keep in mind that this may break some functionality in your WordPress installation, so it's essential to test and verify the impact of this rule before implementing it in production.

As a best practice, it's recommended to regularly review and update your security rules to ensure they remain effective against emerging threats. By leveraging Cloudflare's rules engine and staying vigilant, you can help protect your WordPress site from malicious activity and ensure a secure online presence.

