When using Cloudflare there are some easy things you can do to help prevent abuse of your WordPress website. Malicious users run automated programs that query search engines like Google with specific search terms. For example, most High Availability WordPress Servers use register.php to register new users. A simple Google search for “Buy clothes register.php” brings up a huge list of WordPress websites in the clothing niche. Once a malicious user has a list of websites to target, they can use automated programs to create accounts on those WordPress sites. In this guide, we will learn how to use Cloudflare to stop automated registrations and spam comments on WordPress.
Stop WordPress Spam Comments
The process is the same for spam comments on WordPress. Automated tools post comments, usually containing hyperlinks back to the spammer's website. The theory is that links from your site will help them gain search engine rankings, and there is some truth to that. However, the more spam comments your website carries, the less attractive it is to search engines. Eventually this harms your rankings, and that filters through to the sites linked from those spam comments too. So how do you stop abusive registrations and automated comment posting on WordPress?
Cloudflare Firewall Rules
Since you are using Cloudflare, you can block this abusive behaviour before it reaches your WordPress website. Cloudflare sits between the user and the server, so it is ideally positioned to handle this. There are other options, such as Google reCAPTCHA; unfortunately, if you are using a custom WordPress theme, that option might not be available without modifying the theme. Log in to Cloudflare and navigate to “Security > WAF”. This is the Cloudflare firewall. You can add up to five rules on the free plan, which is more than enough for this.
Create Cloudflare Firewall Rules
All WordPress websites use the same pages to post comments and register users. There is limited scope for these pages to differ if you use a custom theme, but for the most part all WordPress websites are the same, so we need to add protection to the following pages.
- /contact.php
- /comments-post.php
We also need to protect against automated registrations, so we can use a match on the query string to apply a CAPTCHA or challenge to any URL containing the word “register”. Add a new rule in Cloudflare WAF with the rules below. Copy them exactly and click “Save and Deploy”.
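As an added example (not part of this guide): the two rules above written in Cloudflare's own expression syntax, together with a small Python check that applies the same matching to constructed sample access-log lines, so you can see which requests would be challenged before deploying. The Managed Challenge action and the sample log lines are assumptions; note that the "register" rule also catches legitimate pages whose URL contains that word.

```python
import re
from typing import List, Optional, Tuple

# Cloudflare WAF custom-rule expressions, as pasted into
# Security > WAF > Custom rules. http.request.uri.path is the path without
# the query string; http.request.uri includes the query; lower() folds case.
# Action for both (an assumption): Managed Challenge.
RULES = [
    ("Challenge comment/contact form posts",
     '(http.request.uri.path eq "/contact.php") or '
     '(http.request.uri.path eq "/comments-post.php")'),
    ("Challenge any registration URL",
     'lower(http.request.uri) contains "register"'),
]

# Constructed sample log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "POST /comments-post.php HTTP/1.1" 200 512
203.0.113.6 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php?action=Register HTTP/1.1" 200 2048
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /blog/buy-clothes/ HTTP/1.1" 200 9000
203.0.113.8 - - [01/Jan/2024:10:00:03 +0000] "POST /contact.php HTTP/1.1" 200 300
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /register-your-interest/ HTTP/1.1" 200 7000
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def matching_rule(uri: str) -> Optional[str]:
    """Return the description of the first rule in RULES that the request
    URI matches, mirroring the Cloudflare expressions above (rules are
    evaluated in order and the first challenge action wins)."""
    path = uri.split("?", 1)[0]          # http.request.uri.path
    if path in ("/contact.php", "/comments-post.php"):
        return RULES[0][0]
    if "register" in uri.lower():        # lower(http.request.uri) contains
        return RULES[1][0]
    return None


def challenged_requests(log: str) -> List[Tuple[str, str]]:
    """Return (uri, rule description) for each log line a rule would catch."""
    hits = []
    for line in log.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        rule = matching_rule(match.group("uri"))
        if rule:
            hits.append((match.group("uri"), rule))
    return hits
```

The last sample line shows the over-match: a page slug like /register-your-interest/ gets the challenge too, so check your own URLs before deploying the second rule.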
Monitor WordPress Website
Once your firewall rules are in place, they should stop automated signups. After some time you should start to see in Cloudflare the number of automated signups and spam comments blocked. In this example, we added these firewall rules 8 hours ago, and they have already blocked 49 attempts to register accounts and post spam comments.