How To Protect Joomla! with CloudFlare Firewall Rules

Note: Rules on this page are updated from time to time. Last update: March 25,2024.

OVERVIEW

CloudFlare recently added Firewall Rules to all accounts, including free accounts. The rules shown below can help protect Joomla against common attacks for both known and undisclosed vulnerabilities.

CLOUDFLARE FIREWALL RULES TO PROTECT JOOMLA!

For more detailed information on how CloudFlare Firewall Rules work, and how to set them up, please read the main article, How To Protect WordPress with CloudFlare Firewall Rules.

Here are some recommended CloudFlare Firewall Rules to start with as protection for your Joomla! web site.  Copy and paste these into three separate firewall rules, and set the Actions as shown.

• Unwanted Bots and User Agents:
  Action: Block
  Rule:

  (cf.threat_score gt 14) or 
  (len(http.user_agent) == 0) or (len(http.user_agent) > 500) or 
  ((http.user_agent contains "\\;") and (http.user_agent contains "\\(") and (http.user_agent contains "\\)")) or 
  (http.user_agent contains "?%00") or 
  (http.user_agent contains "$[") or 
  (http.user_agent contains "${") or 
  (http.user_agent contains "()") or 
  (http.user_agent contains "{}") or 
  (http.user_agent contains "alert(") or 
  (http.user_agent contains "AhrefsBot") or 
  (http.user_agent contains "AwarioBot") or 
  (http.user_agent contains "baidu") or 
  (http.user_agent contains "/bin/bash") or 
  (http.user_agent contains "Bytespider") or 
  (http.user_agent contains "Censys") or 
  (lower(http.user_agent) contains "curl") or 
  (http.user_agent contains "coccocbot") or 
  (http.user_agent contains "Copier") or 
  (http.user_agent contains "Cyotek") or 
  (http.user_agent contains "DavClnt") or 
  (http.user_agent contains "DnyzBot") or 
  (http.user_agent contains "DotBot") or 
  (http.user_agent contains "ownload") or 
  (http.user_agent contains "drag") or 
  (http.user_agent contains "echo ") or 
  (lower(http.user_agent) contains "email") or 
  (http.user_agent contains "eval(") or 
  (http.user_agent contains "env:") or 
  (http.user_agent contains "Expanse,") or 
  (lower(http.user_agent) contains "fuzz") or 
  (http.user_agent contains "GPTBot") or 
  (http.user_agent contains "GRequest") or 
  (http.user_agent contains "uzzle") or 
  (http.user_agent contains "havij") or 
  (http.user_agent contains "eadless") or 
  (http.user_agent contains "Hello") or 
  (http.user_agent contains "http-clien") or 
  (http.user_agent contains "HTTrac") or 
  (http.user_agent contains "hydra") or 
  (http.user_agent contains "ImagesiftBot") or 
  (http.user_agent contains "jdni") or 
  (http.user_agent contains "Kinza") or 
  (http.user_agent contains "nowledge") or 
  (http.user_agent contains "ldap") or 
  (http.user_agent contains "LieBaoFast") or 
  (http.user_agent contains "Lua") or 
  (http.user_agent contains "lx71") or 
  (http.user_agent contains "masscan") or 
  (http.user_agent contains "Protocol Disc") or 
  (http.user_agent contains "MicroMess") or 
  (http.user_agent contains "tible; MSIE 3.") or (http.user_agent contains "tible; MSIE 4.") or (http.user_agent contains "tible; MSIE 5.") or (http.user_agent contains "tible; MSIE 6.") or 
  (http.user_agent contains "zilla/2.") or (http.user_agent contains "zilla/3.") or 
  (http.user_agent contains "My User Agent") or 
  (http.user_agent contains "NetSystemsRes") or 
  (http.user_agent contains "Nikto") or 
  (http.user_agent contains "Nimbostrat") or 
  (http.user_agent contains "nmap") or 
  (http.user_agent contains "mgili/") or 
  (http.user_agent contains "OPPO") or 
  (http.user_agent contains "pangolin") or 
  (http.user_agent contains "PetalBot") or 
  (http.user_agent contains "pdrlabs") or 
  (http.user_agent contains "plesk") or 
  (lower(http.user_agent) contains "python") or 
  (http.user_agent contains "QQBrowser") or 
  (http.user_agent contains "SeznamBot") or 
  (http.user_agent contains "craper") or
  (http.user_agent contains "crapr") or 
  (http.user_agent contains "script ") or 
  (http.user_agent contains "SeekportBot") or 
  (http.user_agent contains "SiteSucker") or 
  (http.user_agent contains "Sogou") or 
  (http.user_agent contains "speigel") or 
  (http.user_agent contains "SeznamBot") or 
  (http.user_agent contains "Sogou") or 
  (http.user_agent contains "spinner") or 
  (http.user_agent contains "Uptimebot") or 
  (http.user_agent contains "WebDAV-MiniRe") or 
  (http.user_agent contains "WebZip") or 
  (http.user_agent contains "WinHttp.WinHttpReq") or 
  (http.user_agent contains "wp_is_mobile") or 
  (http.user_agent contains "YaBrowser") or 
  (http.user_agent contains "Yandex") or 
  (http.user_agent contains "Yowser") or 
  (lower(http.user_agent) contains "zmeu") or 
  (http.user_agent contains "zgrab")
  

• Content Protection:
  Action: Block
  Rule:

  (not http.request.method in {"GET" "POST" "HEAD"}) or 
  (http.request.uri.path contains ".js.map") or 
  (lower(http.request.uri.path) contains "phpmyadmin") or 
  (http.request.uri.path contains "/tdw") or 
  (http.request.uri.query contains "=/tdw") or 
  (lower(http.request.uri.path) contains "thinkphp") or 
  (lower(http.request.uri.path) contains "/phpunit") or 
  (raw.http.request.uri contains "../") or (raw.http.request.uri contains "..%2F") or 
  (http.request.uri contains "passwd") or 
  (http.request.uri contains "/var/log/") or 
  (http.request.uri contains "/dfs/") or 
  (http.request.uri contains "/autodiscover/") or 
  (http.request.uri contains "/wpad.") or 
  (http.request.uri contains "wallet.dat") or 
  (http.request.uri contains "webconfig") or 
  (http.request.uri contains "vuln.") or 
  (http.request.uri contains ".sql") or 
  (http.request.uri contains ".svn") or 
  (http.request.uri contains ".bak") or 
  (http.request.uri contains ".cfg") or 
  (http.request.uri contains ".env") or 
  (http.request.uri contains ".ini") or 
  (http.request.uri contains ".log") or 
  (http.request.uri.query contains "bin.com/") or 
  (http.request.uri.query contains "bin.net/") or 
  (raw.http.request.uri.query contains "?%00") or 
  (http.request.uri.query contains "eval(") or 
  (http.request.uri.query contains "base64") or 
  (http.request.uri.query contains "var_dump") or 
  (http.request.uri.query contains "<script") or (raw.http.request.uri.query contains "%3Cscript") or 
  (http.request.uri contains "<?php") or (http.cookie contains "<?php") or 
  (http.cookie contains "<script") or (http.referer contains "%3Cscript") or 
  (http.cookie contains"() {") or (http.cookie contains "base64") or 
  (http.cookie contains "var_dump") or 
  (upper(http.request.uri.query) contains "$_GLOBALS[") or 
  (upper(http.request.uri.query) contains "$_REQUEST[") or 
  (upper(http.request.uri.query) contains "$_POST[") or 
  (http.request.method == "SSTP_DUPLEX_POST") or 
  any(lower(http.request.headers.names[*])[*] eq "accept-charset") or 
  any(lower(http.request.headers.values[*])[*] contains "php://") or 
  any(lower(http.request.headers.values[*])[*] contains "phar://") or 
  (http.request.uri.query contains "JDatabaseDriverMysql") or 
  (http.request.uri.query contains "proc/self/environ") or 
  (http.request.uri.query contains "mosConfig_") or 
  (http.request.uri.query contains "template=") or 
  (upper(http.request.uri.query) contains "UNION ALL ") or (upper(raw.http.request.uri.query) contains "UNION%20ALL%20") or 
  (upper(http.request.uri.query) contains "UNION SELECT ") or (upper(raw.http.request.uri.query) contains "UNION%20SELECT%20") or 
  (upper(http.request.uri.query) contains "INSERT INTO ") or (upper(raw.http.request.uri.query) contains "INSERT%20INTO%20") or 
  (upper(http.request.uri.query) contains "DELETE FROM ") or (upper(raw.http.request.uri.query) contains "DELETE%20FROM%20")
  

  Notes:

  1. If you use any extensions that use a REST API, you might want to remove (not http.request.method in {“GET” “POST” “HEAD”}) or from the first line.
  2. Although it is included above, searching for signs of SQL Injection attacks like UNION ALL and SELECT won’t catch much because it is easy to mix comments into those strings and still be valid SQL. For example, SE/* */LECT * F/* */ROM table; and S/* This */E/* is */L/* ignored */E/* ! */C/* 1 */T * FR/* 2 */OM table; are both seen by an SQL server as SELECT * FROM table;If you have a Pro CloudFlare account or better, you are better off enabling the Cloudflare Web Application Firewall service to block SQL Injection attacks instead of rolling your own.
• Login Protection:
  Action: Interactive Challenge / Challenge (Captcha)
  Rule:

  (http.request.uri.path contains "/administrator")
  

TROUBLESHOOTING

If you see strange behavior with your web site after enabling any firewall rules, use these steps to try to track down the problem.

• Click on any event with a Service column labeled “Firewall rule” to view details of the event.  This will show you which firewall rule triggered the event.  Hover your pointer over the Rule ID to reveal a Filter button.  Clicking the Filter button will take you directly to the editor for that Firewall Rule.  If you still can’t figure out what is triggering a firewall event, try the following steps.
• Disable all your firewall rules (toggle the switch next to each rule) and see if the problems go away. Your IP address should not be showing up in any new firewall events listed in the Events tab.
• Next, re-enable each firewall rule one at a time, testing your web site after re-enabling each one. When the problem on your web site returns, you know you have found the rule causing the problem.
• Next, use the Expression Editor to copy-and-paste the entire rule that is causing the problem to a temporary document. Then, use the Expression Builder to delete individual lines from the rule, and save the rule after each line you delete. Check your web site to see if the problem went away. If it did, you found the line causing the problem. If not, continue deleting lines, saving, and testing your web site until you find the line causing the problem.
• Once you have isolated the problem, use the Expression Editor to restore the original rule from your temporary copy. Then delete the one line that was causing the problem. Save the edited rule and verify the problem has gone away. If not, more than one line may be causing a problem, most likely a line after the one you deleted. Repeat the previous procedure until you find the new line causing the problem.
• Rather than just eliminating the line that caused the problem, see if you can make a more specific filter.  This will protect your web site without causing problems for normal web server traffic.

FURTHER READING

Check out the CloudFlare Firewall Rules documentation for more information and ideas on how to put this powerful feature to work.

MORE PROTECTION

These firewall rules will stop a lot of attacks on your web site. Just return to your CloudFlare account in a 24 hours and look at the Firewall Events log at the bottom of the Firewall page. You will see at least a dozen attacks blocked by these rules. Don’t take it personally, these attackers most likely do not know you.

However, this is not 100% protection for your Joomla! web site. Some additional things you can do to protect your site are:

• Keep Joomla!, your templates and extensions up-to-date.
• Review and follow the advice given in the Joomla! Security documentation.
• Keep abreast of new Joomla! security concerns by following the Joomla! Security Centre web site.
• Install and configure server level protection, such as mod_security, Fail2Ban, and bad bot blockers. Note: If you aren’t running your own web server, your web hosting company should be taking care of server level protection for you.
• Read more details on what fields and expressions are possible with CloudFlare’s firewall rules.
• Cloudflare offers a paid Web Application Firewall service which is a like having the firewall rules outlined in this article, plus many more, all kept up-to-date by their engineers.