Cloudflare WAF

WAF Rules Customizer

Start with my battle-tested 4-rule set, tune it for your site, and copy the expressions straight into Cloudflare. No random rules. Everything is built on a proven base.

Customize My Rules

All 4 rules are pre-configured with sensible defaults. Adjust the options below for your specific setup, then generate your rules.

Cloudflare Enterprise not supported. These rules will not work with Cloudflare Enterprise. Some providers that use Enterprise include Rocket.net (required) and Cloudways (optional). You need direct access to cloudflare.com to add these rules. They will work with Kinsta and WP Engine, though WP Engine may require you to move to their legacy network first.
Rule 1 — Allow Good Bots (Skip / Allow)
Grants unrestricted access to the bot categories you approve. Cloudflare does an excellent job classifying legitimate bots - this rule simply tells it which categories to let through without challenge. Let's Encrypt is always included so SSL renewals never get blocked.
Cloudflare Verified Bot Categories
My recommendation: Enable everything except the AI and SEO categories. For the AI categories, only turn those on if you want AI tools crawling and indexing your content. For Search Engine Optimization (Ahrefs, SEMrush, Moz, etc.), these tools can be extremely aggressive on your server resources. I don't allow them by default; only enable this if you actively subscribe to and use those services on your own site.
Accessibility: Screen readers and assistive technology crawlers. Examples: Accessible Web Bot
Academic Research: University libraries and academic archival crawlers. Examples: Library of Congress, TurnItInBot
Advertising & Marketing: Ad verification, quality scoring, and bidding bots. Examples: Google AdsBot
Aggregator: Content syndication and job listing aggregator bots. Examples: Pinterest, Indeed Jobsbot
AI Assistant: Bots that fetch content on behalf of AI chat assistants. Examples: Perplexity-User, DuckAssistBot
AI Crawler: Bots that crawl your site to train or index LLM and generative AI models. Examples: GPTBot (OpenAI), ClaudeBot (Anthropic)
AI Search: Next-gen AI-driven search engines that index your content. Examples: OAI-SearchBot
Archiver: Web preservation bots that create public historical snapshots. Examples: Internet Archive (Wayback Machine), CommonCrawl
Feed Fetcher: Bots that poll RSS, Atom, and podcast feeds for fresh content. Examples: Feedly, podcast feed readers
Monitoring & Analytics: Uptime checkers, page speed testers, and performance monitoring services. Examples: Pingdom, UptimeRobot, GTmetrix
Page Preview: Bots that fetch page metadata to generate link previews in messaging and social apps. Examples: Slackbot, Twitterbot, Facebook, Discord
Search Engine Crawler: Verified search engine indexing bots; use the sub-section below to control which ones are allowed. Examples: Googlebot, Bingbot, DuckDuckBot, Yandexbot
Search Engine Optimization: Third-party SEO auditing, backlink analysis, and rank tracking crawlers. Examples: Ahrefs, Semrush, Moz, Google Lighthouse
Security: Bots that perform SSL certificate validation and authorized security scanning. Examples: Let's Encrypt, SSL Labs
Social Media Marketing: Social listening and brand mention monitoring services. Examples: Brandwatch
Webhooks: Automated services that send event-driven notifications to your site. Examples: Stripe, Shopify, GitHub, WordPress integrations
(Each category can be looked up on Cloudflare Radar.)
AI Assistant, AI Crawler, AI Search: Only enable these if you want AI tools crawling and indexing your content. Leave them off to block AI scrapers.
Search Engine Optimization: Only enable if you actively subscribe to and use these tools on your own site. They can be extremely aggressive on server resources.
Individual Crawler Control
Even though all Search Engine Crawlers are Cloudflare-verified, you may not want all of them. US-focused sites typically don't need Baiduspider (China) or YandexBot (Russia) getting through. Uncheck any crawlers you want to exclude and they will be added as exclusion conditions to the expression.

Why? Some of these bots can become very aggressive and hammer your server with requests, wasting resources and slowing down your site for real visitors.
Always included: Let's Encrypt ACME challenge
Web Server IP (optional)
Since later rules block many hosting providers, add your web server's IP here to prevent blocking your own server's CRON jobs and outbound connections. Your server typically has both an IPv4 and IPv6 address; add both if possible, separated by a comma. If provided, they will be included as an Allow condition in the Rule 1 expression using the "IP Source" field with the "is in" operator.
Third-Party Services (optional)
Many popular services like Stripe, PayPal, and Mailchimp are already covered by the Webhooks category above. Check the services below only if you have confirmed those services are being blocked and are not in Cloudflare's verified bot list.
Rule 2 — Aggressive Crawlers (Managed Challenge)
Targets overly persistent bots that hammer your server. This rule effectively stops most fake bots, but note that it will also catch aggressive SEO crawler tools. If you use a service like SEMrush or Ahrefs for your own site, uncheck it below so you don't block your own scans.
Important: For this rule to actually catch Ahrefs, SEMrush, and similar tools, two things must be true: (1) make sure "Search Engine Optimization" is NOT checked in Rule 1 above, and (2) uncheck "All remaining custom rules" in your Allow Good Bots rule inside Cloudflare. Without both of those, the Allow rule will override this one. Be cautious when adjusting the Allow rule settings, as removing too many exceptions can inadvertently block legitimate services.
Crawlers to Block (uncheck tools you pay for)
Rule 3 — Challenge Large Providers / Country (Managed Challenge)
Hackers and spammers frequently spin up VPS servers on Google Cloud, Amazon EC2, and Azure to launch rapid attacks or waste resources scanning your site. These servers can stay active for days. This rule issues a managed challenge to that traffic. Optionally, you can also challenge visitors from outside your primary country, which cuts off a large percentage of automated threats before they ever touch your site.
Country Restriction
Enable Country Restriction
Challenge visitors from outside your target country. Recommended for local or regional businesses.
Allowed Country / Region
Allow Facebook Traffic
Allows traffic arriving via Facebook links (fbclid parameter). Recommended if you run Facebook ads or share links on Facebook.
Third-party services: Legitimate services do run on AWS, Azure, and Google Cloud. If you use a third-party tool that needs to connect to your site from one of these providers, you may need to whitelist their IP in the Allow Good Bots rule. That said, Cloudflare's Verified Bots list already covers many of these services, so you may not need to do anything extra.
VPS Providers to Challenge
Amazon AWS / EC2: ASN 7224, 16509, 14618
Microsoft Azure: ASN 8075
Google Cloud: ASN 396982
Rule 4 — Block VPN / Web Host / Paths / TOR (Managed Challenge)
This rule combines VPN providers, a compiled list of web hosting ASNs I have built up over years of identifying attack sources, TOR exit nodes, and requests to vulnerable WordPress paths. While legitimate users do use VPNs and TOR, the volume of malicious traffic from those sources far outweighs the benefit of allowing them freely. For eCommerce sites in particular, blocking these sources has significantly reduced fraud. By merging these into one rule, it also frees up a rule slot so you can use Cloudflare's native AI Scraping Protection.
WordPress Paths
WordPress Site
Blocks xmlrpc.php, wp-config.php, wlwmanifest, and wp-login.php - the most common WordPress attack targets.
Additional Blocking
Block AI Crawlers
Blocks "AI Crawler" and "Other" from Cloudflare's verified bot list. Disable if you are using Cloudflare's native AI Scraping Protection or want AI tools to index your site.
Block TOR Exit Nodes
Blocks all TOR network traffic (country code T1). Recommended unless you specifically need to serve TOR users.
The combined ASN list covers both major VPN providers and web hosting services compiled from years of identifying attack sources. On rare occasions a user might be on a custom VPN through a provider like DigitalOcean or phoenixNAP and hit this rule. It's uncommon, but it does happen.
VPNs: Legitimate users do use VPNs, but so do hackers and spammers. In my experience, the negative impact from malicious VPN traffic far outweighs the benefit of allowing it freely, so I issue a managed challenge rather than blocking outright.
TOR: I do not allow TOR or TOR exit nodes. Legitimate users may use TOR, but so do bad actors. I prefer to block them entirely. If you block TOR here, I also recommend turning off Onion Routing in Cloudflare under Network settings.
WordPress login tip: I also recommend setting up Cloudflare Access as an extra layer of protection for your WordPress login page. It is free for up to 50 users per Cloudflare account.
eCommerce: For online stores, blocking VPNs and TOR has made a significant difference. One of my largest clients runs an eCommerce site and their fraud incidents decreased substantially after we implemented these rules.

Your Custom WAF Rules

Copy each expression into a new Cloudflare WAF Custom Rule with the corresponding action.

Skip / Allow Rule 1 — Allow Good Bots
Managed Challenge Rule 2 — Aggressive Crawlers
Managed Challenge Rule 3 — Challenge Large Providers / Country
Managed Challenge Rule 4 — Block VPN / Web Host / Paths / TOR
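The generator's actual output is not reproduced here, so as an added illustration (not this tool's code) here is what the four expressions could look like in Cloudflare's custom-rule expression syntax for a US site that allows every category except AI and SEO, excludes Baiduspider and YandexBot, and adds one IPv4 and one IPv6 server address. The server addresses (documentation ranges), the Rule 2 user-agent tokens, the ACME path condition, and the Rule 4 ASNs 64496 and 64497 (a reserved documentation range standing in for your own VPN/host list) are assumptions; Rule 1 must sit first in the list with the Skip action set to skip all remaining custom rules, otherwise Rules 2 to 4 still run against the traffic it is meant to exempt.

```text
Rule 1 - Allow Good Bots (action: Skip, "All remaining custom rules" ticked)
(cf.verified_bot_category in {"Accessibility" "Academic Research" "Advertising & Marketing" "Aggregator" "Archiver" "Feed Fetcher" "Monitoring & Analytics" "Page Preview" "Security" "Social Media Marketing" "Webhooks"})
or (cf.verified_bot_category eq "Search Engine Crawler" and not (http.user_agent contains "Baiduspider" or http.user_agent contains "YandexBot"))
or (http.request.uri.path contains "/.well-known/acme-challenge/")
or (ip.src in {203.0.113.10 2001:db8::10})

Rule 2 - Aggressive Crawlers (action: Managed Challenge)
(http.user_agent contains "AhrefsBot") or (http.user_agent contains "SemrushBot")

Rule 3 - Challenge Large Providers / Country (action: Managed Challenge)
(ip.src.asnum in {7224 16509 14618 8075 396982})
or (ip.src.country ne "US" and not (http.request.uri.query contains "fbclid"))

Rule 4 - Block VPN / Web Host / Paths / TOR (action: Managed Challenge)
(ip.src.asnum in {64496 64497})
or (ip.src.country eq "T1")
or (cf.verified_bot_category in {"AI Crawler" "Other"})
or (http.request.uri.path contains "xmlrpc.php")
or (http.request.uri.path contains "wp-config.php")
or (http.request.uri.path contains "wlwmanifest")
or (http.request.uri.path eq "/wp-login.php")
```

To check the result without locking yourself out, create each rule with the Log action first, watch Security Events for a day, and only then switch the action to Managed Challenge.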