Cloudflare WAF Wizard ALPHA

A battle-tested 4-rule WAF setup, tuned for your site and ready to copy straight into Cloudflare. No guesswork. Everything built on a proven base, with your 5th rule slot kept free for Cloudflare AI Crawl Control or a custom block.

Build My WAF Rules

All 4 rules are pre-configured with sensible defaults. Adjust the options below for your specific setup, then generate your rules.

Still in development: do not use in production yet. This tool is currently in alpha. Rules may be incomplete or change without notice. Do not apply these rules to a live site until this warning is removed.
Cloudflare Enterprise not supported. These rules will not work with Cloudflare Enterprise. Some providers that use Enterprise include Rocket.net (required) and Cloudways (optional). You need direct access to cloudflare.com to add these rules. Will work with Kinsta and WP Engine, though WP Engine may require you to move to their legacy network first.
Saved Profiles
Profiles are saved to this computer's local storage only. They will be lost if you clear your browser cache or site data. Nothing is sent to any server.
Rule 1 - Allow Good Bots (action: Skip / Allow)
Approved bot categories pass without challenge.
Step 1 of 7: Verified Bots
Cloudflare Verified Bot Categories
My recommendation: Enable everything except the AI and Search Engine Optimization categories to start.

AI Categories - each one does something different. Only enable the ones relevant to your goals:
  • AI Assistant - allows AI tools to view your site when a user directly asks them to (e.g. "summarize this page").
  • AI Crawler - allows AI companies to crawl and train on your content. Only enable if you're OK with your content being used for AI training.
  • AI Search - allows bots that power AI-driven search experiences. This is different from traditional search indexing.
Search Engine Optimization (Ahrefs, SEMrush, Moz, etc.) - these tools can be extremely aggressive on server resources. I don't allow the full category by default. If you use one of these services, you can allow just that specific tool in a later step - for example, allow SEMrush without also opening the door to Ahrefs or tools you don't use.
  • Accessibility - Screen readers and assistive technology crawlers. Examples: Accessible Web Bot.
  • Academic Research - University libraries and academic archival crawlers. Examples: Library of Congress, TurnItInBot.
  • Advertising & Marketing - Ad verification, quality scoring, and bidding bots. Examples: Google AdsBot.
  • Aggregator - Content syndication and job listing aggregator bots. Examples: Pinterest, Indeed Jobsbot.
  • AI Assistant - Bots that fetch content on behalf of AI chat assistants. Examples: Perplexity-User, DuckAssistBot.
  • AI Crawler - Bots that crawl your site to train or index LLM and generative AI models. Examples: GPTBot (OpenAI), ClaudeBot (Anthropic).
  • AI Search - Next-gen AI-driven search engines that index your content. Examples: OAI-SearchBot.
  • Archiver - Web preservation bots that create public historical snapshots. Examples: Internet Archive (Wayback Machine), CommonCrawl.
  • Feed Fetcher - Bots that poll RSS, Atom, and podcast feeds for fresh content. Examples: Feedly, podcast feed readers.
  • Monitoring & Analytics - Uptime checkers, page speed testers, and performance monitoring services. Examples: Pingdom, UptimeRobot, GTmetrix.
  • Page Preview - Bots that fetch page metadata to generate link previews in messaging and social apps. Examples: Slackbot, Twitterbot, Facebook, Discord.
  • Search Engine Crawler - Verified search engine indexing bots; use the sub-section below to control which ones are allowed. Examples: Googlebot, Bingbot, DuckDuckBot, Yandexbot.
  • Search Engine Optimization - Third-party SEO auditing, backlink analysis, and rank tracking crawlers. Examples: Ahrefs, Semrush, Moz, Google Lighthouse.
  • Security - Bots that perform SSL certificate validation and authorized security scanning. Examples: Let's Encrypt, SSL Labs.
  • Social Media Marketing - Social listening and brand mention monitoring services. Examples: Brandwatch.
  • Webhooks - Automated services that send event-driven notifications to your site. Examples: Stripe, Shopify, GitHub, WordPress integrations.
AI Assistant, AI Crawler, AI Search: Only enable these if you want AI tools crawling and indexing your content. Leave them off to block AI scrapers.
Search Engine Optimization: Only enable if you actively subscribe to and use these tools on your own site. They can be extremely aggressive on server resources.
Step 1 of 7 in Rule 1
Services marked ✓ Cloudflare Webhooks are already covered by Cloudflare's verified bot list. You don't need to check those unless you want extra coverage. The others are not on the list and need to be explicitly allowed.
WordPress Site Management
If you use a WordPress management platform to handle updates, backups, or uptime monitoring across multiple sites, select it here. These tools make outbound requests to your site and can get caught by downstream rules.
  • ManageWP - Automattic site management (✓ Cloudflare Webhooks)
  • MainWP - Self-hosted WP dashboard (✓ Cloudflare Webhooks)
  • WP Remote - Remote WP management (✓ Cloudflare Webhooks)
  • WP Umbrella - Monitoring and updates (User Agent)
  • InfiniteWP - Self-hosted WP manager (User Agent)
  • PatchStack - WordPress security firewall (IP Based)
  • Checkview - WooCommerce checkout testing (IP Based)
  • Solid WP - Formerly iThemes Sync (User Agent)
  • Modular DS - WordPress site management (✓ Cloudflare Webhooks)
  • CMS Commander - Multi-site management (User Agent)
Backups & Migrations
Cloud-based backup and migration services connect to your site from external servers and need to be whitelisted. Note: plugin-based migration tools like Duplicator, All-in-One WP Migration, and WP Migrate DB run directly on your server and do not need whitelisting here. Heads up: not all backup services route through their own provider IPs. Some trigger requests from your hosting server or a third-party server, so you may also need to whitelist specific IPs at the server or hosting level if you're still seeing blocks after enabling these rules.
  • BlogVault - Cloud backup and Migrate Guru (✓ Cloudflare Webhooks)
  • Jetpack / VaultPress - WordPress.com cloud backups (✓ Cloudflare Webhooks)
  • UpdraftCentral - Remote manager for UpdraftPlus (User Agent)
  • WPvivid - Cloud backup and staging (User Agent)
  • BackupBuddy - iThemes cloud backup (User Agent)
  • Snapshot Pro - WPMU DEV cloud backup (User Agent)
Image & Media Optimization
Cloud image and media optimization services fetch assets from your server to compress, convert, or transform them. Their requests need to be allowed through your WAF or optimization will fail silently.
  • ShortPixel - Image compression and WebP (User Agent)
  • EWWW Image Optimizer - ExactDN CDN and compression (User Agent)
  • Imagify - Image compression and WebP (IP Based)
  • Cloudinary - Media asset management and delivery (User Agent)
CDN & Delivery
CDN platforms that origin-pull assets from your server need to be allowed; otherwise their pull requests are blocked and cached content will fail to update.
  • Bunny CDN - Edge CDN and video delivery (User Agent)
  • KeyCDN - High-performance CDN (User Agent)
Step 2 of 7 in Rule 1
Uptime & Performance Monitoring
Uptime monitors ping your site on a regular schedule and will hit your WAF rules if not allowed. Many are already covered by Cloudflare's Monitoring & Analytics verified bot category; those are marked below. If you have that category enabled in Step 1, those services are already handled.
  • UptimeRobot - Free uptime monitoring (✓ Monitoring & Analytics)
  • Pingdom - Website performance monitoring (✓ Monitoring & Analytics)
  • GTmetrix - Page speed and performance (✓ Monitoring & Analytics)
  • Better Uptime - Uptime and incident monitoring (User Agent)
  • Freshping - Free uptime monitoring (User Agent)
  • Site24x7 - Full-stack monitoring (User Agent)
  • StatusCake - Website monitoring (User Agent)
  • Oh Dear - Uptime, SSL and mixed content (User Agent)
  • HetrixTools - Uptime and blacklist monitoring (User Agent)
  • WebPageTest - Web performance and speed testing (User Agent)
  • DebugBear - Core Web Vitals and performance monitoring (User Agent)
  • 360 Monitoring - Uptime monitoring from global locations (✓ Monitoring & Analytics)
Testing & Screenshots
Services that load your site to run automated tests, check checkout flows, or generate page previews. Their requests look like real browsers and may be challenged by WAF rules.
  • CheckView - WooCommerce checkout & form testing (User Agent)
  • Schema Markup Validator - Google's structured data testing tool (User Agent)
  • WP Shots / mShots - WordPress.com link preview screenshots (User Agent)
Link Checkers
Broken link checkers crawl your pages to find dead links. They get blocked by Rule 2's Generic Crawlers filter, so allow them here if you actively use these on your own site.
  • WPMU Dev BLC - Cloud broken link checker (UA + IP)
  • Broken Link Checker - brokenlinkcheck.com standalone tool (User Agent)
  • Siteliner - Duplicate content and link analysis (User Agent)
Security Services
Cloud-based security platforms that scan your site from external servers or connect via a remote dashboard. These are not on Cloudflare's verified bot list and need to be explicitly allowed.
  • Wordfence Central - Remote Wordfence dashboard (User Agent)
  • Sucuri - Cloud-based malware scanning (User Agent)
  • MalCare - Cloud malware scanning (User Agent)
  • Solid Security Pro - iThemes security scanning (User Agent)
Step 3 of 7 in Rule 1
Payment & eCommerce
Payment processors and eCommerce platforms send webhook callbacks to your site for order events, payment confirmations, and subscription updates. Select any you use.
  • Stripe - Payment processing webhooks (✓ Cloudflare Webhooks)
  • PayPal - Payment processing webhooks (✓ Cloudflare Webhooks)
  • Square - In-person and online payment webhooks (User Agent)
Email Marketing & CRM
Email marketing platforms and CRMs that send webhook callbacks to your site for events like unsubscribes, list changes, form submissions, and automation triggers.
  • Mailchimp - Email marketing and automation (✓ Cloudflare Webhooks)
  • Klaviyo - Email and SMS marketing (✓ Advertising & Marketing)
  • HubSpot - CRM and marketing automation (✓ Cloudflare Webhooks)
  • ActiveCampaign - Email marketing and automation (User Agent)
  • Brevo - Email marketing, formerly Sendinblue (User Agent)
  • Omnisend - eCommerce email and SMS marketing (✓ Cloudflare Webhooks)
  • ConvertKit / Kit - Creator email marketing and automation (User Agent)
  • Mailgun - Transactional email and event webhooks (User Agent)
Automation & Integrations
Workflow automation platforms that trigger actions on your site or send notifications via webhooks.
  • Zapier - Workflow automation (✓ Cloudflare Webhooks)
  • Make (Integromat) - Workflow automation (User Agent)
  • Twilio - SMS and voice notifications (User Agent)
  • Pabbly Connect - Workflow automation and webhooks (User Agent; ⚠ UA unconfirmed)
Shipping & Fulfillment
Shipping platforms and print-on-demand fulfillment services that send webhook callbacks to your site for order status updates, label creation, and fulfillment events.
Note: If you use Printful, Printify, or similar print-on-demand services, you may also need to disable Bot Fight Mode in Cloudflare (Security → Bots) as it can interfere with their callbacks even when the user agent is allowed here.
  • ShipStation - Multi-carrier shipping and order management (User Agent)
  • Shippo - Multi-carrier shipping API (User Agent)
  • PirateShip - WooCommerce shipping labels (User Agent)
  • Printful - Print-on-demand and fulfillment (User Agent)
Reviews & Social Proof
Review platforms that send invitation or event webhooks to your site to trigger review collection workflows.
  • Trustpilot - Customer review invitations and webhooks (User Agent)
Affiliate & Referral Programs
Affiliate platforms send conversion and commission webhook callbacks to your site when referral sales or sign-ups occur.
  • ShareASale - Affiliate marketing network (User Agent)
  • Impact - Partnership and affiliate management (User Agent)
  • Tapfiliate - Referral and affiliate tracking (User Agent)
Step 4 of 7 in Rule 1
SEO Tools
Only select tools you actively pay for and use on your own site. These crawlers are blocked by default in Rule 2; selecting one here will allow it in Rule 1, but you also need to uncheck it in Rule 2 (Aggressive Crawlers) or it will still be blocked. Tools marked SEO Category are part of Cloudflare's Search Engine Optimization verified bot group; if you enabled that category in Step 1, they are already allowed.
  • Ahrefs - Backlink and SEO analysis (SEO Category)
  • SEMrush - SEO and competitive research (SEO Category)
  • Moz - SEO tools and link explorer (SEO Category)
  • Majestic - Backlink intelligence (SEO Category)
  • Mangools - KWFinder and SERPChecker (User Agent)
  • SE Ranking - All-in-one SEO platform (User Agent)
  • Screaming Frog - Site audit crawler (User Agent)
  • Sitebulb - Visual site auditing (User Agent)
Step 5 of 7 in Rule 1
Always included: Let's Encrypt ACME challenge
Web Server IP (optional)
Since later rules block many hosting providers, add your web server's IP here to prevent blocking your own server's CRON jobs and outbound connections. Your server typically has both an IPv4 and IPv6 address; add both if possible, separated by a comma. If provided, they will be included as an Allow condition using "IP Source is in" in the Rule 1 expression.
Custom User Agent (optional)
If you use a service not listed in the previous steps, enter its user agent string here. Separate multiple values with a comma. Each will be added as a http.user_agent contains "..." condition in Rule 1. For self-hosted tools like n8n, use the IP of their server instead, either in this field or in the Web Server IP field above.
Step 6 of 7 in Rule 1
Optional step. Most users can skip this. Use this section to exclude specific search engine or AI crawlers from your allow rule, for example blocking AmazonBot or Baiduspider while still allowing all others. If you don't need to customize this, just click "Finish Rule 1" below.
Individual Crawler Control (optional)
Uncheck any crawlers you want to exclude. They will be added as exclusion conditions to the Rule 1 expression. Note: Some of these bots can become very aggressive and hammer your server with requests, wasting resources and slowing down your site for real visitors.
Our recommendation: Leave the major search engines checked (Google, Bing, Yahoo, DuckDuckGo) and uncheck the aggressive or region-specific ones: SeznamBot, Bytespider, Baiduspider, YandexBot, Mojeek, and ZoomInfo. These tend to crawl aggressively and provide little SEO value for most English-language sites.
AI Control (optional)
Manage all AI access in one place. User-initiated agents allow AI tools to fetch pages on behalf of real users. AI crawlers are bots that index your content; exclusions below only apply if AI Crawler, AI Assistant, or AI Search is enabled in Step 1.
User-Initiated AI Agents
  • Claude-User - Allows Claude (Anthropic) to fetch pages on behalf of real users (User Agent)
AI Training Crawlers
Our recommendation: Keep the major AI assistants checked (GPTBot, ClaudeBot, Perplexity, Google-Extended) and uncheck the aggressive training crawlers: AmazonBot, CCBot, Diffbot, and cohere-ai. These crawl heavily for AI training data with little benefit to your site.
Step 7 of 7 (last step in Rule 1)
Rule 2 - Aggressive Crawlers (action: Managed Challenge)
Block overly persistent bots that hammer your server.
Important: For this rule to actually catch Ahrefs, SEMrush, and similar tools, two things must be true: (1) make sure "Search Engine Optimization" is NOT checked in Rule 1 above, and (2) uncheck "All remaining custom rules" in your Allow Good Bots rule inside Cloudflare. Without both of those, the Allow rule will override this one. Be cautious when adjusting the Allow rule settings, as removing too many exceptions can inadvertently block legitimate services.
Crawlers to Block (uncheck tools you pay for)
  • Yandex - Russian search engine
  • Sogou - Chinese search engine
  • Baidu - Chinese search engine
  • SEMrush - Uncheck if you use it
  • Ahrefs - Uncheck if you use it
  • Python Requests - Generic script bots
  • Generic Crawlers/Bots - Any UA with "bot", "crawl", "spider"
  • MJ12bot
  • ZoominfoBot
  • Mojeek
  • SiteLock
  • CF-UC
  • Neevabot
  • China SiteAudit - ASN 135061, 23724, 4808
Rule 2 of 4
Rule 3 - Challenge Large Providers / Country (action: Managed Challenge)
Challenge VPS traffic and optional country restrictions.
Country Restriction
  • Enable Country Restriction - Challenge visitors from outside your target country. Recommended for local or regional businesses.
  • Allowed Country / Region
  • Allow Facebook Traffic - Allows traffic arriving via Facebook links (fbclid parameter). Recommended if you run Facebook ads or share links on Facebook.
Third-party services: Legitimate services do run on AWS, Azure, and Google Cloud. If you use a third-party tool that needs to connect to your site from one of these providers, you may need to whitelist their IP in the Allow Good Bots rule. That said, Cloudflare's Verified Bots list already covers many of these services, so you may not need to do anything extra.
VPS Providers to Challenge
  • Amazon AWS / EC2 - ASN 7224, 16509, 14618
  • Microsoft Azure - ASN 8075
  • Google Cloud - ASN 396982
Rule 3 of 4
Rule 4 - Block VPN / Web Host / Paths / TOR (action: Managed Challenge)
Combined blocking for VPNs, hosting, WordPress paths, and TOR.
WordPress Path Protection

Block paths attackers probe to find vulnerabilities. All are recommended for WordPress sites unless noted otherwise.

  • Block XML-RPC - Brute force and DDoS amplification target
  • Block WP-JSON - REST API; only if no plugins require it
  • Block WLW Manifest - Windows Live Writer file, rarely needed
  • Block WP Signup - Blocks wp-signup.php registration endpoint
  • Block WP Cron - Blocks external access to wp-cron.php
  • Block WP Trackback - Spam target via wp-trackback.php
  • Block WP Install - Blocks wp-admin/install.php
  • Block wp-config - Blocks config file and all backup variants
  • Block readme.html - Reveals WordPress version to scanners
  • Block license.txt - Reveals WordPress version to scanners
  • Block .env - May contain credentials and API keys
  • Block error_log - Server error log that exposes file paths
  • Block phpinfo - Blocks phpinfo.php and info.php
  • Block Adminer - Database management tool (adminer.php)
  • Block Backup Files - Blocks .zip, .sql, .tar.gz, and other backup patterns
  • Block .git Directory - Prevents source code and credential exposure
  • Block phpMyAdmin - Blocks /phpmyadmin and /pma/ admin paths
  • Block debug.log - Blocks wp-content/debug.log exposure
  • Block User Enumeration - Blocks ?author= and /wp-json/wp/v2/users
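The two points worth checking before pasting anything into the dashboard are the Rule 2 warning (a request matched by Rule 1's Skip bypasses every later rule, so an allowed SEMrush is never challenged) and the Rule 4 path blocks above. The script below models both; it is an added example, not the wizard's generator: the Cloudflare field names and operators are real, but the per-option patterns, the SemrushBot/AhrefsBot/python-requests user-agent tokens and the sample requests are my assumptions, and Rule 3 (ASN/country) is left out.

```python
"""Added example (not the wizard's own code): a minimal model of Cloudflare's
top-to-bottom custom-rule evaluation, to sanity-check a rule set built from the
options above. Field names and operators are real Cloudflare ones; the patterns,
user-agent tokens and sample requests are constructed assumptions."""
from ipaddress import ip_address

SERVER_IP = "203.0.113.50"  # constructed: the "Web Server IP" from Step 5

def build_rules(allow_semrush):
    """Ordered (name, action, conditions); a rule fires if any condition holds.
    'skip' mirrors Rule 1: a matching request bypasses every later rule."""
    rule1 = [("ip.src", "in", [SERVER_IP])]
    if allow_semrush:  # SEMrush ticked in Rule 1 (Step 4) or SEO category on
        rule1.append(("http.user_agent", "contains", "SemrushBot"))
    return [
        ("Rule 1 - Allow Good Bots", "skip", rule1),
        ("Rule 2 - Aggressive Crawlers", "managed_challenge", [
            ("http.user_agent", "contains", "SemrushBot"),
            ("http.user_agent", "contains", "AhrefsBot"),
            ("http.user_agent", "contains", "python-requests"),
        ]),
        ("Rule 4 - Paths", "managed_challenge", [
            ("http.request.uri.path", "contains", "/xmlrpc.php"),
            ("http.request.uri.path", "contains", "wp-config"),  # .bak/.old too
            ("http.request.uri.path", "contains", "/wp-cron.php"),
            ("http.request.uri.query", "contains", "author="),
        ]),
    ]

def condition_holds(cond, request):
    field, op, value = cond
    subject = request.get(field, "")
    if op == "contains":
        return value in subject
    if op == "in":  # IP set membership; ip_address() normalises IPv6 spellings
        return bool(subject) and any(ip_address(subject) == ip_address(v) for v in value)
    raise ValueError(f"unsupported operator {op}")

def evaluate(rules, request):
    """Return (rule name, action) of the first matching rule, else (None, 'allow')."""
    for name, action, conds in rules:
        if any(condition_holds(c, request) for c in conds):
            return name, action
    return None, "allow"

def to_expression(conds):
    """Render conditions in the expression syntax pasted into the dashboard."""
    parts = []
    for field, op, value in conds:
        if op == "in":
            parts.append(f"({field} in {{{' '.join(value)}}})")
        else:
            parts.append(f'({field} {op} "{value}")')
    return " or ".join(parts)

# Constructed sample requests (documentation-range IPs).
SEMRUSH = {"http.user_agent": "SemrushBot/7~bl", "http.request.uri.path": "/", "ip.src": "198.51.100.9"}
OWN_CRON = {"http.user_agent": "WordPress/6.5", "http.request.uri.path": "/wp-cron.php", "ip.src": SERVER_IP}
PROBE = {"http.user_agent": "python-requests/2.31", "http.request.uri.path": "/wp-config.php.bak", "ip.src": "198.51.100.7"}

if __name__ == "__main__":
    for allow in (True, False):  # the Rule 2 warning: an allowed SEMrush never reaches Rule 2
        print("SEMrush allowed in Rule 1:", allow, evaluate(build_rules(allow), SEMRUSH))
    print(evaluate(build_rules(False), OWN_CRON), evaluate(build_rules(False), PROBE))
    print(to_expression(build_rules(False)[2][2]))
```

Flipping allow_semrush shows the same SemrushBot request landing on Rule 1 (skip) or Rule 2 (managed_challenge), which is exactly why the wizard tells you to uncheck the tool in both places.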
AI Crawlers: Use Cloudflare's built-in AI Scraping Protection to block AI bots. It's maintained automatically by Cloudflare and is more accurate than a custom WAF rule. Find it in your Cloudflare dashboard under Security → Bots.
Additional Blocking
  • Block TOR Exit Nodes - Blocks all TOR network traffic (country code T1). Recommended unless you specifically need to serve TOR users.
The combined ASN list covers both major VPN providers and web hosting services compiled from years of identifying attack sources. On rare occasions a user might be on a custom VPN through a provider like DigitalOcean or phoenixNAP and hit this rule. It's uncommon, but it does happen.
VPNs: Legitimate users do use VPNs, but so do hackers and spammers. In my experience, the negative impact from malicious VPN traffic far outweighs the benefit of allowing it freely, so I issue a managed challenge rather than blocking outright.
TOR: I do not allow TOR or TOR exit nodes. Legitimate users may use TOR, but so do bad actors. I prefer to block them entirely. If you block TOR here, I also recommend turning off Onion Routing in Cloudflare under Network settings.
WordPress login tip: I also recommend setting up Cloudflare Access as an extra layer of protection for your WordPress login page. It is free for up to 50 users per Cloudflare account.
eCommerce: For online stores, blocking VPNs and TOR has made a significant difference. One of my largest clients runs an eCommerce site and their fraud incidents decreased substantially after we implemented these rules.
Rule 4 of 4 (last step)

Your Custom WAF Rules

Copy each expression into a new Cloudflare WAF Custom Rule with the corresponding action.

  • Rule 1 - Allow Good Bots (action: Skip / Allow)
  • Rule 2 - Aggressive Crawlers (action: Managed Challenge)
  • Rule 3 - Challenge Large Providers / Country (action: Managed Challenge)
  • Rule 4 - Block VPN / Web Host / Paths / TOR (action: Managed Challenge)