Set WordPress rules to Block

Follow the steps below to create a rule that executes a managed ruleset and defines an override for rules with a specific tag.

1. Add a rule to a phase entry point ruleset that executes a managed ruleset.
2. Configure a tag override that sets a specified action for all rules with a given tag.

Zone-level example

This example uses the Update a zone entry point ruleset operation to perform the following two steps in a single PUT request:

• Set the list of rules in the http_request_firewall_managed phase entry point ruleset to a single rule that executes the Cloudflare Managed Ruleset.
• Override rules with the wordpress tag to set the action to block. All other rules use the default action provided by the ruleset issuer.

Required API token permissions

At least one of the following token permissions is required:

• Response Compression Write
• Config Settings Write
• Dynamic URL Redirects Write
• Cache Settings Write
• Custom Errors Write
• Origin Write
• Managed headers Write
• Zone Transform Rules Write
• Mass URL Redirects Write
• Magic Firewall Write
• L4 DDoS Managed Ruleset Write
• HTTP DDoS Managed Ruleset Write
• Sanitize Write
• Transform Rules Write
• Select Configuration Write
• Bot Management Write
• Zone WAF Write
• Account WAF Write
• Account Rulesets Write
• Logs Write
• Logs Write

Update a zone entry point ruleset

curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "true",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "categories": [
                        {
                            "category": "wordpress",
                            "action": "block"
                        }
                    ]
                }
            }
        }
    ]
  }'

Account-level example

This example uses the Update an account entry point ruleset operation to perform the following two steps in a single PUT request:

• Set the list of rules in the http_request_firewall_managed phase entry point ruleset to a single rule that executes the Cloudflare Managed Ruleset for the zone example.com.
• Override rules with the wordpress tag to set the action to block. All other rules use the default action provided by the ruleset issuer.

Note

At the account level, the rule expression of an execute rule must end with and cf.zone.plan eq "ENT" so that it only applies to zones on an Enterprise plan.

Required API token permissions

At least one of the following token permissions is required:

• Mass URL Redirects Write
• Magic Firewall Write
• L4 DDoS Managed Ruleset Write
• Transform Rules Write
• Select Configuration Write
• Account WAF Write
• Account Rulesets Write
• Logs Write

Update an account entry point ruleset

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/rulesets/phases/http_request_firewall_managed/entrypoint" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "action": "execute",
            "expression": "cf.zone.name eq \"example.com\" and cf.zone.plan eq \"ENT\"",
            "action_parameters": {
                "id": "<MANAGED_RULESET_ID>",
                "overrides": {
                    "categories": [
                        {
                            "category": "wordpress",
                            "action": "block"
                        }
                    ]
                }
            }
        }
    ]
  }'