Firewall Security Shortcuts make it easy to apply strong security protections with just a few clicks. Instead of building rules from scratch, each shortcut gives you a ready-to-use firewall configuration designed for a specific scenario such as blocking suspicious IPs, preventing login abuse, stopping bots from scraping your content, or allowing internal APIs to operate without unnecessary security checks. These shortcuts help you save time, avoid configuration mistakes, and set up a solid security baseline even before you add custom rules. They are especially useful for teams that want to strengthen security quickly without navigating technical expressions or manually tuning every condition.
You can customize any shortcut before enabling it, giving you full control over how strict or permissive you want your firewall to be. This flexibility ensures that shortcuts work smoothly with your application’s design, traffic patterns, and operational needs. Whether you run a simple website or a multi-application setup, shortcuts help you maintain security without slowing down deployment.
Click on any shortcut name below to see its detailed conditions, recommended use case, and the exact action performed when enabled.
IP Blocking
Blocks specific malicious or abusive IPs instantly. This is especially helpful when you're dealing with repeated attack attempts or targeted probing from known sources. A quick block can immediately reduce harmful traffic.
Geo Blocking
Restricts requests from countries where you do not expect real users. This reduces unwanted bot traffic, lowers noise in your logs, and limits exposure to attacks coming from high-risk regions.
Login Path Protection
Adds extra verification checks for your login page. It helps you defend against credential stuffing, brute-force attempts, and automated login abuse. Since login endpoints are among the most targeted areas of any application, this rule provides essential protection.
Anti Scraping
Detects and blocks scraping bots that harvest pricing, metadata, or content. This protects proprietary information, helps stop unfair competitive analysis, and prevents excessive bandwidth usage from unauthorized tools.
Form Submission Protection
Reduces spam and automated submissions on forms such as contact pages, signup forms, and checkout screens. This ensures that your business workflows remain clean and that real user submissions are not drowned in bot traffic.
Hostname Filtering
Allows or blocks requests based on the hostname used in the request. This stops direct IP access, domain spoofing, and requests with unexpected hostnames from reaching your origin directly.
Hotlink Protection
Stops external websites from embedding or displaying your images, videos, or other assets without permission. This is essential for saving bandwidth and maintaining ownership over your content.
Exclude from WAF
Allows trusted internal services, monitoring tools, or safe URLs to bypass the WAF entirely. Useful for health checks, cron jobs, and automated requests that don’t require scrutiny.
Block WP-Admin Access
Restricts requests to the WordPress admin path, preventing random bots from attempting to exploit known vulnerabilities in WP-Admin or wp-login.
Cookie Challenge for Abused IPs
Applies a lightweight browser check to suspicious IPs. It’s minimally invasive for real users but effective at filtering out bots.
CAPTCHA Challenge for Abused IPs
Enforces a CAPTCHA challenge when traffic looks harmful. This offers stronger verification when you want to be absolutely certain that the requester is a real human.
Block Sensitive File Types
Prevents access to backup files, configuration exports, logs, or other sensitive file extensions. This is crucial for preventing data leaks and reconnaissance attempts.
API POST Enforcement
Ensures that specific APIs accept only POST requests, blocking GET or HEAD requests that are often used for probing. This helps reduce attack surface and enforces correct client behavior.
Bypass Rate Limit for Internal APIs
Allows trusted internal endpoints such as health or status checks to bypass rate limiting. This prevents false rate-limit blocks that could affect uptime monitoring or internal automation.