Allow Good Bots

The Allow Good Bots page lets you create a whitelist of trusted bots, crawlers, and third-party services. When enabled, these verified bots get unrestricted access to your site and skip all WAF rules, meaning they won’t be blocked, challenged, or slowed down by your firewall.

Without this, legitimate services like Google Search, backup plugins, uptime monitors, or SEO tools might be blocked by stricter WAF rules (like “Block Crawlers” or “Challenge Cloud Providers”). Allowing them ensures your site stays functional and findable.

Allow Good Bots

Turn the Enable Allow Good Bots toggle ON. This activates the entire whitelist system. If it is off, none of the categories below will take effect, even if individually enabled. The settings have Enable All and Disable All buttons for quick bulk control, plus individual toggles for each service.

Cloudflare Verified Bot Categories

Allows bots that Cloudflare itself has verified and classified as legitimate through their automated system.

Services included:

  • Accessibility (Allows assistive technology crawlers (e.g., screen reader validators) to access your site without restriction)
  • Academic Research (Allows academic and research crawlers like Common Crawl. Disable if you want to restrict data harvesting)
  • Advertising & Marketing (Allows academic and research crawlers like Common Crawl. Disable if you want to restrict data harvesting)
  • Aggregator (Allows content aggregation bots (e.g., Feedly, Flipboard). Enable if your content is syndicated via RSS)
  • AI Assistant (Allows AI assistant bots (e.g., ChatGPT plugins). Disable to prevent AI tools from reading your content)
  • AI Crawler (Allows AI training crawlers (GPTBot, CCBot, Google-Extended). Disable to block AI model training on your content)
  • AI Search (Allows AI-powered search engines (Perplexity, You.com). Disable if you do not want AI search indexing)
  • Archiver (Allows web archive bots (e.g., Internet Archive/Wayback Machine). Enable to preserve your content history)
  • Feed Fetcher (Allows RSS/Atom feed readers to fetch your content. Disable only if you do not publish feeds)
  • Monitoring & Analytics (Allows analytics and monitoring bots to validate your site. Recommended to keep enabled)
  • Page Preview (Allows link preview generators used by messaging apps to create rich previews)
  • Search Engine Crawler (Allows major search engine crawlers like Googlebot and Bingbot. Disabling this will hurt SEO)
  • Search Engine Optimization (Allows SEO audit tools to crawl your site for optimization insights)
  • Security (Allows security scanning bots such as safe browsing and reputation checks)
  • Social Media Marketing (Allows security scanning bots such as safe browsing and reputation checks. Recommended to keep enabled)
  • Webhooks (Allows webhook delivery bots like Stripe, GitHub, and Zapier. Disable only if you do not use webhooks)

WordPress Backup Services

Allows popular WordPress backup plugins to access your site without being interrupted by the WAF.

Services included:

  • BackupBuddy
  • BlogVault
  • UpdraftPlus

If you use any of these backup plugins, enable them here. Backups often run via cron jobs or remote servers that WAF rules might flag as suspicious.

Website Monitoring Services

Allows uptime and performance monitoring tools to check your site regularly without triggering challenges or blocks.

Services included:

  • BetterStack
  • GTmetrix
  • Pingdom
  • StatusCake
  • UptimeRobot

Enable any service you actively use. If a monitoring tool is blocked, you’ll get false “site down” alerts.

Performance & Image Optimization

Allows image optimization and CDN services to fetch and process your content.

Services included:

  • Cloudflare Image Resizing
  • Easy IO / ExactDN
  • EWWW Image Optimizer
  • FlyingPress
  • Imagify
  • ShortPixel
  • TinyPNG

Enable any image optimization plugin/CDN you use. These services need to pull your images, optimize them, and serve them back. WAF blocking would break this.

SEO Crawlers

Allows SEO tools to crawl and analyze your site for rankings, audits, and backlink data.

Services included:

  • Ahrefs
  • Ahrefs Site Audit
  • Majestic (MJ12bot)
  • Moz Rogerbot
  • Screaming Frog
  • SEMrush
  • SiteAuditBot
  • SEMrush OCOB

Security & Malware Scanners

Allows security scanning services to audit your site for vulnerabilities without being blocked. Use these services for external security audits.

Services included:

  • SiteLock
  • Sucuri
  • VirusTotal
  • Wordfence

Social Media Previews

Allows social platforms to generate link previews (image + description) when your URL is shared.

Services included:

  • Facebook
  • LinkedIn
  • Twitter / X

Remember, without this, shared links will appear as plain text without images or descriptions.

WordPress Management

Allows WordPress management tools and services to connect to your site.

Services included:

  • Jetpack
  • MainWP
  • ManageWP
  • GoDaddy Uptime Monitor
  • WP Umbrella
  • Allow Let’s Encrypt Verification (ACME)

Enable any tool you use to manage multiple WordPress sites from one dashboard. Allow ACME challenge verification for SSL certificate renewal when using Let’s Encrypt.

Deploy to Cloudflare

After configuring your bot whitelist, you must save and deploy to make it active on Cloudflare.

Deploy Rules: Pushes your saved settings to Cloudflare and activates them live.
Preview Rules: Shows you the exact rule expressions that will be generated. Review before deploying.
Remove Plugin Rules: Removes all WAF rules created by this plugin from Cloudflare.
Zone Selector: Choose which Cloudflare domain (zone) to deploy to.

How Deployment Works From the Plugin:

  1. Save your WAF settings first using the Save Changes button at the bottom of the page
  2. Select the Cloudflare zone you want to protect
  3. Preview Rules shows the current draft output, including source tags for each generated rule
  4. Deploy Rules pushes only the saved plugin-managed rules and preserves unrelated Cloudflare rules

The plugin only manages its own rules. It won’t delete or overwrite any rules you created manually in Cloudflare.
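
The master toggle, the verified-bot categories and the deploy behaviour described above, sketched as an added example (not the plugin's own code). The `[plugin-managed]` description tag, the function names and the sample rules are assumptions; `cf.verified_bot_category` and the `skip` action are Cloudflare's.

```python
import json

# Category names as listed on this page (assumed to be the exact values of
# Cloudflare's cf.verified_bot_category field).
KNOWN_CATEGORIES = {
    "Accessibility", "Academic Research", "Advertising & Marketing",
    "Aggregator", "AI Assistant", "AI Crawler", "AI Search", "Archiver",
    "Feed Fetcher", "Monitoring & Analytics", "Page Preview",
    "Search Engine Crawler", "Search Engine Optimization", "Security",
    "Social Media Marketing", "Webhooks",
}
MANAGED_TAG = "[plugin-managed]"  # hypothetical marker for plugin rules
# Constructed sample: one manual rule and one older plugin rule in a zone.
SAMPLE_EXISTING = [
    {"description": "Manual: block test ASN", "action": "block",
     "expression": "(ip.src.asnum eq 64496)"},
    {"description": MANAGED_TAG + " Allow Good Bots", "action": "skip",
     "expression": "(cf.client.bot)"},
]

def build_skip_rule(master_enabled, enabled_categories):
    """Return one skip rule for the enabled categories, or None."""
    if not master_enabled or not enabled_categories:
        return None  # master toggle off: no category takes effect
    unknown = set(enabled_categories) - KNOWN_CATEGORIES
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    values = " ".join(f'"{c}"' for c in sorted(set(enabled_categories)))
    return {
        "description": MANAGED_TAG + " Allow Good Bots",
        "expression": f"(cf.verified_bot_category in {{{values}}})",
        "action": "skip",  # skip the remaining rules of this ruleset
        "action_parameters": {"ruleset": "current"},
    }

def merge_rules(existing_rules, new_rule):
    """Swap tagged rules for new_rule; keep untagged rules in order."""
    kept = [r for r in existing_rules
            if not r.get("description", "").startswith(MANAGED_TAG)]
    # The skip rule goes first so it runs before the rules it bypasses.
    return ([new_rule] if new_rule else []) + kept

if __name__ == "__main__":
    rule = build_skip_rule(True, ["Search Engine Crawler", "Webhooks"])
    print(json.dumps(merge_rules(SAMPLE_EXISTING, rule), indent=2))
```

Passing `None` as `new_rule` models Remove Plugin Rules: only the tagged rules disappear and the manual rule stays.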
