Block Countries in Cloudflare While Allowing Search Engines

Sometimes you just want to stop traffic from a specific country—maybe spam, scraper traffic, or fraud—but you don’t want to upset Google, Bing and other genuine crawlers. Good news: Cloudflare can do this neatly. No WordPress plugin required.

Below is a simple, safe way we use at Techvila.

---

The idea in one line

Block country → but allow verified bots.
We’ll tell Cloudflare: “If it’s a known good bot, let it in. Otherwise, if the visitor is from Country X, block.”

You can do this with one rule or two rules. I’ll show both.

---

Option A (recommended): One rule that blocks country except known bots

1. Log in to Cloudflare → pick your domain.
2. Go to Security → WAF → Custom rules (older UI may say Firewall rules).
3. Click Create rule.
4. Give a name like: Block Country (Except Bots).
5. Expression (use the editor’s “Edit expression” option): (ip.geoip.country in {"XX"}) and not cf.client.bot
   • Replace XX with your country code(s). Example for Russia + China:
     {"RU" "CN"}
   • cf.client.bot is Cloudflare’s “Known Bots” check (verified search engine and other legit crawlers).
6. Action:
   • Start with Managed Challenge (less risky; humans get challenged).
   • If you’re sure, switch to Block.
7. Deploy.

That’s it. Verified Googlebot/Bingbot and other good bots will pass. Normal visitors from those countries will be blocked/challenged.

---

Option B: Two rules (Allow bots first, then Block country)

If you prefer step-by-step allowlist + block:

1. Rule 1 – Allow known bots
   • Name: Allow Known Bots
   • Expression: cf.client.bot
   • Action: Allow
   • Keep this at the top of your custom rules list.
2. Rule 2 – Block the country
   • Name: Block Country
   • Expression: ip.geoip.country in {"XX"}
   • Action: Managed Challenge or Block

Order matters. The allow rule must be above the block rule so bots aren’t stopped.

---

Scope it to only parts of the site (optional)

Maybe you only want to protect wp-admin or login:

• In the rule builder, add a URL condition, for example: (http.request.uri.path contains "/wp-admin") Combine with the country condition the same way: (ip.geoip.country in {"XX"}) and (http.request.uri.path contains "/wp-admin") and not cf.client.bot

This way, normal visitors from that country can read your blog, but they can’t hit the admin panel.

---

Testing: how to be sure it’s working

• Go to Security → Events / Firewall events and watch logs in real time.
• Use a VPN to simulate traffic from that country (from your phone or a test machine) and try to load the site.
• Don’t rely on changing only the User-Agent to “Googlebot”. Cloudflare’s Known Bots checks are smarter than just UA strings, so a fake UA won’t slip through.

---

What about Ahrefs, Semrush, etc.?

They are also “bots”, but not all are search engines. Many are verified and may pass cf.client.bot.
If you don’t want them, create an extra rule to Block their specific bot names or ASNs, or move them to a Managed Challenge. Keep the search engine experience clean and fair.

---

Quick FAQs

Will this affect my SEO?
No. Googlebot/Bingbot and other verified good bots will continue crawling normally.

Free plan or paid?
cf.client.bot (Known Bots) is available across plans. Bot Management scores (like cf.bot_management.score) are for higher plans—nice to have, not required for this setup.

Block or Managed Challenge—what to pick?
Start with Managed Challenge for a few days. If false positives are zero, switch to Block.

I locked myself out!
Whitelist your IP: Security → WAF → Tools → IP Access Rules (Allow). Or temporarily disable the rule.

---

Copy–paste expressions

• Single-rule (block country except bots): (ip.geoip.country in {"XX"}) and not cf.client.bot
• Two-rule method:
  • Allow bots: cf.client.bot
  • Block country: ip.geoip.country in {"XX"}

---

Need help?

If you’d like Techvila to set this up end-to-end—rules, testing, and a short report—just ping us. We’ll configure, verify, and optimise without installing extra plugins.