---

Blocking Countries from Accessing Your Website Using Cloudflare

Blocking access to your website based on a visitor’s country is something Cloudflare can do, but it’s also one of the most misunderstood and frequently misused security controls.

Cloudflare’s tooling, terminology, and best practices have changed over time. Many guides (including older ones) still reference “Firewall Rules”, even though Cloudflare has officially moved this functionality into Security Rules. In addition, recent community discussions and Cloudflare documentation clarify that country blocking alone is rarely an effective long-term solution for spam or abuse.

This guide explains:

• How country blocking actually works in Cloudflare today
• When country blocking makes sense
• Better alternatives for stopping spam without restricting legitimate users

What “Country Blocking” Really Means in Cloudflare

Cloudflare does IP-based geolocation, not user identity verification. When a request reaches Cloudflare’s edge:

• Cloudflare maps the visitor’s IP address to a country using its GeoIP database
• That country value is evaluated in security rules
• Actions such as Block, Managed Challenge, or Allow are applied

Important limitations:

• IP geolocation is not 100% accurate
• VPNs, proxies, and Tor can easily change a visitor’s apparent country
• A “blocked country” does not equal a “blocked attacker”

Because of this, Cloudflare and security professionals generally recommend layered controls, not blanket country bans.

Important terminology update

Cloudflare no longer uses “Firewall Rules” as a primary feature.

In the current Cloudflare dashboard, country blocking and similar controls are handled through Security rules.

If a guide instructs you to create a “Firewall Rule,” it is using outdated Cloudflare terminology and does not reflect the new dashboard or workflow.

When Blocking Countries Does Make Sense

Blocking access by country can be reasonable if:

• You must comply with legal or licensing restrictions
• You are responding to a temporary, region-specific attack
• You want to protect specific areas (admin, login, APIs)

It is not ideal if your main goal is stopping spam.

How to Block Countries Using Cloudflare Security Rules (New Dashboard)

Step 1: Log in to Cloudflare

Sign in to your Cloudflare dashboard and select the website you want to protect.

Step 2: Go to Security Rules

Navigate to: Security → Security rules

Step 3: Create a New Rule

Click Create rule (top-right).

• You can create a rule from scratch or use templates
• Enter a descriptive rule name, for example: Block Russia

Step 4: Define When Requests Match

Under When incoming requests match, configure:

• Field: Country
• Operator: is in
• Value: Select one or more countries (e.g. Russian Federation)

To block multiple countries:

• Add more countries in the value field, or
• Use multiple conditions joined with OR

Behind the scenes, Cloudflare evaluates: ip.geoip.country

Step 5: Choose the Action

Under Then take action, select one:

• Block – immediately deny matching requests
• Managed Challenge – show a browser/CAPTCHA challenge (recommended for most sites)
• Log – monitor traffic without blocking

Step 6 (Optional): Configure a Custom Response

If you choose Block, you can optionally configure a custom response:

• Response type: HTML, Text, JSON, or XML
• Response code: Any HTTP status from 400–499 (default is 403)
• Response body: Up to 2 KB

Custom responses are available on Pro plans and above.

Step 7: Deploy the Rule

Click Deploy to activate the rule immediately, or Save as Draft if you’re not ready yet.

Rules apply globally within seconds.

Important Notes Before Using Country Blocking

• Country blocking applies to your entire site
• VPNs and proxies can bypass it
• Legitimate users and search crawlers may be blocked
• It is best used for compliance or temporary mitigation, not spam prevention

If your goal is stopping spam (especially form spam), form-level filtering is usually the better option.

Alternative: Control Countries and Stop Spam with OOPSpam

OOPSpam (that’s us 👋) lets you restrict countries where it matters (forms) while also blocking spam using behavioral and contextual detection. Unlike Cloudflare’s site-wide country blocking, OOPSpam combines country controls with advanced spam filtering, so you don’t have to choose one or the other.

How to Use OOPSpam for Country Blocking 

Step 1: Install and Connect OOPSpam

Install the OOPSpam Anti-Spam plugin (WordPress) and connect via API. 

Create an account at OOPSpam.com and copy your API key. Paste it into OOPSpam → General Settings.

Step 2: Enable Form Protection

Turn on spam protection for your forms (e.g. WPForms, WS Form, Gravity Forms). This ensures all submissions are checked before being saved.

Step 3: Configure Country Filtering

Go to OOPSpam → Settings → Country Filtering and choose one of the following:

• Trusted Countries – Always allow submissions from selected countries and skip spam checks (useful for low-risk regions or where your business operates)
• Country Allowlist – Accept form submissions only from selected countries
• Country Blocklist – Block submissions from selected countries  (Trusted Countries always override this)

Save your settings once complete.

Key advantages:

• Country allowlists and blocklists at the form level
• Trusted Countries to prevent false positives
• VPN, proxy, and TOR blocking
• Rate limiting and language filtering
• Contextual, behavior-based spam detection
• Logs and monitoring for visibility

Your website remains accessible, and only spam submissions are blocked.

Final Thoughts

Blocking countries with Cloudflare is possible, but it’s not the silver bullet many guides make it out to be.

Use country blocking when you truly need it. Use OOPSpam when your goal is stopping spam without blocking real users. If you want a secure site that stays accessible worldwide, focusing on behavior-based spam detection is usually the smarter choice.