Disallow traffic from top hacking countries

(ip.geoip.country eq "CN") or
(ip.geoip.country eq "RU") or
(ip.geoip.country eq "UA") or
(ip.geoip.country eq "TR") or
(ip.geoip.country eq "TW") or
(ip.geoip.country eq "BR") or
(ip.geoip.country eq "RO")

: block

Disable xmlrpc

(http.request.uri eq "/xmlrpc.php")
: block

Discard all bot traffic to test subdomain

(lower(http.user_agent) contains "bot" and lower(http.host) eq "staging.example.com") or
(lower(http.user_agent) contains "crawl" and lower(http.host) eq "staging.example.com") or
(lower(http.user_agent) contains "fetch" and lower(http.host) eq "staging.example.com") or
(lower(http.user_agent) contains "parse" and lower(http.host) eq "staging.example.com") or
(lower(http.user_agent) contains "spider" and lower(http.host) eq "staging.example.com")
: block

Accept desirable bot traffic

lower(http.user_agent) contains "google" or
lower(http.user_agent) contains "bing" or
lower(http.user_agent) contains "yandex" or
lower(http.user_agent) contains "duckduckgo" or
lower(http.user_agent) contains "facebook" or
lower(http.user_agent) contains "twitter" or
lower(http.user_agent) contains "better uptime" or
lower(http.user_agent) contains "uptimerobot"
: allow

Reject all other bot traffic

lower(http.user_agent) contains "bot" or
lower(http.user_agent) contains "crawl" or
lower(http.user_agent) contains "fetch" or
lower(http.user_agent) contains "parse" or
lower(http.user_agent) contains "spider"
: block