403 error at the Wordpress admin dashboard

What is the name of the domain?

https://www.invorderingsbedrijf.nl/

What is the error number?

403

What is the error message?

403 Forbidden

What is the issue you’re encountering?

When I go through the pages of the form plugin in the admin dashboard, Cloudflare blocks my ip and gives a 403 page. It has started very recently.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Off

Screenshot of the error

I am not aware of any /wp-admin/admin.php being a legal request; I question whether the admin.php file should be requested by any plugin you’re using :thinking:

Except, some plugins like Yoast, WP Mail SMTP, W3 Total Cache, etc. do use admin.php.

Looks more to me like a legitimately blocked request, since that might be a case where Cloudflare security triggered it as if it thought it was some kind of known behaviour and path for vulnerability scans.

May I ask if you’re using a free or paid plan type?

Which plugin is it that is looking for admin.php file inside wp-admin directory?

I’d suggest you scan your web hosting for any malicious code or possible malware.

I’d suggest you double-check Security → Events in the Cloudflare dashboard under your Cloudflare account for your zone.

You should be able to see the challenged or blocked event under the Security tab → Events in the Cloudflare dashboard for your zone and know exactly which security option was triggered. Could be Managed Rules, my best guess, otherwise Bot Fight Mode or Browser Integrity Check.

Once you find them, click on a particular one to find more details about it (user-agent, IP, HTTP version …). If so, could you share some details about which service was triggered that blocked you?

  • You should see your origin host/server IP out there and a user-agent like WP-cron or WordPress/version

Just in case you encounter some issues and/or errors, since it’s related to WordPress, I’d suggest you allowlist your origin host / server / hosting IP address by navigating to Security → WAF → Tools → IP Access Rules with the action “allow” for your website and try again.

It is known to happen due to WordPress using HTTP/1.0 and an empty user-agent, e.g. while executing WP-Cron or some other related JSON/REST API request via a plugin, which triggers the WAF rules (as it should normally).
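As an added example (not from the thread or from Cloudflare), the triage below applies the indicators named in the reply to Security Events exported from the dashboard: a blocked event is a candidate for an origin-IP allow rule when it comes from the origin host itself and carries a WordPress/WP-Cron user-agent, or an empty user-agent over HTTP/1.0. The record fields, the origin IP and the sample events are constructed for illustration, not a Cloudflare schema.

```python
from dataclasses import dataclass

# Assumed origin/hosting IP (RFC 5737 documentation range, constructed).
ORIGIN_IP = "203.0.113.10"


@dataclass
class SecurityEvent:
    """Constructed subset of the fields shown per event in Security -> Events."""
    client_ip: str
    user_agent: str
    http_version: str
    path: str
    action: str   # "block", "challenge", "managed_challenge", "allow", ...
    source: str   # "waf" (Managed Rules), "botfight", "bic", ...


def is_wordpress_self_request(ev: SecurityEvent, origin_ip: str = ORIGIN_IP) -> bool:
    """True when the request matches the pattern described in the reply:
    sent by the origin host to itself, either with a WordPress/WP-Cron
    user-agent or with an empty user-agent over HTTP/1.0."""
    ua = ev.user_agent.strip()
    from_origin = ev.client_ip == origin_ip
    wp_ua = ua.startswith("WordPress/") or ua.lower().startswith("wp-cron")
    legacy_blank = ua == "" and ev.http_version == "HTTP/1.0"
    return from_origin and (wp_ua or legacy_blank)


def triage(events):
    """Split challenged/blocked events into likely self-inflicted ones
    (candidates for an IP Access Rule allowing the origin IP) and the
    rest, which stay blocked and are left for manual review."""
    allowlist_candidates, review = [], []
    for ev in events:
        if ev.action not in ("block", "challenge", "managed_challenge"):
            continue
        (allowlist_candidates if is_wordpress_self_request(ev) else review).append(ev)
    return allowlist_candidates, review


# Constructed sample events: two WordPress self-requests, two external clients,
# and one request that was already allowed.
SAMPLE_EVENTS = [
    SecurityEvent(ORIGIN_IP, "WordPress/6.4; https://example.invalid", "HTTP/1.1", "/wp-cron.php", "block", "waf"),
    SecurityEvent(ORIGIN_IP, "", "HTTP/1.0", "/wp-json/wp/v2/settings", "block", "waf"),
    SecurityEvent("198.51.100.7", "Mozilla/5.0", "HTTP/2", "/wp-admin/admin.php?page=forms", "block", "botfight"),
    SecurityEvent("198.51.100.9", "python-requests/2.31", "HTTP/1.1", "/wp-admin/admin.php", "block", "waf"),
    SecurityEvent(ORIGIN_IP, "WordPress/6.4", "HTTP/1.1", "/wp-cron.php", "allow", "waf"),
]

if __name__ == "__main__":
    candidates, rest = triage(SAMPLE_EVENTS)
    print(f"{len(candidates)} self-request block(s) -> consider allowing {ORIGIN_IP}")
    print(f"{len(rest)} block(s) from other clients -> review manually")
```

Events from an external client (including the administrator's own browser hitting admin.php) are deliberately kept in the review bucket, since the reply's allowlist advice applies only to the origin host.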

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.