Hello
I am trying to work out how to create WAF to block chosen countries from access to wp-admin and wp-login but I don't know how to write the expression.
Can someone please post it here.
Thanks
Greetings,
Thank you for asking.
You’d need it only for wp-login.php, as /wp-admin/ is doing a redirection.
Furthermore, blocking resources from the /wp-admin/ directory or locking them isn’t very useful.
Example to restrict the access from multiple countries to the wp-login.php:
(ip.geoip.country in {"BA" "HR" "RS" "SI"} and http.request.uri.path contains "wp-login.php")
In my case, I usually have 2 Firewall Rules:
As an example, in picture:
Expression:
(ip.geoip.country ne "HR" and http.request.uri.path contains "wp-login.php")
As an example, in picture:
Expression:
(http.request.uri.path contains "wp-login.php")
On the Firewall Rules list, this is how it looks:
Since you’re using WordPress, I’d suggest my post here as it contains a lot of useful stuff:
Hi there
So I should challenge my own country, which is the only one I will be leaving open, right?
Hi there
Sorry, I was using only URL and not URL PATH.
However, the Wordfence block is kicking in instead, not the Cloudflare blocking.
I believe these countries I added should be seeing the Cloudflare blocking first no matter what.
Hi thanks for the info.
I have done a test and configured the first part as such
(ip.geoip.country in {"AF" "AX" "AL" "DZ" "AS" "AD" "AO" "AI" "AG" "BD" "BW" "BR" "CO" "CG" "DK" "FJ" "IN" "MV" "PH" "RU" "SE" "AE" "GB" "US" "NL"} and http.request.uri eq "wp-login.php")
Now strange thing
I also have the Wordfence plugin's country blocking installed and running. In Cloudflare I have blocked Russia. I then connect to Russia via VPN. I try to access wp-login from Russia and the Wordfence blocking page kicks in. Should that country not actually see the Cloudflare blocking page first?
This is an indication to me that my Cloudflare country blocking is not working. I would have thought they would see the Cloudflare blocking page first instead of the Wordfence blocking page.
I have Wordfence blocking in place also in case they get around the firewall IP and know my origin server IP.
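Why the `http.request.uri eq "wp-login.php"` rule posted above matches nothing while the `http.request.uri.path contains "wp-login.php"` form does, modelled in Python as an added example that is not part of the thread and not Cloudflare code. The `Request` class, the helper names and the sample requests are constructed; the model assumes `http.request.uri` is the path plus query string and that the path always begins with "/".

```python
from dataclasses import dataclass

@dataclass
class Request:
    """Constructed stand-in for the request fields the thread's expressions read."""
    country: str     # ip.geoip.country (two-letter code)
    path: str        # http.request.uri.path (always begins with "/")
    query: str = ""  # query string, without the leading "?"

    @property
    def uri(self) -> str:
        # http.request.uri = path plus "?query" when a query string is present
        return self.path + ("?" + self.query if self.query else "")

def path_contains(r: Request) -> bool:
    # http.request.uri.path contains "wp-login.php"  (case-sensitive substring)
    return "wp-login.php" in r.path

def uri_eq(r: Request) -> bool:
    # http.request.uri eq "wp-login.php"  (whole-string equality)
    return r.uri == "wp-login.php"

def block_listed(r: Request, countries: set, url_match) -> bool:
    # (ip.geoip.country in {...} and <url_match>)
    return r.country in countries and url_match(r)

def block_all_but(r: Request, home: str) -> bool:
    # (ip.geoip.country ne "<home>" and http.request.uri.path contains "wp-login.php")
    return r.country != home and path_contains(r)

# Constructed sample requests, not taken from any real log.
SAMPLES = [
    Request("RU", "/wp-login.php"),
    Request("RU", "/wp-login.php", "redirect_to=%2Fwp-admin%2F"),
    Request("HR", "/wp-login.php"),
    Request("RU", "/blog/hello-world/"),
]

def evaluate(samples, countries=frozenset({"RU"}), home="HR"):
    """Return (country, uri, path-rule, uri-eq-rule, all-but-home rule) per request."""
    return [(r.country, r.uri,
             block_listed(r, countries, path_contains),
             block_listed(r, countries, uri_eq),
             block_all_but(r, home)) for r in samples]

if __name__ == "__main__":
    for row in evaluate(SAMPLES):
        print(row)
```

The `uri eq` column is false for every sample because the field value carries the leading "/" (and any query string), so a rule written that way lets the request through to the origin, where a plugin-level block would be the first thing to respond.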
Regarding Wordfence and Cloudflare, make sure to correctly configure Wordfence to work with Cloudflare proxy to return the correct visitor IP address under the Global Options → CF-Connecting-IP:
Nevertheless, maybe you’d need to check below article too:
I’d also suggest that you whitelist the origin host/web server IP at Cloudflare → Security → WAF → Tools → IP Access Rules with the action “allow” for your Website.
Hello
Thank you for this.
Can I ask: if I am using this setting, but an attacker knows my server IP and goes around Cloudflare, then the Wordfence country block would no longer work, right?
Wordfence would catch this, as it always has.