Cloudflare Firewall for my website shows several visits under a “uablock” rule, i.e., user-agent blocking rule, that were nevertheless whitelisted instead of JS-challenged. This is a hacker attempting access to various php files, including: txt.php, system123.php, v4web.php and others.
I checked all my rules, and the only “Whitelist” action I have enbled are for Twitterbot, Facebook crawler and GTMetrix. The IP in case does not match any of those.
I have 4 Firewall Rules in place: Allow for known bots; JS challenge, challenge and block for 3 different cases. Also I have 8 UA and 4 IP rules in place with either Block or JS challenge.
The user-agent in case was supposed to be JS challenged either by one of my firewall rules based on country, or by the specific UA rule for this user-agent.
Any ideas of what could have gone wrong?