Bot Fight Mode appears to not be affected by IP Access Rules

Tagging onto an older set of posts about Bot Fight Mode (free plan):


as well as

I’m using Bot Fight Mode on a free plan. With Bot Fight Mode enabled, API calls from one of my plugins are being blocked, yet they appear to go through with Bot Fight Mode disabled.

I can find several connection attempts from the Event Logs for type ?wc-api=ORDER (transaction attempt API call) but none for ?wc-api=LINK (API status test).

When I enable Bot Fight Mode and I go to the plugin and click Save Settings, it makes an API status test call to their server and verifies if the connection goes through. It fails and says that API credentials could not be verified. I check the WAF Events log and am unable to find a single connection attempt.

When I disable Bot Fight Mode and I go to the plugin and click Save Settings, it succeeds however when I check the WAF Events log I am still unable to find a single connection attempt.

Now, when I enable Bot Fight Mode and wait for a transaction (successful or otherwise), I can see inside the logs that the connection got blocked because of Bot Fight Mode (in the top right of that connection entry. When I disable Bot Fight Mode, it says that Skip as the Custom Rules have permitted the connection to go through.

From what I understand from another thread, Bot Fight Mode cannot be skipped with Custom Rules for Free Plan users. Super Bot Fight Mode can be skipped. It is currently in the plans, but no indication on when Bot Fight Mode is skippable for Free Users.

In the threads above however, it seems to indicate that Bot Fight Mode can be circumvented by adding the IP’s to the IP Access Rules under WAF > Tools. When I add the IP’s to the IP Access Rules and I enable Bot Fight Mode, the API Test calls still fail, but they work when Bot Fight Mode is disabled.

This brings me to 2 questions:

  1. Why is it that the API test connections do not show up on WAF Events?

  2. Can Free Users use IP Access Rules to bypass Bot Fight Mode and if so, why does that not appear to be working in my test case above?

How long did you wait? It can take a few minutes for new events to show up there, I’ve found that changing the time frame to a shorter time can help.

My understanding, as per the docs, is any IP Access Rules will disable Bot Fight Mode entirely

BFM has limited control. You cannot bypass or skip BFM using Firewall Rules or Page Rules. BFM will be disabled if there are any IP access rules present.

If it is, for some reason, not disabling itself even with IP Access Rules Present, you manually turning it off would accomplish the same.

I would reiterate the same points that FAQ Entry raises:

  • BFM and SBFM are high security features intended to quickly help customers under active attack stop as many bots as possible. Due to the high security threshold, false positives do sometimes happen.

If you turned on BFM during an attack, and the attack has subsided, we recommend either disabling the feature…

That FAQ Entry is a bit old and recommends Enterprise Bot Management for more customization/exclusions, although as you know, these days you can create exclusions with Pro or higher’s Super Bot Fight Mode as well. I would follow the same general guidance though, to enable it when under attack and disable it otherwise, or just be prepared for false positives to happen.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.