.BOT FIGHT MODE killed my API requests

Hi there;
Please refer to the logs below. This is not something that should be happening, correct? Even if all the rules are skipped, the webserver on the WAF is still banned.

Thanks for getting back in touch with those replication steps. The error is occurring because the login API request is being blocked by Cloudlfare on the Plesk server.

The response shows the HTML code from a Cloudlfare challenge page:

...document.createElement('script');cpo.src = '/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=858e4bd699b35330';...

HERE’s my reply to WHMCS

I have identified the cause of the unsuccessful API request. Here’s where I discovered the answer: Bots: Recognise and reduce automated traffic to keep malicious bots off your domain.

WHMCS; 51 IP address appears to have been blocklisted by BOT FIGHT MODE.

I turned it off because it was something new that Cloudflare recently implemented and I had no idea was turned on. Would you guys handle this with Cloudflare, or would the N-user handle this?

Bot Fight Mode (free version) cannot be skipped or bypassed via Rules or any other mechanism. I would expect it to block API Requests/automated traffic, the entire point of is to fight Bots and only allow humans. Pro or higher have Super Bot Fight Mode which can be skipped and configured more.

Important considerations you need to be aware of before turning on BFM or SBFM

  • BFM and SBFM are high security features intended to quickly help customers under active attack stop as many bots as possible. Due to the high security threshold, false positives do sometimes happen.
  • BFM has limited control. You cannot bypass or skip BFM using the Skip action in WAF custom rules or using Page Rules. BFM will be disabled if there are any IP Access rules present. If you turned on BFM during an attack, and the attack has subsided, we recommend either disabling the feature using IP Access rules to bypass BFM, or looking at Bot Management for Enterprise, which gives you the ability to precisely customize your security threshold and create exception rules as needed.
  • SBFM can be bypassed with IP Access Allow action rules. You can use the Skip action in WAF custom rules to specify where Super Bot Fight Mode should not run.

For Free w/ Bot Fight Mode, your only option is to turn it off.

Hi, I appreciate your feedback. Regarding your response, it appears that turning it off is the best alternative for free users. However, this is not really the best approach when the WHMCS API is restricted; instead, Cloudflare administrators should investigate further to determine what is happening and why this is happening. How can we get the Cloudflare engineers or dev teams to look further into the problem and provide a fix on their backend.

I don’t understand what you mean by that? The purpose of Bot Fight Mode is to block automated requests and bots. It’s working as intended. The main issue is just that you can’t configure it to allowlist those requests.

When Cloudflare announced being able to skip Super Bot Fight Mode (paid version) with Custom Rules, they stated at the end they would eventually bring it to free Bot Fight Mode as well: The Cloudflare Blog

Once that happens, it would be possible to allowlist the web server’s IP. Until then, as CF’s FAQ says, BFM has limited control, and is recommended to be enabled during an attack and disabled afterwards.

Hi there,
I appreciate your feedback and will attempt to clarify once more. After logging in, I went to the Manager Account (TAB) and inserted the IP address that was supposed to be permitted. But the path of the webserver (/detect-route-environment) User agent GuzzleHttp/7 - Query String = Query string

So why does it give us the option to disable it here:
WAF components to skip

All remaining custom rules

All rate limiting rules

All managed rules

All Super Bot Fight Mode Rules
More components to skip

Zone Lockdown

User Agent Blocking

Browser Integrity Check

Hotlink Protection

Security Level

Rate limiting rules (previous version)

Managed rules (previous version)

There is no option to skip Bot Fight Mode in the list you shared. That says Super Bot Fight Mode can be skipped. This was already explained in great detail by @Chaika

If you need to skip Bot Fight Mode, the only current option is to disable it altogether

1 Like


Thank you for your input. I see that the other person went into detail and examined all of the information.

I can view the information. I spent some time looking over this a few times, and WHMCS remarked that it was really unclear why they would use similar names. WHMCS; please respond by asking why there is no information about this or how it affects the WAF or any information in the control panel. It is very easy for people to become confused. Can we hand this off to them, or do we need to file a complaint with Cloudflare, please ask?

Hi @danny0809881

Please see the documentation here Get started with Bot Fight Mode · Cloudflare bot solutions docs

Read the section Limitiations.