Bots attempting to log into WordPress from Cloudflare IPs

Hi everyone,

I’ve got an orange-clouded domain that has been chucking along just fine until about a week or two ago, when I started receiving 521 error code notifications stating that my origin server might be blocking Cloudflare traffic.

After checking the logs, I could see hundreds upon hundreds of attempts to GET and POST to the relevant /wp-login.php page on my domain, usually in groups of 5 or so. Many of the IP addresses are directly owned by Cloudflare, which led me to assume the two following possibilities:

  1. Either the bots were coming in from outside Cloudflare’s proxy/orange-cloud and the referring IP was not being logged somehow, or,
  2. The bots themselves were somehow configured to route all their requests from behind Cloudflare’s proxy and haven’t been detected as malicious yet.

Now, I thought I was being clever by hiding the domain’s /wp-login.php page behind a Cloudflare Access page (which works absolutely awesome, btw) but I just received yet another email from Cloudflare this morning with another 521 error code.

Other observations: I do not have any issues viewing the website and have not heard anything from any of my customers (yet). The server is a self-managed VPS without any changes to the underlying software stack for the past 5-6 weeks.

I would absolutely appreciate any help or suggestions in making sure I don’t block legitimate traffic, while denying bots a chance to hide behind Cloudflare. Happy hump day!


If it’s a self-managed VPS…hopefully everything on there goes through Cloudflare and you can configure the firewall to block anything that’s not a Cloudflare IP address:

Also, your logs shouldn’t show Cloudflare IP addresses if you’ve configured your server to restore Visitor IP addresses:

Thanks for sharing this, I learnt something today. What I do instead is use a WordPress plugin to change the WordPress login page URL to something else and I use a free Cloudflare Firewall rule to block /wp-login.php. It is very satisfying to watch 100s or 1000s of such attempts blocked at the Cloudflare edge. Alternatively you can deploy a free Rate Limiting rule targeting /wp-login.php.

To be clear, I still receive logs from other (non-Cloudflare) IPs. For example, my home connection. Is it possible for bots to hide their origin IPs behind Cloudflare’s network? i.e. using Workers to remove/reroute the origin IP for outbound traffic? Why would I get bursts of traffic from Cloudflare IPs trying to access my site (i.e. scanning for vulnerable plugins installed) unless someone set up their bots to hide behind Cloudflare?

This is another good idea! I develop tons of sites and also provide hosting, so keeping track of custom WordPress login slugs is an added obstacle. I’ll set up Cloudflare Access or at least a brute force limiter. Still, this is one of the best uses for Cloudflare’s firewall!
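Added example (not part of the thread or any poster's code): a log triage script for the two suggestions in the first reply, separating /wp-login.php requests that arrived through Cloudflare from ones that hit the origin directly, and counting them per real visitor. Assumptions: the access log is a combined-style line with the CF-Connecting-IP header appended as a final quoted field, the function names are hypothetical, and the network list is only a sample of Cloudflare's published ranges.

```python
import ipaddress
import re
from collections import Counter

# Sample of Cloudflare's published IPv4 ranges; in practice load the current
# list from https://www.cloudflare.com/ips-v4 (and ips-v6).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]

# Assumed log format: combined-style line with the CF-Connecting-IP header
# appended as a final quoted field ("-" when the header is absent).
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<cf_ip>[^"]*)"$')

def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def classify(line):
    """Return (source, visitor_ip) for a wp-login.php request, else None."""
    m = LINE_RE.match(line)
    if not m or not m["path"].startswith("/wp-login.php"):
        return None
    if is_cloudflare(m["peer"]):
        # Peer is a Cloudflare edge, so the header was set by Cloudflare.
        try:
            return ("proxied", str(ipaddress.ip_address(m["cf_ip"])))
        except ValueError:
            return ("proxied-no-header", m["peer"])
    # Direct hit on the origin: the header is client-supplied, so ignore it.
    return ("direct", m["peer"])

def summarize(lines):
    """Count wp-login.php requests per (source, visitor_ip)."""
    return Counter(c for c in map(classify, lines) if c)

# Constructed sample log lines; visitor addresses are documentation ranges.
SAMPLE = [
    '172.68.10.5 - - [01/Jan/2020:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "203.0.113.7"',
    '172.68.10.9 - - [01/Jan/2020:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "203.0.113.7"',
    '162.158.90.1 - - [01/Jan/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "198.51.100.23"',
    '192.0.2.44 - - [01/Jan/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "203.0.113.7"',
    '172.68.10.5 - - [01/Jan/2020:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 900 "203.0.113.7"',
]

if __name__ == "__main__":
    for (source, ip), hits in summarize(SAMPLE).most_common():
        print(f"{source:18} {ip:16} {hits}")
```

Any "direct" rows mean the origin is reachable without passing through Cloudflare, which is what an origin firewall limited to Cloudflare's ranges closes off.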
