Sorry, you have been blocked You are unable to access surdelsur.com
What is the issue you’re encountering
cant login to my site
What steps have you taken to resolve the issue?
When I disable the custom rule I can log in to the backend
Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Full (strict)
What are the steps to reproduce the issue?
This is the custom rule and it was working perfectly fine until I changed my old IP to my new IP
(ip.src ne 45.77.196.122 and ip.src ne 186.22.17.245 and http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php") or (http.request.uri.path contains "wp-config.php") or (http.request.uri.path contains "license.txt") or (http.request.uri.path contains "wp-activate.php") or (http.request.uri.path contains "readme.html") or (http.request.uri.path contains "wp-load.php") or (http.request.uri.path contains "wp-settings.php") or (http.request.uri.path contains "/iconos/") or (http.request.uri.path contains "mraid.js") or (http.request.uri.path contains "php.ini") or (http.request.uri.path contains ".user.ini") or (http.request.uri.path contains ".php" and http.request.uri.path contains "/wp-admin/") or (http.request.uri.path contains "phpinfo.php") or (http.request.uri.path contains "adminer.php") or (http.request.uri.path contains "wlwmanifest.xml") or (ip.geoip.country eq "SG") or (http.request.uri.path contains "/?doing_wp_cron=") or (ip.src in {172.160.0.0/11})
Is this the IP address of your internet connection, or your server? If your internet connection, did you update the rule to use your new IP address? I assume that’s set here…
Use OR instead of AND here.
The request cannot come and contain both IP addresses.
It’s either 1st or 2nd IP address in the request or neither of those two.
Since not equal, use “IS NOT IN” instead to group them together.
(not ip.src in {45.77.196.122 186.22.17.245} and http.request.uri.path contains "/wp-login.php")
The other part Singapore is wrong: or (ip.geoip.country eq "SG")
Corrected is:
(ip.src.country eq "SG")
Full corrected expression rule:
(not ip.src in {45.77.196.122 186.22.17.245} and http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php") or (http.request.uri.path contains "wp-config.php") or (http.request.uri.path contains "license.txt") or (http.request.uri.path contains "wp-activate.php") or (http.request.uri.path contains "readme.html") or (http.request.uri.path contains "wp-load.php") or (http.request.uri.path contains "wp-settings.php") or (http.request.uri.path contains "/iconos/") or (http.request.uri.path contains "mraid.js") or (http.request.uri.path contains "php.ini") or (http.request.uri.path contains ".user.ini") or (http.request.uri.path contains ".php" and http.request.uri.path contains "/wp-admin/") or (http.request.uri.path contains "phpinfo.php") or (http.request.uri.path contains "adminer.php") or (http.request.uri.path contains "wlwmanifest.xml") or (ip.src.country eq "SG") or (http.request.uri.path contains "/?doing_wp_cron=") or (ip.src in {172.160.0.0/11})
Looking for a solution I found these example rules that look very clean and much more elaborated than my rules. https://webagencyhero.com/cloudflare-waf-rules-v3/
They add a layer of security to the login page by blocking bots, not humans.
I have one more question how can I block this kind of request:
GET /index.php - User enumeration scan (author archives)
GET /index.php - SQL injection
GET /index.php - Directory traversal
GET /index.php - Bogus user-agent signature
Is it safe to block the access to the index.php file?
Have you tried splitting it into smaller chunks and testing what you want to achieve?
Allow only your IP, onto what request, which, and where for the path or multiple files?
Are you able to filter out all countries except your own for wp-login and then JS Challenge even your country after all the others are blocked?
Cloudflare Access fits your needs if only you or a few members need access to WP login area:
Or it’s about public forum or board, or even some e-commerce webshop, and it’s not the case?
Below might help (sharing part from mine):
(http.request.uri.query contains "author" and not http.request.uri.path contains "wp-admin")
(http.request.uri.query contains "author_name")
Furthermore, disable /wp-json/ if not used in general, limit access to which parts of WP JSON should all or some be allowed to access (either logged-in users only, or some of the members, or noone) either via WordPress plugin or add part of the code into your functions.php file of your theme, or block access via WAF rule.
Block access to the /wp-json/wp/v2/users via WAF rule via code example:
Have you got Free or paid plan type like Pro? Pro has got great improvement in the WAF such as Managed Rules, OWASP and more which you can adjust and tune-up as needed.
(http.request.uri contains "?%00") or (http.request.uri contains "eval") or (http.request.uri contains "base64") or (http.request.uri contains "var_dump") or (http.request.uri contains "<script") or (http.request.uri contains "%3Cscript") or (http.request.full_uri contains "<?php") or (http.request.uri contains "GLOBALS") or (http.request.uri contains "REQUEST")
You can add up the DROP for example, or %, or SELECT(, UNION( etc.
Keep index.php files empty on directories and disable directory listing on your web server Apache or Nginx or some other.
Example as:
(http.request.uri contains "passwd") or (http.request.uri contains "../../")
Block empty user-agents and more:
(http.user_agent eq "" and not ip.src in {your_origin_webserver_ipadr})
Remember, you’re limited with 4096 characters per Custom WAF Rule, so in Free plan you have to combine to fit into the 5 rules in total, while with Pro plan you’ve got even more WAF rules (25), easier and better combinations and much better to go with Managed Rules which you can enable, disable and tune-up as needed with a single click, no need to worry about SQLi and more things.
Helpful:
Block ASNs directly via IP Access Rules and spare Custom WAF Rules:
More cool stuff here:
Depending how your web server is configured, is the URL structure using index.php such as Joomla or rather rewrites configured on index.php and it’s not seen in the URL address bar? (if accessing directly, it’ll be blocked, otherwise shouldn’t be blocked - you can block in such case)
Block HTTP/1.0 requests as well: (http.request.version eq "HTTP/1.0")
Block TOR (T1) country: (ip.geoip.country eq "T1")
Block direct access to any .php file inside wp-content (includes plugins, themes and uploads): (http.request.uri.path contains ".php" and http.request.uri.path contains "/wp-content/")
Add Cloudflare Turnstile widget to your wp-login.php via plugin or manually:
Disable the user registration, remove unnecessary links from wp-login page - either with plugin or manually via functions.php of your active theme.
You can even test yourself, online WPScan, track your Security → Events, then block the ASN so noone can run tests from those online tools such as WPScan and similar.
Takes some time, but pays out once you’ve figure it out the WAF rules which fit your case
When trying to access the login window I receive a warning message from Cloudflare. This has happened since I changed the access IP. Before I didn’t have any problem, so no, I didn’t split the rule, because before with my old IP, it worked fine.
I have the Ninja FW plugin protecting the site, it is a stand-alone firewall that stands in front of WordPress , however, I was looking to block most of the threats at Cloudflare level
