I’ve been experiencing an issue with one of my plugins on WordPress. My provider’s support asked me to add a page rule to my Cloudflare configuration to disable all security and caching for their REST API endpoint, but they have now come back to me and said:
“…seems like Cloudflare is still blocking the request, and it’s assuming the request is a DDOS attack.”
Their original request:
“Cloudflare is blocking the REST API request. You need to exclude blocking / whitelist the request. Log in to your Cloudflare dashboard and add page rules. See the attachment and replace yoursite.com with your website URL.”
I believe I have done everything correctly but there must be something I am missing.
I’ve also added a firewall rule to allow traffic to any URI containing /wp-json/ and am seeing some traffic pass through that rule, but it doesn’t allow me to include multiple URIs in one rule, so I can’t add each different endpoint without running out of my rule allowance.
Thanks for the swift reply sdayman. I have temporarily paused Cloudflare and confirmed that doing that fixes the issue so it looks certain to be a misconfiguration on my part. I have:
Added a “page rule” to disable security and bypass caching for any URI matching thehustlecommunity.com/fluent-support - this is the API instructed by my provider. Screenshot of my rule to verify my settings.
Added a page rule to bypass ALL caching across the entire domain. I already have several caching solutions that I don’t want to conflict.
In the Firewall Activity Log, find one of the requests that was blocked and take a screenshot of the expanded log entry - if it was blocked by (Super) Bot Fight Mode, you can’t override that with firewall rules - only by whitelisting the IP address it came from in IP Access Rules.
I have checked the firewall rule activity and I can see two relevant JS Challenge entries, screenshots below, but I can also see several relevant ALLOWED entries.
Yeah - Bot Fight Mode can’t be modified by Firewall Rules since it runs before the WAF in the traffic flow.
You can only blanket whitelist the IP address from all bot/WAF features - or disable Bot Fight Mode and implement your own firewall rules that act off threat score or challenge ASNs like Digital Ocean and Google (which are usually automated traffic).
As you can see, both the allowed and challenged URIs have the same root, /wp-json/, so I can’t understand why one would be allowed and the other challenged. But it also looks like the same type of request is challenged both times: the “push” to the API.
I’ve just noticed that in my page rules it states that ONLY ONE rule will trigger per URI - so if both my rules match that URI then only the first one will trigger? Which means that all I was doing was disabling caching - but not disabling security on that second rule? Have I understood that correctly? And does the “disable security” include disabling Bot Fight Mode on that page?
Surely “Page Rule” hits before IP Access and then Bots, no?
So my page rule, set to “Disable Security, Security Level: Effectively none”, should bypass the Bot Fight Mode too, no? Or is Bot Fight Mode not included in “Disable Security, Security Level: Essentially Off”?
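The first-match behaviour the poster describes (only one Page Rule fires per URL, the first one in the list whose pattern matches) is easy to get wrong when a domain-wide rule sits above a more specific one. The script below is an added example, not code from the original thread or from Cloudflare. It is a simplified offline model of Page Rule matching: patterns are anchored after the scheme is stripped and `*` is the only wildcard. The two rules mirror the ones described above, and the rule patterns, their order and the sample request URLs are constructed assumptions (the poster's screenshots are not on the page). It models Page Rule ordering only and says nothing about Bot Fight Mode.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PageRule:
    """One Page Rule: a URL pattern (only '*' is special) plus the settings it applies."""
    name: str
    pattern: str
    disable_security: bool = False
    bypass_cache: bool = False


def _strip_scheme(url: str) -> str:
    # A pattern written without a scheme matches both http and https, so compare without it.
    return re.sub(r"^https?://", "", url, count=1)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a Page Rule pattern into an anchored regex; '*' matches any run of characters."""
    literal_parts = [re.escape(part) for part in _strip_scheme(pattern).split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def first_matching_rule(url: str, rules: list[PageRule]):
    """Return (position, rule) for the first rule whose pattern matches, or None.

    Only this one rule is applied; later matching rules are ignored (first-match semantics).
    """
    target = _strip_scheme(url)
    for position, rule in enumerate(rules):
        if pattern_to_regex(rule.pattern).match(target):
            return position, rule
    return None


def security_disabled_for(url: str, rules: list[PageRule]) -> bool:
    """True only if the rule that actually fires for this URL has Disable Security set."""
    hit = first_matching_rule(url, rules)
    return hit is not None and hit[1].disable_security


def requests_still_secured(urls: list[str], rules: list[PageRule]) -> list[str]:
    """Audit helper: logged request URLs for which no firing rule disables security."""
    return [u for u in urls if not security_disabled_for(u, rules)]


# Constructed rules mirroring the thread: a domain-wide cache bypass and an API rule
# that disables security. The patterns themselves are assumptions.
DOMAIN_CACHE_BYPASS = PageRule("bypass all caching", "thehustlecommunity.com/*", bypass_cache=True)
API_DISABLE_SECURITY = PageRule(
    "API: disable security",
    "thehustlecommunity.com/fluent-support*",
    disable_security=True,
    bypass_cache=True,
)

# The order in which the poster appears to have them, and the corrected order.
RULES_AS_ORDERED = [DOMAIN_CACHE_BYPASS, API_DISABLE_SECURITY]
RULES_REORDERED = [API_DISABLE_SECURITY, DOMAIN_CACHE_BYPASS]

# Constructed sample request URLs standing in for Firewall Activity Log entries.
LOGGED_REQUESTS = [
    "https://thehustlecommunity.com/fluent-support/portal",
    "https://thehustlecommunity.com/wp-json/fluent-support/v2/tickets",
    "https://thehustlecommunity.com/blog/",
]


if __name__ == "__main__":
    for label, rules in (("as ordered", RULES_AS_ORDERED), ("reordered", RULES_REORDERED)):
        print(f"{label}: still under normal security -> {requests_still_secured(LOGGED_REQUESTS, rules)}")
```

With the domain-wide rule first, every request hits that rule and the API rule never fires, so nothing has security disabled. After reordering, the `/fluent-support/...` request gets the API rule, while the `/wp-json/...` request still falls through to the domain-wide rule because the API pattern does not cover that path. The audit helper is the useful part: feed it the URIs seen in the activity log and it shows which ones your rule set never reaches.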
Only IP Access Rules can bypass Bot Fight Mode - Bot Fight Mode could be compared to a big, indiscriminate hammer for automated traffic, there isn’t any way to customize it.
Bot Fight Mode is not included in Disable Security and Security Level is just Managed Challenges based on the threat score of an IP address.