Cloudflare Challenge shown on every Wordpress post submit


Even though I have set “Challenge Passage” set to 4 hours, I receive a Cloudflare Captcha page every time I e.g. click “Update” on a post in my WordPress dashboard (Path /wordpress/wp-admin/post.php). This affects another employee as well.

Other settings that might be relevant:

  • Security Level: Low
  • Browser Integrity Check: On
  • Managed Rules:
    • Web Application Firewall: On
    • Enabled Cloudflare Managed Rulesets: Cloudflare Misc, Cloudflare Php, Cloudflare Specials, Cloudflare Wordpress
    • OWASP Rulesets: All except for Joomla, phpBB and “Tight Security”
    • OWASP Ruleset settings: Sensitivity=Medium, Action=Challenge

I have tried to create a Firewall rule to explicitly allow logged-in Wordpress users, to no avail. (I would provide a screenshot, but new users can only attach a single screenshot.)

In the event log, I can see that the “allow rule” gets triggered on some pages, but a few remain with “Challenge”.

Here’s an example of which rules were triggered by one of the “Challenge” requests:

What’s the best way to keep benefitting from Cloudflare’s WAF without making my WordPress dashboard nearly unusable?


If you’re on a paid plan, here are two changes I made to the WAF:

1 Like

Thanks; it looks like these are already enabled by default, and are enabled in my account:

Is there any way to check what exactly these rules entail, and/or a way for me to customize them?

closed #4

This topic was automatically closed after 30 days. New replies are no longer allowed.