Even though I have set “Challenge Passage” set to 4 hours, I receive a Cloudflare Captcha page every time I e.g. click “Update” on a post in my WordPress dashboard (Path
/wordpress/wp-admin/post.php). This affects another employee as well.
Other settings that might be relevant:
- Security Level: Low
- Browser Integrity Check: On
- Managed Rules:
- Web Application Firewall: On
- Enabled Cloudflare Managed Rulesets: Cloudflare Misc, Cloudflare Php, Cloudflare Specials, Cloudflare Wordpress
- OWASP Rulesets: All except for Joomla, phpBB and “Tight Security”
- OWASP Ruleset settings: Sensitivity=Medium, Action=Challenge
I have tried to create a Firewall rule to explicitly allow logged-in Wordpress users, to no avail. (I would provide a screenshot, but new users can only attach a single screenshot.)
In the event log, I can see that the “allow rule” gets triggered on some pages, but a few remain with “Challenge”.
Here’s an example of which rules were triggered by one of the “Challenge” requests:
What’s the best way to keep benefitting from Cloudflare’s WAF without making my WordPress dashboard nearly unusable?