Hi, I have bot mode turned on, and firewall rules to block bots except for Google bots, yet people are still using bots to hit my website.
From the screenshot you shared, it seems to me like server is trying to do something, including the default WordPress cron.
I’d rather allowlist the origin host/server IP at Cloudflare → Security → Tools → IP Access Rules with the action “allow”.
Nevertheless, make sure to correctly configure Wordfence to work with Cloudflare proxy to return the correct visitor IP address under the Global Options - > CF-Connecting-IP:
Can you share a screenshot of your Firewall Rules at Cloudflare too? 
Unfortunately, obviously it might be you have an interesting content.
Regarding WordPress Security & Cloudflare, below might be of help:
That looks a typical annoying bot looking for exploits.
If it’s the regular Bot Fight Mode in a Free Plan, it’s not going to catch all bot behavior. Mostly, it’s just there to slow things down:
Not until you get to Super Bot Fight Mode in paid plans does it begin blocking bots. Sometimes it’s overzealous and has a tendency to block some automated requests you might want to keep:
https://support.cloudflare.com/hc/en-us/articles/360035387431#5KX8t3C6SObnoWs5F6YOlU
What I do is create a Firewall Rule to block ASNs of hosts of such unwanted bots, but NOT for Known (Good Bots).
1 Like
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.