Concern about actions after "managed challenge"

What is the name of the domain?

floresnocais.pt

What is the issue you’re encountering

I’ve noticed an increase in “managed challenges” in WAF events and the actions taken on my site have me worried. Here are some screenshots so you can see what these actions were and what measures I should take. Thank you

What is the current SSL/TLS setting?

Full

Screenshot of the error

More information about Managed Challenge actions can be read at the link below:

In general:

Actions for “Managed Challenge”:

I hope the above helps a bit.

For a WordPress login, if it’s only you and/or a few more users, I’d consider Zero Trust for the login page :wink:

More useful things for Cloudflare & WordPress:

1 Like

Hi @fritex

Thank you so much for the quick answer.
My concern is that the JS challenge is being passed by someone acting via the “Tor” country and trying to access paths like this:

xmlrpc.php
/en/wp-content/uploads/p3d/evil.php
/en/evil.php
/en/wp-content/uploads/simple-file-list/evil.jpg

About xmlrpc.php, I’ve already blocked it via a custom rule. About the others, I don’t know if I should do something else.

For wp-login I don’t have Zero Trust, but I have that path blocked by a custom rule too.

If you’re not concerned about having a lower impact on the server CPU and strange “Tor” requests, I’d consider blocking “T1”, Tor as a country, in a Custom Firewall Rule.

Knowing that my colleagues and I, when using the WordPress Dashboard, never come via Tor web browser(s), I’d remove this risk and block all requests (even to my website, not just the WordPress dashboard) and eliminate any “bad traffic” and “bad players” out there :wink:

However, that’s not always the case.

The paths like the ones you’ve stated, I’ve seen them in my Firewall Events as well.

If your origin host/server isn’t affected by some malware and there is no malicious code, no nulled plugins and themes, I’d say it’s just probing to find some of the “well known and existing” paths to execute those scripts and do harm to your website. There are a lot of those kinds of requests swimming on the network from different ASNs and providers, scanners, etc., which is good to block.

1 Like
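
An added example, not part of the thread or of Cloudflare's tooling: one way to check the "origin isn't affected" condition from the reply above is to audit the WordPress uploads tree on the origin for PHP files and for image-named files that contain a PHP tag, and to see whether any of the probed paths exists on disk. The function names, the extension list, the treatment of `/en` as a language prefix with no directory on disk, and the demo tree are assumptions made for illustration.

```python
import os
import tempfile

# Extensions often handed to the PHP interpreter (assumption: adjust to your server).
PHP_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
# Probed URL paths quoted in the thread's WAF events.
PROBED = ["/en/wp-content/uploads/p3d/evil.php", "/en/evil.php",
          "/en/wp-content/uploads/simple-file-list/evil.jpg"]

def audit_uploads(wp_root):
    """Map each suspicious file under wp-content/uploads to the reason it was flagged."""
    findings = {}
    for dirpath, _dirs, files in os.walk(os.path.join(wp_root, "wp-content", "uploads")):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, wp_root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in PHP_EXTS:
                findings[rel] = "php-extension"
                continue
            try:
                with open(full, "rb") as fh:
                    head = fh.read(65536)  # only the first 64 KiB is inspected
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if b"<?php" in head.lower():
                findings[rel] = "php-tag-in-non-php-file"
    return findings

def probed_paths_present(wp_root, probed=PROBED, prefix="/en"):
    """Return the probed URL paths that correspond to a real file on disk."""
    present = []
    for url in probed:
        rel = url[len(prefix):] if url.startswith(prefix + "/") else url
        if os.path.isfile(os.path.join(wp_root, rel.lstrip("/"))):
            present.append(url)
    return present

def build_demo_tree():
    """Create a constructed WordPress-like tree in a temp dir and return its root."""
    root = tempfile.mkdtemp()
    samples = {"wp-content/uploads/2024/photo.jpg": b"\xff\xd8\xff\xe0JFIF",
               "wp-content/uploads/p3d/evil.php": b"<?php /* constructed */",
               "wp-content/uploads/simple-file-list/evil.jpg": b"\xff\xd8<?php /* constructed */"}
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    print(audit_uploads(demo), probed_paths_present(demo))
```

Findings need review rather than automatic deletion: some plugins place a harmless placeholder `index.php` inside uploads subdirectories. On a clean origin, `probed_paths_present` returns an empty list.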

Thank you for your advice. I’ll go ahead and try blocking Tor traffic as you suggested. I believe it’s the best course of action to reduce potential risks and eliminate any unwanted traffic to my site. I appreciate your input and will monitor the impact on server performance after making this change.

Thanks again!

1 Like
