Firewall issues

Hello Team cloudFlare,
I am having some issues with Firewall rules, I have created 2 firewall rules but after creating these rules every hour it’s blocking one resources In every country & that is /wp-admin/admin-ajax.php
Pls check these images

And what is the issue?

Also, it is not clear what these rules are. You need to screenshot of their details.

Issue is why it’s blocking every country location by same path Uri /wp-admin/admin-ajax.php
Here is the followed screenshot

The first rule will block all non-US requests which contain “/wp-admin” (be that on the root directory or lower). Is that not intended?

Based on my experience, the first rule should be replaced with an Access Policy to authenticate legit users. This will block access to anyone who’s not previously authorized, no matter their country of origin.

The second rule, if the intention is to prevent direct access to vulnerable plugin files could be written like this:

URI Path contains “.php” AND
URI Path contains "/wp-content/
then Block (or Challenge etc)

Matching against referrer is very difficult to implement, as some of your legit traffic may have an empty or a “-” referrer.

If you want to implement other WordPress firewall rules, here a post with some good ones.

sir
as a beginner i am following one guide, https://onlinemediamasters.com/cloudflare-settings-for-wordpress/
https://onlinemediamasters.com/cloudflare-settings-for-wordpress/#firewall

i have checked this earlier and these 2 articles too… https://onlinemediamasters.com/cloudflare-settings-for-wordpress/#firewall

1 Like

These are certainly very popular blogs and I’ve followed Online Media Masters’ recommendations on other subjects (caching plugins etc) to good results.

I’ve come to prefer using Access to protect /wp-admin, since it casts a wider net, but if you are set on using a Firewall Rule, then the one spelled out by the TurboFuture link should avoid the issue you are pointing to, as it expressly bypasses the Ajax URL (as well as the theme editor URL):

(http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")

In general, I don’t like the idea of blocking countries. I have a rule that JS challenge countries, but I only implemented if after whitelisting some of the crawlers I need to let in. As cloud computing has become a reality these days, there are many services that depend on a network of computers spread all over the world. Facebook and Twitter, for instance, are both not listed as a “known bot” in Cloudflare’s list, and they use servers in Ireland and elsewhere to crawl websites. So you may be losing some social network mojo if you block a large number of countries, unless you whitelist their crawlers.

I’d rather use behavior-based rules, such as “if visitor wants to get to a PHP file inside /wp-content/ folder, block visitor”, and for this kind of rule you don’t need to worry about whitelisting specific crawlers.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.