Now, I still get requests like this one:
Requested: wp-admin/css/admin.php
User-Agent: Chrome 60.0.3112.107 | Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
It definitely does not contain Win64, and also not Chrome /1
Where am I going wrong?
Thanks for the help in advance!
You must make sure that all requests to your origin come from Cloudflare, and all other requests are denied by your origin. One way of doing this is by setting up Authenticated Origin Pull, please check the documentation: Authenticated Origin Pulls (mTLS) · Cloudflare SSL/TLS docs
I should also say that the best way to protect your WordPress backend is by setting Zero Trust Access Application Policies. But like any other Cloudflare feature, it’s only going to work as expected when you restrict access to Cloudflare IPs only.
Thank you, cbrandt. We are employing Authenticated Origin Pull and we are blocking every IP except the ones from Cloudflare.
So I’m absolutely sure the request came through Cloudflare. I probably made a mistake with the WAF rule. But I just don’t know what it is - this is why I’m asking for help here.
I copied your rule as is and tested it against one of my domains, and it worked correctly, blocking requests from curl for paths containing admin or login, but not for the path admin-ajax, or when I changed the UA to one that included “Win64”.
I’d check if there are other WAF rules that could possibly lead to allow/skip action, and make sure the current rule is placed in the proper order. Also, check for any IP Access rules that may be at play. Last, make sure you don’t have any Transform Rule (which triggers before WAF) that may be altering the requested path somehow.
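The following is an added example, not code from the thread and not Cloudflare's evaluation engine. It models the rule-ordering point made in the last reply: a custom rule that blocks a request when tested on its own can still let it through when an earlier rule with a skip action matches first. The rule itself is an assumed reconstruction from the behaviour reported in the thread (block when the path contains "admin" or "login", except the path admin-ajax and except when the User-Agent contains "Win64"); the "skip Android clients" rule, the `Request`/`Rule` types and the function names are hypothetical. The sample request reuses the path and User-Agent pasted in the question, typos included, because that is the string the real rule had to match.

```python
"""Model of ordered WAF custom-rule evaluation (added example; assumptions noted inline).

Cloudflare's `contains` operator is case-sensitive, so the checks here are too.
A rule with action "skip" is modelled as "do not evaluate the remaining custom rules".
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Request:
    path: str
    user_agent: str


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str  # "block" or "skip"


def wp_backend_matches(req: Request) -> bool:
    """Assumed reconstruction of the rule discussed in the thread (not the poster's expression)."""
    if "admin-ajax" in req.path:
        return False
    if "Win64" in req.user_agent:
        return False
    return "admin" in req.path or "login" in req.path


WP_BACKEND_RULE = Rule("block wp backend unless Win64", wp_backend_matches, "block")

# Hypothetical earlier rule an admin might have added to keep a mobile app working.
# It never mentions wp-admin, yet placed before the block rule it lets the bot through.
SKIP_ANDROID = Rule("skip custom rules for Android clients",
                    lambda r: "Android" in r.user_agent, "skip")

# Constructed sample: the request pasted in the question (User-Agent copied verbatim).
BOT_REQUEST = Request(
    path="wp-admin/css/admin.php",
    user_agent=("Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) "
                "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                "Chrome/60.0.3112.107 Moblie Safari/537.36"),
)


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, Optional[str]]:
    """Walk rules in configured order; the first rule that matches decides the outcome."""
    for rule in rules:
        if rule.matches(req):
            if rule.action == "skip":
                return "allow", rule.name
            return "block", rule.name
    return "allow", None


def decide_alone() -> Tuple[str, Optional[str]]:
    """The block rule on its own: the bot request is blocked."""
    return evaluate([WP_BACKEND_RULE], BOT_REQUEST)


def decide_with_earlier_skip() -> Tuple[str, Optional[str]]:
    """Same block rule, but a skip rule sits above it: the bot request is allowed."""
    return evaluate([SKIP_ANDROID, WP_BACKEND_RULE], BOT_REQUEST)


def decide_with_skip_after() -> Tuple[str, Optional[str]]:
    """Same two rules, block rule first: the bot request is blocked again."""
    return evaluate([WP_BACKEND_RULE, SKIP_ANDROID], BOT_REQUEST)


if __name__ == "__main__":
    print("block rule alone:   ", decide_alone())
    print("skip rule first:    ", decide_with_earlier_skip())
    print("skip rule after:    ", decide_with_skip_after())
```

Transform Rules are not modelled; if one rewrites the path before the WAF runs, `wp_backend_matches` would see the rewritten string, which is the other failure mode the reply points at.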