Now, I still get requests like this one:
User-Agent: Chrome 60.0.3112.107 | Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
It definitely does not contain Win64, and also not Chrome /1
Where am I going wrong?
Thanks for the help in advance!
I should also say that the best way to protect your WordPress backend is by setting Zero Trust Access Application Policies. But like any other Cloudflare feature, it’s only going to work as expected when you restrict access to Cloudflare IPs only.
I copied your rule as is and tested it against one of my domains, and it worked correctly, blocking requests from curl for paths containing admin or login, but not for path admin-ajax. or when I changed the UA to one that included “Win64”.
I’d check if there are other WAF rules that could possibly lead to allow/skip action, and make sure the current rule is placed in the proper order. Also, check for any IP Access rules that may be at play. Last, make sure you don’t have any Transform Rule (which triggers before WAF) that may be altering the requested path somehow.