Firewall rules blocking me

I just added a few firewall rules and was editing the site when I got a 1020 error, see screenshot: https://ibb.co/hs481wL
I set up all the rules mentioned in this article:
https://turbofuture.com/internet/Cloudflare-Firewall-Rules-for-Securing-WordPress
I thought I allowed my IP address (I didn't find Whitelist, so I chose Allow). Could it be that I entered the wrong IP address? I didn't really understand how to find my IP address and what kind it is (in the article they said there are several options for whitelisting your IP address, but I couldn't understand how to choose, and which one I should choose).
Can you help me ?
Thank you in advance.

The IP below the prompt page is your IP address.

And what is the prompt page?

Your screenshot

I just searched Google for "what's my IP address" and got a number labelled "Your public IP address:", so I allowed it.

OK, I'm now trying to allow the IP.

What? I allowed my IP address that was mentioned in the screenshot, and when I refreshed the page my IP address changed!

OK, when I allow both IPs I get access. If I get more 1020 errors I'll just allow them. Thanks for the clarification!!

Whatever firewall rules you implement, you should not get blocked while visiting your site. WordPress has its own protections against human visitors trying to access privileged areas: it requires a login. You should be able to control bots by simply applying a Challenge (Captcha) to these areas. Plugins should not request URLs over the internet; they have direct access to your server, and therefore they will not be blocked by Cloudflare. If (and only if) you make use of a plugin that utilizes /wp-admin/admin-ajax.php on the front end of your site, you should then allow this specific path.

For more robust protection of your /wp-admin/, /wp-login.php, and /xmlrpc.php areas, I'd recommend Cloudflare Access. You create one policy for each of these areas and only let in people who are authenticated by an identity provider, such as Google, Facebook, or an email to your own site. It's free for the first 5 seats. If you need more seats, you can pay as you go. If you need many seats, you can think of other solutions, including Workers.

My site is a personal blog, so I'm the only worker :-). So how do I create this Cloudflare Access? And can you describe which plugins utilize wp-admin/admin-ajax.php? And I think I got blocked because I whitelisted the wrong IP address. You're saying I'm not supposed to be blocked at all? But then how does Cloudflare block unwanted human visitors? And are you saying that all the rules referred to in the article should be Captcha and not Block? Which exactly are supposed to be Captcha and which should be Block?

Thousands. You need to know whether any of the plugins you have on your site make use of this. You can visit your site with Developer Tools open and check the Network tab to see if this file is requested on the front end (your public site). Several plugins use this only on the back end, such as Redirection.

If, instead of creating a rule to block /wp-login.php, you create an Access policy, everyone will be presented with an authentication page when they request those URLs. Only authenticated users will be allowed in.

You should create rules based on behavior. Study your origin server logs, see if you can identify patterns of unwanted visits, then create firewall rules accordingly.

An Access policy is, for all practical purposes, a block to anyone except authenticated visitors. Set them for your back end (/wp-admin/, login page, etc.). Rules in Firewall Rules may be set to Challenge (Captcha) or Block; it depends on the goal.

For instance, you may create a firewall rule that challenges any visitor NOT coming from the countries where your target audience is expected to be, and add an exception for known bots and certain URLs. If a legitimate visitor is travelling abroad, they will be able to solve the Captcha and see your site, which would not be possible with a block.

Something like this:
When incoming requests match…
(not cf.client.bot and not ip.geoip.country in {"US" "GB" "CA"} and not http.request.uri.path in {"/ads.txt" "/robots.txt"})

then Challenge

And couple that rule with a stricter one for bad behavior, one that will actually block visitors requesting URLs such as /admin/, /wp-config.php, /.env, etc. Check your origin logs for recent attempts and create the rule accordingly.

Always visit your front end after enabling a rule and make sure everything is working (forms, menus, etc.).

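The reply above makes three practical points: check whether any plugin calls /wp-admin/admin-ajax.php from the public front end before blocking /wp-admin/, study the origin server logs for unwanted request patterns, and turn those patterns into a block rule for paths such as /wp-config.php and /.env. The script below is an added example written for this thread, not code from the reply or from Cloudflare. It parses a few constructed Nginx/Apache "combined" format log lines, flags admin-ajax.php requests whose referer is a public page (those would break under a blanket /wp-admin/ block), groups probe requests for sensitive paths by client IP, and prints the Cloudflare firewall rule expressions that follow from what it found. The sample log, the list of sensitive paths, and the `example.com` host are all assumptions for illustration.

```python
"""Scan origin access logs for front-end admin-ajax.php use and probe traffic.

Added example for the thread above; the log lines are constructed, not real.
Log format assumed: Nginx/Apache "combined" format.
"""
import re
from collections import Counter

# One regex for the combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths a legitimate visitor of a WordPress site never requests (assumed list,
# based on the examples given in the reply; extend it from your own logs).
SENSITIVE_PATHS = ("/wp-config.php", "/.env", "/admin/", "/.git/config")

AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample log: a normal visitor, a logged-in editor, and a scanner.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2021:12:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 231 "https://example.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2021:12:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://example.com/wp-admin/edit.php" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2021:12:00:09 +0000] "GET /.env HTTP/1.1" 404 0 "-" "python-requests/2.25"
192.0.2.44 - - [10/Jun/2021:12:00:10 +0000] "GET /wp-config.php HTTP/1.1" 403 0 "-" "python-requests/2.25"
192.0.2.44 - - [10/Jun/2021:12:00:11 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.10 - - [10/Jun/2021:12:00:15 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Return one dict per parseable line; the query string is dropped from the path."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["path"] = entry["path"].split("?", 1)[0]
            entries.append(entry)
    return entries


def frontend_ajax_calls(entries):
    """admin-ajax.php requests whose referer is a public page (not under /wp-admin/).

    These are exactly the requests a firewall rule that blocks /wp-admin/ would break,
    which is why the reply says to allow this one path only if such requests exist.
    """
    return [e for e in entries
            if e["path"] == AJAX_PATH and "/wp-admin/" not in e["referer"]]


def probe_requests(entries):
    """Requests for paths in SENSITIVE_PATHS (exact match on the path)."""
    return [e for e in entries if e["path"] in SENSITIVE_PATHS]


def probing_ips(entries, min_hits=2):
    """Client IPs that requested at least min_hits sensitive paths, sorted."""
    hits = Counter(e["ip"] for e in probe_requests(entries))
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def block_rule_expression(paths=SENSITIVE_PATHS):
    """Cloudflare firewall rule expression that matches the sensitive paths exactly."""
    quoted = " ".join(f'"{p}"' for p in paths)
    return f"(http.request.uri.path in {{{quoted}}})"


def recommended_rules(entries):
    """(action, expression) pairs derived from the log, in the order they should be listed."""
    rules = []
    if frontend_ajax_calls(entries):
        # Allow must sit above any rule that blocks or challenges /wp-admin/,
        # because a matching Allow stops further rule evaluation.
        rules.append(("Allow", f'(http.request.uri.path eq "{AJAX_PATH}")'))
    if probe_requests(entries):
        rules.append(("Block", block_rule_expression()))
    return rules


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in frontend_ajax_calls(log):
        print(f"front-end admin-ajax call from {e['ip']} (referer {e['referer']})")
    print("probing IPs:", probing_ips(log))
    for action, expr in recommended_rules(log):
        print(f"{action}: {expr}")
```

Run it against a real `access.log` by replacing `SAMPLE_LOG` with the file contents; a front-end admin-ajax hit in the output is the signal the reply asks you to look for in the browser's Network tab, and the probing IPs show which paths a block rule should cover.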
  1. So about the "configuring Access policies" article you sent me, I'm setting an Access policy for everything that contains wp-admin? And I have no idea what my purposes are, I'm just doing what you say; should I set the Access policy to Captcha or Block?
  2. I checked the Inspect tool / Network tab for plugins that utilize wp-admin/admin-ajax.php, but I couldn't understand how I am supposed to know that from the Inspect tool.
  3. "Study your origin server logs, see if you can identify patterns of unwanted visits, then create firewall rules accordingly"? I'm sorry, but I just installed Cloudflare and am a complete newbie; seeing this email was kind of a mindblow :-).
  4. "You may create a firewall rule that challenges any visitors NOT coming from the countries your target audience is expected to be in": was this a mere example, or do you recommend doing this?
