Firewall rules not blocking URI path


I’m sorry if I am duplicating but I cannot find a post for this problem listed.

I have created some rules to protect my website following this guide: Cloudflare-Firewall-Rules-for-Securing-WordPress

Example rule:
(http.request.uri.path contains “/wp-login.php”) or (http.request.uri.path contains “/xmlrpc.php”)
then BLOCK

What happens:
Using my mobile phone (wifi switched off) and an incognito browser I go to > Login page loads asking for my credentials.

What I expected:
To see the Cloudflare block page

Either wrong Cloudflare account or not proxied.

What’s the domain?

1 Like

Or whitelisted.

Thank you so much!! This was driving me nuts.

The answer: My root domain was not proxied (set to DNS only).
Now I’ve updated it I can see it working.