Help with conflicting security log information

Hello

I have recently been scanning over my logs and doing my best to harden up my wordpress install.

I just discovered something of interest and something I thought I should not really be seeing.

While physically observing my live Wordfence logs (local security logs), I am discovering some hits to a URL I was quite sure should not actually be reachable, given a “Contains” WAF rule.

In my live local logs I just discovered, while watching them, the following:

I was surprised to see such a request reach my local site logs while I am not showing any activity on the following WAF rule, as it should have blocked these using “contains”:

This is an indication to me that my contains wp-login.php is not working.

Sure, because your ands require the path to contain all these values, which is unlikely and also not the case here. You need or instead; however, make sure that it is properly placed, in particular because of your IP address. So you can’t just replace them, but make sure the expression is properly formatted.

For example (path or path or path or path) and ip not.

But again, the documentation should have most on that as well as the search.

You want to pay particular attention to Rule operators and grouping symbols · Cloudflare Ruleset Engine docs

Again, documentation :wink:

2 Likes

Hello

I am not really sure of anything you said to be honest

From my understanding, if it was “equals” of course it won’t work. However, using “contains”, from my understanding, anything that contains /wp-login.php should get blocked.

The reason I find the information you provided very conflicting is due to this, and why I thought this should have been working just fine.

(http.host contains "mydomain.com" and not cf.edge.server_port in {80 443}) or (http.request.uri.path contains "cpanel" and ip.src ne x.x.x.x) or (http.host contains "cpanel.domain.tld" and ip.src ne x.x.x.x)

Using the rule above for something else I have actually totally blocks an article URL I have on my site that contains the word cpanel in the URL. It is there to block people from getting to my cpanel via the standard cpanel port number on the end of cpanel hosted domains.

It contains “Contains”:

.cpanel-and-the-file-transfer-protocol-ftp/

So this is why I say the info provided and the “contains” rule seem to do conflicting things as per the documentation.

So if “Contains” is blocking a WordPress post that I have on my site about cpanel, and the word cpanel is in the URL, then I would have thought that using “Contains” would also be blocking anything that contains wp-login.php.

I am sorry, but I really can’t follow what you just said. Where does the host or the proxy port come in in any of that?

We were talking about your expression and that you cannot use ands because this defines an expression, which cannot evaluate to true with your requests. The obvious solution is to fix this and use the proper ors instead, which is what I mentioned.

Again, please do pay attention to the documentation as that is all explained there as well, in particular precedence, which you will also have to use because of your IP restriction.

If you want to write expressions you should really get familiar with boolean logic.

What Boolean Logic Is & How It’s Used In Programming may be a good start.

The expression you posted with the port is very different and follows a completely different approach. There, and works; in yours it does not, I am afraid.

Perhaps you should start with simple rules.

Your current rule says if the URL contains foo AND the URL contains bar AND the URL contains another thing AND the source IP address IS NOT x.x.x.x. All of those ANDs can’t be true… well, they can be, but you’re expecting them singularly to be true, which is why, as @sandro mentioned, they should be ORs.

Regex can be complicated even when people understand how regex works. There are online regex testers where you can use a sample string to see if your rule matches a particular phrase/string. It’s probably best to use one of those to validate the logic of your expression is correct before implementing a rule.

2 Likes
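As an added illustration (not code from this thread or from Cloudflare), the three shapes of the rule discussed above modelled in Python against constructed sample requests: the all-AND form, the grouped OR form, and the ungrouped OR form that shows why precedence matters for the IP exemption. `ADMIN_IP`, the `foo`/`bar` fragments and the request samples are assumptions standing in for the thread's x.x.x.x and placeholder paths.

```python
from dataclasses import dataclass

ADMIN_IP = "203.0.113.10"  # constructed stand-in for the thread's "x.x.x.x"

# Fragments the rule is meant to block; "foo"/"bar" mirror the placeholders used above.
BLOCKED_FRAGMENTS = ("wp-login.php", "foo", "bar")


@dataclass(frozen=True)
class Request:
    path: str    # http.request.uri.path
    ip_src: str  # ip.src


def all_and_rule(r: Request) -> bool:
    """Broken form: path contains a AND path contains b AND ... AND ip.src ne ADMIN_IP.
    Only a path containing every fragment at once could ever match."""
    return all(f in r.path for f in BLOCKED_FRAGMENTS) and r.ip_src != ADMIN_IP


def grouped_or_rule(r: Request) -> bool:
    """Intended form: (path contains a OR path contains b OR ...) AND ip.src ne ADMIN_IP."""
    return any(f in r.path for f in BLOCKED_FRAGMENTS) and r.ip_src != ADMIN_IP


def ungrouped_or_rule(r: Request) -> bool:
    """Same operators with no parentheses. `and` binds tighter than `or`, so the
    IP exemption only applies to the last fragment; the admin IP is still blocked
    on wp-login.php."""
    return ("wp-login.php" in r.path) or ("foo" in r.path) or (
        "bar" in r.path and r.ip_src != ADMIN_IP)


def blocked_paths(rule, requests):
    """Return the paths a rule would block, in request order."""
    return [r.path for r in requests if rule(r)]


# Constructed sample traffic: two visitors, one admin login, one harmless article URL.
SAMPLE = [
    Request("/wp-login.php", "198.51.100.7"),
    Request("/foo/", "198.51.100.7"),
    Request("/wp-login.php", ADMIN_IP),  # admin should be let through
    Request("/cpanel-and-the-file-transfer-protocol-ftp/", "198.51.100.7"),
]

if __name__ == "__main__":
    for rule in (all_and_rule, grouped_or_rule, ungrouped_or_rule):
        print(f"{rule.__name__:18} blocks {blocked_paths(rule, SAMPLE)}")
```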

Ey, no regex dissing here :sunglasses:

But seriously, I am not sure where regular expressions came in, but, @matthew.giannelis, I am sorry, I’d strongly advise you to stay away from regular expressions for the time being if you are not even familiar with fundamental boolean logic. Regular expressions are quite handy and can be beautiful, but it takes experience, and if you are confused by basic boolean operators, they will certainly not contribute to further clarity. Also, they are not available on Pro plans.

Start with learning about boolean operators.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.