How to disable security features in CF, but the traffic is still routed to CF?

What is the name of the domain?

What is the issue you’re encountering

I need to disable security for selected subdomain

What are the steps to reproduce the issue?

My site is using Wordpress.

  1. How to enable managed challenged only for selected domain or subdomain from all visitor? Ex:

/wp-admin/admin-ajax.php
panel.domain.com

or

  1. How to disable security features in CF for selected subdomain, but the traffic is still routed to Cloudflare? Ex:

/wp-admin (enable managed challenge/security enabled)
control.domain.com (disable managed challenge/security disabled)

I’m not quite sure if I understand your question.

If you don’t want requests going through Cloudflare’s Proxy at all, go to your Cloudflare DNS page and set the “Proxy Status” for the subdomain in question to DNS Only :grey:

This disables all Cloudflare features (other than basic DNS resolution).

Ok let me explain a bit.

My wordpress site server using a lot of CPU usage. Sometime up to 2000%, make my site too slow and cannot access.
After checking, too much request for /wp-admin/admin-ajax.php

So i want to enable managed challenge for /wp-admin/admin-ajax.php, what i did now is Security > WAF > Tools > and add managed challenge for Afrika and a few another country (as an example). My site CPU usage going low like <20% , i think it works already.

But the problem is my subdomain also effect with managed challenge and it make my subdomain not working properly.
I created page rules like these, but still not working.

I had to remove Country managed challenge to be able my subdomain works like normal, but the high cpu usage come again.

So how can i exclude managed challenge for selected subdomain, and enable managed challenge for certain URL only?

Wonder if you’ve got some news portal and having “most read” or “popular” widget? :thinking:

Might be it’s triggering or sending on each pagevisit, an “update” to the database when the newsposts are being cached as HTML and served, however despit crawlers and bots, and your regular visitors (traffic), it might be the case :thinking:

Otherwise, what do your log files on your web server/origin host say for admin-ajax.php? have you tried to troubleshoot who’s visiting admin-ajax.php so much by their IP addresses? Hopefully, you’ve got implemented a way to determine the real visitor IP address on your origin host, otherwise each IP address for each request would be shown as coming from Cloudflare network instead of the real visitor IP address.

Or you’re running some kind of a WooCommerce? :thinking:

Hi, i’m not running any WooCommerce for my website.

Just using Wordpress streaming theme, from what can i see the theme is using ajax function for player.

So back to my question, is there any step to deploy it?

Are you doing encoding on your server? :thinking:
If so, then it’s expected, however might be you’d have to switch to a better server if that’s the case and tune-up your streaming settings.

No, my site not doing any encoding, only Wordpress.

Then i embed the video from other server.

Your screenshot of the rule is bocking domain.com/* but the path you are concerned about is domain.com/wp-admin/admin-aja… whatever. Block the specific path if that’s what you are trying to achieve instead of a broad path to block anything

My setup is correct?

Bump, anyone?

You’d even challenge yourself and it’s going to be impossible for you to work with such WAF rule.

Rather vice-versa, block admin-ajax.php for non-admins, non-editors, non-authors.

If you’re on wp-admin and something of plugin or builder or Gutenberg needs admin-ajax.php, you would have issue.

So, URI Path doesn’t contain wp-admin (I am on homepage, my path is / or I read some article my path is /name-of-the-article/) and URI Path contains admin-ajax.php (and I am executing something with admin-ajax.php, but I am not logged-in, neither in WP-Admin area) with the action Block (then block such requests).

Otherwise, you can combine URI Path contains admin-ajax.php and the cookie, if Cookie doesn’t contain wordpress_logged_in_ then block (again, this could be bypassed as well from my point of view but, it’s not the case currently …).