If you don’t want requests going through Cloudflare’s Proxy at all, go to your Cloudflare DNS page and set the “Proxy Status” for the subdomain in question to DNS Only
This disables all Cloudflare features (other than basic DNS resolution).
My wordpress site server using a lot of CPU usage. Sometime up to 2000%, make my site too slow and cannot access.
After checking, too much request for /wp-admin/admin-ajax.php
So i want to enable managed challenge for /wp-admin/admin-ajax.php, what i did now is Security > WAF > Tools > and add managed challenge for Afrika and a few another country (as an example). My site CPU usage going low like <20% , i think it works already.
But the problem is my subdomain also effect with managed challenge and it make my subdomain not working properly.
I created page rules like these, but still not working.
Wonder if you’ve got some news portal and having “most read” or “popular” widget?
Might be it’s triggering or sending on each pagevisit, an “update” to the database when the newsposts are being cached as HTML and served, however despit crawlers and bots, and your regular visitors (traffic), it might be the case
Otherwise, what do your log files on your web server/origin host say for admin-ajax.php? have you tried to troubleshoot who’s visiting admin-ajax.php so much by their IP addresses? Hopefully, you’ve got implemented a way to determine the real visitor IP address on your origin host, otherwise each IP address for each request would be shown as coming from Cloudflare network instead of the real visitor IP address.
Are you doing encoding on your server?
If so, then it’s expected, however might be you’d have to switch to a better server if that’s the case and tune-up your streaming settings.
Your screenshot of the rule is bocking domain.com/* but the path you are concerned about is domain.com/wp-admin/admin-aja… whatever. Block the specific path if that’s what you are trying to achieve instead of a broad path to block anything
You’d even challenge yourself and it’s going to be impossible for you to work with such WAF rule.
Rather vice-versa, block admin-ajax.php for non-admins, non-editors, non-authors.
If you’re on wp-admin and something of plugin or builder or Gutenberg needs admin-ajax.php, you would have issue.
So, URI Path doesn’t contain wp-admin (I am on homepage, my path is / or I read some article my path is /name-of-the-article/) and URI Path contains admin-ajax.php (and I am executing something with admin-ajax.php, but I am not logged-in, neither in WP-Admin area) with the action Block (then block such requests).
Otherwise, you can combine URI Path contains admin-ajax.php and the cookie, if Cookie doesn’t contain wordpress_logged_in_ then block (again, this could be bypassed as well from my point of view but, it’s not the case currently …).