I have applied a new rate limiting rule (20 requests/1 minute)

What is the name of the domain?

karlwinters.com

What is the issue you’re encountering?

Is this activity abnormally high? How do I investigate further?

What steps have you taken to resolve the issue?

Within 24 hours, there has been 13k+ activity. Is this considered a DoS attack? How can I investigate further? Expression: (http.request.uri contains "/wp-content/" and not cf.bot_management.verified_bot and not cf.verified_bot_category in {"Search Engine Crawler" "Search Engine Optimization" "Monitoring & Analytics" "Advertising & Marketing" "Page Preview" "Academic Research" "Security" "Accessibility" "Webhooks" "AI Crawler"})

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

Screenshot of the error

I’d say there’s no need for Rate Limiting for wp-content; however, as you’re seeing from the graph, it could be due to crawlers, bots, scrapers, online bots and vulnerability-scanning websites.

Rather, just block direct access and requests for everyone trying to access, call or execute a .php file from wp-content (this includes plugins, themes and uploads, which is mostly where malicious scripts or malware sit) and anyone trying to find a vulnerability with an online scan or other software & tools, since by default no one should be doing that.

Use the custom WAF rule below:

(http.request.uri.path contains ".php" and http.request.uri.path contains "/wp-content/")

Sharing a recent post of useful scripts for WordPress security & protection, all in one place:

Thanks. Added WAF rule with .php.

I looked at the server log for a suspicious IP with 404s, and it’s showing many consecutive .php visits in 24 hrs.
Do you recommend rate limiting on domain.com or a WAF rule to mitigate?

Could you check by the IP and determine which ASN they are coming from?

You can Challenge requests from such ASNs via Custom WAF Rule, or even better with IP Access Rules.

On higher paid plans it makes more sense to use Rate Limiting, since you can combine conditions, e.g. if requests from the same IP to the same path exceed 10 per second, then block for e.g. 1 hour.

It might be a host from which you’re being scanned for any kind of vulnerability; they’re trying to spoof and find the particular file to CC your host as well.

I’d say the best option is to combine WAF, IP Access Rules and Rate Limiting for your case.

It might be difficult to match all those kinds of requests with the limited 5 rules on a Free plan; by upgrading to Pro you would be able to deal with them more efficiently, and since you’d get Managed WAF Rules and OWASP as well, it’ll be much more effective against those, and the insights and detections would be much better for you.
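As an added example (not from the thread), here is the offline log triage the replies above describe: a Python script over constructed access-log lines that counts 404s and hits on the suggested .php-under-/wp-content/ condition per client IP, and flags IPs that exceed the 20 requests/minute limit mentioned at the top of the thread. The combined-log format, the 192.0.2.x sample addresses and the sample paths are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed combined-log sample (not from the thread); 192.0.2.0/24 is a documentation range.
# One client probes 25 .php paths under /wp-content/ inside one minute (all 404); another browses normally.
SAMPLE_LOG = [
    f'192.0.2.10 - - [10/Mar/2024:12:00:{s:02d} +0000] "GET /wp-content/plugins/p{s}/readme.php HTTP/1.1" 404 0'
    for s in range(25)
] + [
    '192.0.2.20 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-content/uploads/hero.jpg HTTP/1.1" 200 8123',
    '192.0.2.20 - - [10/Mar/2024:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    """Parse one combined-log line into a dict (ip, ts, method, path, status), or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def matches_waf_rule(path):
    """Same condition as the custom WAF rule suggested above: a .php request under /wp-content/."""
    return ".php" in path and "/wp-content/" in path

def rate_limit_offenders(entries, limit=20, window_s=60):
    """Sliding window per client IP; return the IPs that exceed `limit` requests within `window_s` seconds."""
    recent, offenders = defaultdict(deque), set()
    for e in sorted(entries, key=lambda e: e["ts"]):
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() >= window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            offenders.add(e["ip"])
    return offenders

def triage(lines):
    """Per-IP request, 404 and WAF-rule-hit counts, plus the set of IPs over the 20-per-minute limit."""
    entries = [e for e in map(parse, lines) if e]
    per_ip = defaultdict(lambda: {"requests": 0, "404s": 0, "waf_hits": 0})
    for e in entries:
        s = per_ip[e["ip"]]
        s["requests"] += 1
        s["404s"] += int(e["status"] == 404)
        s["waf_hits"] += int(matches_waf_rule(e["path"]))
    return dict(per_ip), rate_limit_offenders(entries)
```

Run `triage(open("access.log").read().splitlines())` against a real log to get the same per-IP counts; an IP with many 404s that all hit the WAF condition is the pattern the replies attribute to scanners.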

IP is coming from AS396356. The IP does not have a good reputation: https[:]//www[.]abuseipdb[.]com/check/108.165.243.113
