I totally don't trust Cloudflare Pro Firewall

My site was hacked yesterday; they bypassed Cloudflare security and reached my site.
I have a Wordfence firewall on my site; thanks to it I got rid of it.
I’m starting to think Cloudflare isn’t working

Whilst Cloudflare does offer WAF and other security services, it’s generally not a replacement for security at your origin, especially with something as targeted as WordPress.

Some initial things to get you started:

  • Do you have your origin exposed to the public internet, or do you only allow connections from Cloudflare? If it’s the former, then people will still be able to hit your site directly and work around Cloudflare.
  • Is your WordPress installation completely up to date, as well as any plugins? If not, then that should be your primary focus and something you continue to maintain - WordPress is one of the most popular things on the internet, so is a massive target for attacks.
  • How about other software on your origin? PHP version? etc.
1 Like

Thank you for your comment and reply.
My site is completely up to date
Php version 7.4
They bypassed the Cloudflare Firewall and reached my server; Wordfence blocked it.
I’ve seen that people who know the Cloudflare Firewall can bypass it 100%.
I’m 100% sure of that

Could you share the information that led you to this conclusion? Once again I’d like to ask:

  • Do you have your origin exposed to the public internet, or do you only allow connections from Cloudflare? If it’s the former, then people will still be able to hit your site directly and work around Cloudflare.

Yes, it is a public e-commerce site (WooCommerce).
I blocked the attacker’s ASN on Cloudflare and I blocked it as a user agent; however, Cloudflare continued to attack my site using the same IP and user agent, and it took about 15 hours.

I’d recommend reading through the “Secure origin connections” section of this:

https://developers.cloudflare.com/fundamentals/get-started/task-guides/origin-health/pro/

It sounds like you haven’t protected your origin server and are allowing connections from things other than Cloudflare. This will effectively mean people can work around Cloudflare and just hit your origin directly once the IP is found.

Or somebody is using ripoff plugins/themes and has a backdoor that Wordfence spots and Cloudflare doesn’t because it’s out of scope.

We’d need further evidence as to how the WAF was bypassed to make a clear assessment as to what might have gone wrong.

2 Likes

I guess I didn’t understand.
My site and DNS records are already set to orange cloud on Cloudflare.

I blocked it, but this IP address reached my site.

Just because your DNS records are orange-clouded doesn’t mean you can’t access the site by its IP address. Unless you use secure origin like @cherryjimbo said.

1 Like

Will adding something like this to the .htaccess file to allow only Cloudflare traffic solve the problem?

RewriteEngine On
RewriteCond %{HTTP:CF-IPCountry} ^$
RewriteRule ^ - [F,L]

The specific problem hasn’t yet been determined, since you haven’t provided enough information for us to make that call.

As for securing your origin though, that snippet will not be effective, no. Checking a header is present is a very bad way to verify the requests are from Cloudflare, and could be bypassed very easily. Please re-read through https://developers.cloudflare.com/fundamentals/get-started/task-guides/origin-health/pro/ in regards to securing your origin.

2 Likes

As above, not all information is available, but to be absolutely sure things wouldn’t bypass Cloudflare you have to set your site to only accept connections from these IP addresses, nothing else: https://www.cloudflare.com/ips/
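An added example (not from this thread, Cloudflare or Wordfence) contrasting the header-presence check posted earlier with an allowlist of the published IP ranges, which is the check the replies above recommend. The ranges in it are constructed documentation addresses standing in for the real list at https://www.cloudflare.com/ips/, and the Apache block it renders assumes an Apache 2.4 vhost.

```python
import ipaddress
from typing import Iterable, List, Mapping

# Constructed placeholders. In production, load the current list from
# https://www.cloudflare.com/ips/ and refresh it, since the ranges change.
CLOUDFLARE_RANGES_EXAMPLE = [
    "192.0.2.0/24",        # RFC 5737 documentation space, stands in for an IPv4 range
    "2001:db8:cf00::/48",  # RFC 3849 documentation space, stands in for an IPv6 range
]


def header_only_check(headers: Mapping[str, str]) -> bool:
    """Mirrors the .htaccess idea from the thread: allow when CF-IPCountry is non-empty.
    Anyone who reaches the origin directly can add that header, so it proves nothing."""
    return bool(headers.get("CF-IPCountry", ""))


def build_allowlist(ranges: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR strings once so each request check is a cheap membership test."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def ip_allowlist_check(remote_ip: str, allowlist) -> bool:
    """Allow only when the TCP peer address lies inside a published Cloudflare range.
    Mixed IPv4/IPv6 comparisons simply evaluate to False."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in allowlist)


def should_serve(remote_ip: str, headers: Mapping[str, str], allowlist) -> bool:
    """Origin decision: the peer address must be Cloudflare's; headers are never trusted
    on their own, because the client controls them when it bypasses the proxy."""
    return ip_allowlist_check(remote_ip, allowlist)


def apache_require_block(ranges: Iterable[str]) -> str:
    """Render an Apache 2.4 <RequireAny> block that admits only the given ranges."""
    lines = ["<RequireAny>"] + [f"    Require ip {r}" for r in ranges] + ["</RequireAny>"]
    return "\n".join(lines)


if __name__ == "__main__":
    allow = build_allowlist(CLOUDFLARE_RANGES_EXAMPLE)
    # Constructed: a direct-to-origin request from a non-Cloudflare address with a forged header.
    forged = {"CF-IPCountry": "US"}
    print(header_only_check(forged))                      # True: header check lets it through
    print(should_serve("198.51.100.7", forged, allow))    # False: peer is not a Cloudflare IP
    print(should_serve("192.0.2.10", forged, allow))      # True: peer is inside the allowlist
    print(apache_require_block(CLOUDFLARE_RANGES_EXAMPLE))
```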

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.