IP addresses bypassing Cloudflare

I have an issue where some IP addresses I have blocked are still accessing my website somehow. How is this possible? What can I do to fix it?

If I do that, won't someone be able to access the website using an application that is being used with Cloudflare, or is Cloudflare only a one-way connection? Can a VPN service use Cloudflare to mask their IP?

Sorry, new to this.

Are you worried that someone acting as a "bad person" using Cloudflare WARP could "still" access your website when you enable/allow Cloudflare IPs?

sandro - fishinginmiami.com

I am using Wordfence, and it tells me when someone is trying to hack the site, so I usually add these IP addresses to Firewall/tools.

Is there any way to use Cloudflare to block direct access to the server? For example, instead of using Cloudflare on the domain, I would use the IP address of the server?

I also see that some people are accessing the HTTP version instead of the HTTPS version. I have a redirect from all HTTP to HTTPS; how are they able to reach the HTTP version of the site if I have a redirect in place?

fritex - yes

Just to add a note: may I suggest selecting the "CF-Connecting-IP" option first in the Wordfence settings to determine the correct visitor IP.

Yes, I have that enabled, but from some articles I've read online it says that it doesn't work all the time.

If the server is used only for web, possibly yes.
There is a way to allow only Cloudflare IPs and block everyone else.
But I am afraid not completely.
Even if you try out and use a cloudflared tunnel, a webshop, for example, needs to have a port for SMTP open to send out emails or connect to the external mail server. So closing all the ports at the origin is out of the question in this case.

If interested in additional information about this, kindly re-check whether Cloudflare is allowed to connect to your origin host, as described in the article below:

Nevertheless, the Cloudflare IP address list can be found here:

Another way would be to set up some custom-made Cloudflare Firewall Rules, or use some of the existing ones or a combination of them, for WordPress security & protection.
Nevertheless, you could try out a Pro plan and the Web Application Firewall and Managed WAF Rules, which you can enable with a single click to protect your WordPress (not just the admin area, but more of it in terms of possible vulnerabilities, scans, etc.).

The Pro plan offers the "Web Application Firewall" (Managed WAF Rules), "Cloudflare Managed Ruleset" and "Package: OWASP ModSecurity Core Rule Set", which we can enable with a single click and configure on demand :wink:

Combining this with custom Firewall Rules and the other security & protection options we have at Cloudflare, per our needs, we get a really good setup.

Besides this, the Pro plan has an option to "Configure Super Bot Fight Mode" to challenge "Definitely automated" bots.

Furthermore, you can use Firewall Rules to block Amazon AS numbers (there are multiple, as far as I remember) and even more, like old HTTP/1.0 requests, or block some known "bad" user-agents, crawlers, etc.

Under the Firewall Settings, you can set the Security Level and Challenge Passage, enable Browser Integrity Check, and a few others.

You could also track your Firewall Events and check for anything suspicious, challenged or blocked; that way you can tune up and adapt your security settings as you need.

Using Cloudflare Scrape Shield, you can protect e-mail addresses written in the HTML content of a webpage by enabling Email Address Obfuscation, for example.

I am sharing my settings in the screenshots below, which you can compare with yours and analyze:

Is this related to the WordPress admin area, or? You can allow specific IPs or IP ranges if that's the case. I would prefer using Cloudflare Access for your WordPress admin dashboard, but okay, it can also be secured by using a Firewall Rule to allow only your own "VPN" IP address to the admin, in case you are using one, while access to the website would still be normal for other people (who aren't going to be blocked due to some other factors, like if you are blocking some specific user-agents, bad bots, etc.).

For example, in my case I am blocking the three "Amazon" ASNs with Firewall → IP Access Rules as follows (in my post below you can find a thread about "good" vs "bad" ASNs, which you can freely block or challenge as you need):

May I ask, do you see this information under the SSL/TLS tab of the Cloudflare dashboard for your domain, or rather at the origin host/server, in the log files, or maybe through the Wordfence "Live Traffic" tab?

  • In the SSL/TLS tab of the Cloudflare dashboard there will always be some HTTP requests, and if you correctly chose the SSL options (see below) they will be redirected to HTTPS, which is why they are counted as HTTP there …

Your DNS records under the DNS tab of the Cloudflare dashboard, like A yourdomain.com and A www (or CNAME if using that kind of setup), should be proxied and set to :orange:.

If you do not have HTTP to HTTPS redirection configured, you would have multiple issues, even for SEO and duplicated content, etc.

The best-case scenario would be for you to have a valid SSL certificate installed at your origin host/server and to select Full (Strict) SSL under the SSL/TLS tab of the Cloudflare dashboard for your domain.

In case you do not have an SSL certificate, you can use Cloudflare SSL; if so, kindly make sure you follow the instructions in the article below to set up an SSL certificate using a Cloudflare Origin CA Certificate:

Kindly have a look here for more information regarding the correct SSL settings in the SSL/TLS tab of the Cloudflare dashboard:

Nevertheless, under the SSL/TLS tab → Edge Certificates, enable the Always Use HTTPS and Automatic HTTPS Rewrites options.
Make sure the Minimum TLS Version option is set to 1.2.

In terms of securing your WordPress website by using Cloudflare, there are multiple ways to achieve this, and there are some differences depending on the plan you are using.

Therefore, some Firewall tips are published here:

Using the search :search: :

Last but not least, kindly see more by reading the Cloudflare articles, which contain a lot of helpful information for better understanding and usage in terms of Security and Protection:

As far as I see you are using WordPress, so may I suggest the article below, as it contains really good examples and references to other posts and external links on Firewall Rules for WordPress and similar useful stuff:

It could depend: if we are using shared hosting and some combination of "web servers" like LiteSpeed and Engintron while using cPanel, at least from my experience, even I was getting blocked by Wordfence despite my country being correct and allowed. This has nothing to do with the CF-Connecting-IP header, rather with the database possibly not being updated in the Wordfence plugin / PHP module at the hosting (which you might not have control of, like MaxMind GeoIP, etc.).

I do not believe they would "live" long, as they would definitely be abusing the Cloudflare network, and I assume they would be blocked from accessing / using it.
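An origin-side illustration of two points made above (allow only Cloudflare to reach the origin, and rely on CF-Connecting-IP only with care), as an added example in Python that is not part of this thread. The Cloudflare ranges embedded in it are a short sample copied for illustration; the authoritative lists are the ones Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and must be refreshed from there. The requests and header values are constructed. `real_client_ip` shows why a header-based visitor IP cannot be trusted on its own: a visitor who connects straight to the origin, not through Cloudflare, can put any address in CF-Connecting-IP, so an IP block keyed on that header is then keyed on whatever the visitor chose.

```python
"""Trust CF-Connecting-IP only from Cloudflare, detect direct-to-origin
hits, and render origin firewall / nginx fragments from the Cloudflare
IP list.

Added example (not from the original thread). SAMPLE_CLOUDFLARE_RANGES
is a constructed sample, NOT the full list; refresh from
https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of Cloudflare edge ranges (incomplete on purpose).
SAMPLE_CLOUDFLARE_RANGES: List[str] = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "172.64.0.0/13",
    "2400:cb00::/32",
]


def parse_ranges(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings once so membership tests are cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_cloudflare(addr: str, ranges: List[Network]) -> bool:
    """True if addr lies inside one of the Cloudflare edge ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def classify_request(remote_addr: str, ranges: List[Network]) -> str:
    """'proxied' if the TCP peer is a Cloudflare edge, else 'direct'.

    A 'direct' hit never passed through Cloudflare, so no Firewall Rule,
    WAF rule or IP Access Rule configured there was applied to it.
    """
    return "proxied" if is_cloudflare(remote_addr, ranges) else "direct"


def real_client_ip(remote_addr: str, headers: Dict[str, str],
                   ranges: List[Network]) -> str:
    """Address a plugin such as Wordfence should attribute the request to.

    CF-Connecting-IP is believed only when the peer is Cloudflare. For a
    direct connection the header is attacker-controlled, so the peer
    address itself is kept. A malformed header value is ignored.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("cf-connecting-ip", "").strip()
    if forwarded and is_cloudflare(remote_addr, ranges):
        try:
            return str(ipaddress.ip_address(forwarded))
        except ValueError:
            pass
    return remote_addr


def origin_realip_nginx(cidrs: Iterable[str]) -> str:
    """nginx fragment restoring the visitor address from CF-Connecting-IP,
    accepted only from the listed Cloudflare ranges."""
    lines = [f"set_real_ip_from {c};" for c in cidrs]
    lines.append("real_ip_header CF-Connecting-IP;")
    return "\n".join(lines)


def origin_firewall_rules(cidrs: Iterable[str],
                          ports: Tuple[int, ...] = (80, 443)) -> List[str]:
    """iptables/ip6tables commands accepting web ports from Cloudflare only.

    The allow-list is placed in the host firewall, not in nginx allow/deny:
    after the realip module runs, nginx access checks see the restored
    visitor address rather than the Cloudflare peer, so an nginx allow-list
    of Cloudflare ranges would reject real visitors.
    """
    cmds = []
    for c in cidrs:
        v6 = ipaddress.ip_network(c, strict=False).version == 6
        tool = "ip6tables" if v6 else "iptables"
        for p in ports:
            cmds.append(f"{tool} -A INPUT -p tcp --dport {p} -s {c} -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        for p in ports:
            cmds.append(f"{tool} -A INPUT -p tcp --dport {p} -j DROP")
    return cmds


if __name__ == "__main__":
    ranges = parse_ranges(SAMPLE_CLOUDFLARE_RANGES)
    # Constructed requests: one via Cloudflare, one straight to the origin
    # forging the header to look like a different visitor.
    via_cf = ("104.16.1.1", {"CF-Connecting-IP": "203.0.113.5"})
    direct = ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"})
    for peer, hdrs in (via_cf, direct):
        print(peer, classify_request(peer, ranges), "->",
              real_client_ip(peer, hdrs, ranges))
    print(origin_realip_nginx(SAMPLE_CLOUDFLARE_RANGES))
    print("\n".join(origin_firewall_rules(SAMPLE_CLOUDFLARE_RANGES)))
```

Run it as a script to see the two constructed requests classified (the proxied one resolves to the forwarded address, the direct one keeps its peer address) and the generated fragments. The firewall rules leave ports other than 80 and 443 untouched, which matches the SMTP caveat above: only the web ports are restricted to Cloudflare.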

Awesome, thanks for all your help. I will have to research all of the info you provided.

Right now I'm using:

(http.request.uri.path contains "/wp-login.php")
or (http.request.uri.path contains "/xmlrpc.php")
or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")
or (http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "fishinginmiami.com" and not cf.client.bot)
or (http.request.uri.path eq "/wp-comments-post.php" and http.request.method eq "POST" and not http.referer contains "fishinginmiami.com")

to block access to the WordPress admin area.

Yep, me too, just with a small change to the Firewall Rule: if the request to wp-login is not from my home country, block it. In addition to that, the next Firewall Rule after it challenges (JS challenge), meaning I allow only requests to wp-login from my country, but all of those requests are challenged, plus using Google reCAPTCHA on the wp-login form (another layer of protection), and using a Rate Limiting rule to protect my wp-login :slight_smile:

  • advantage: small country … if someone wants to do some bad harm from my country, their attempts are logged at the origin host and blocked …

In terms of the IP, someone could be smart and try to access it using a VPN by selecting my country, but (unfortunately for them) I've already blocked all of the providers so far; that way they are blocked in advance in case someone wants to try to sneak in that way :wink:

  • you can add a criterion to your existing rule, for example: if the HTTP request path is wp-login.php and not ip.src Your_IP, if that's an appropriate way for you (if you have a static IP or are using a VPN service with always the same IP)

Either that way, but be careful (take a look at the post below), or, as I already mentioned, using Cloudflare Access:

In terms of using Cloudflare WARP and blocking/challenging users who use it to access your website, I might not be so experienced; as far as I know, if you challenge or block Cloudflare, you could end up having other issues.

Kindly and patiently wait for a reply from someone else more experienced in this field. I believe and would suggest @sandro, who might have some great tips and tricks to share for the security part.
