Known malicious User-Agents Not blocked


I have a feeling I may have a misconfigured firewal (WAF)

My local wordfence firewall is detecting some Known malicious User-Agents. However, it was of my understanding that Cloudflare services should be blocking these before reaching my website.

I can only think of three possiblities in this case.

  1. Wordfence has detected a false positive.
  2. The malicious User-Agent is not known to Cloudflare
  3. My WAF settings are not configured correctly

Currently, I have a Cloudflare pro account with :

Super Bot Fight Mode Turned On -
Definitely automated - BLOCK
Verified Bots - Allow
Security Level - Medium.
Static resource protection - ON
Browser Integrity Check - ON
OWASP ruleset. - Managed Rules For Wordpress - ON

In this case, should have Cloudflare WAF not allowed this to reach my site - How did it get passed c/f with all this security turned on?

India was blocked by firewall for Known malicious User-Agents at http:// /wp-includes/wp-22.php

3/17/2023 2:19:57 PM (16 minutes ago)

IP: Hostname: host. oceanlinerservices. com

Human/Bot: Bot

Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36

Maybe if this guy is not in your security database you could add it? Or is it possible I have missed something that would stop these critters at the cloud instead of my local firewall catching it ?


Actually, it looks more like Wordfence has “learned” that this visitor is spamming your site. According to Wordfence documentation, the plugin does most of its blocking based on IP activity, not user agent.

Cloudflare does not maintain a list of good or bad user agents. Instead, it uses for its Security Level and other threat-score based services a constantly evolving list of IPs. But you can block this visitor, either through their IP address or user agent, by creating a WAF/ Firewall Rule (aka WAF Custom Rules).

Hi thanks for the feedback

Why would cloudlfare not have learned the same lesson?

Also, its accessing a UR stucture I would have thought due to my current Cloudflare prorections and my manally confugred firwall rules this should have been stopped at the cloud WAF.

Could someone maybe take a look at me current blocks and see the URL (should have been blocked) was able to get to my site ?


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.