Malicious bot not blocked by CF

The issue I’m reporting is about domain
Yesterday I found in the Apache access logs some entries that I’m reasonably sure are coming from a malicious bot: they are in fact scanning some standard WordPress URLs (i.e. /wp1/wp-includes/wlwmanifest.xml or /wp-includes/wp-class.php) while the application is not WordPress, and the IP addresses that are making those requests are reported as possibly abusive by Here a couple of IPs: and
I can exclude that those IPs are making requests by direct access to the server bypassing CF, because we followed the suggestions here to prevent it.
Is it possible that for some reason CF lets those requests pass? If so, why does it happen?

Thanks in advance,

Cloudflare does not block PHP files by default, except if you use the Managed Rules. CF also does not block WP files like these by default.

Cloudflare doesn’t use it. As far as I know, CF uses Project Honeypot.

As we don’t know what your WAF settings are, I would advise setting it to HIGH and blocking requests with a threat score above 5.

Here is a community tutorial for blocking WordPress requests.

And to clarify another thing: except if you use the Business or Enterprise plan, CF will not automatically, magically block threats and other requests that appear to be or are malicious. You’ll need to fine-tune your WAF to adapt it to your use case.

If you need assistance doing it, feel free to ask and the community will help you.


It looks like the IP address is also being reported by IP2Location as a scanner and spammer. CF should throw a challenge on it.
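
An added example, not part of the thread or any poster's code: a Python script that pulls WordPress-only probe requests out of Apache combined-format access logs on a site that does not run WordPress, groups them by client IP, and builds a Cloudflare rule expression matching the same paths for the WAF tuning suggested in the replies. The log lines and IPs are constructed, the function names are hypothetical, and it assumes the logged address is the visitor IP rather than a Cloudflare edge address.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3}) ')

# Path fragments that only exist on WordPress installs. The first two come from
# the URLs quoted in the question; the others are common WordPress entry points.
WP_FRAGMENTS = ["/wp-includes/", "wlwmanifest.xml", "/wp-admin/", "/wp-login.php", "/xmlrpc.php"]

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2021:06:14:01 +0000] "GET /wp1/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2021:06:14:02 +0000] "GET /wp-includes/wp-class.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2021:06:15:10 +0000] "GET /products?id=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.40 - - [10/May/2021:06:16:00 +0000] "GET /WP-LOGIN.PHP HTTP/1.1" 404 196 "-" "curl/7.68.0"
garbage line that is not an access log entry
"""

def find_wp_probes(lines, min_hits=1):
    """Map each client IP to the distinct WordPress-only paths it requested."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing at their fields
        ip, target, _status = m.groups()
        path = target.split("?", 1)[0].lower()  # drop query string, ignore case
        if any(frag in path for frag in WP_FRAGMENTS):
            hits[ip].append(path)
    return {ip: sorted(set(p)) for ip, p in hits.items() if len(p) >= min_hits}

def cf_expression(fragments=WP_FRAGMENTS):
    """Build a Cloudflare rule expression that matches the same paths at the edge."""
    clauses = ['http.request.uri.path contains "%s"' % f for f in fragments]
    return "(" + " or ".join(clauses) + ")"

if __name__ == "__main__":
    for ip, paths in find_wp_probes(SAMPLE_LOG.splitlines()).items():
        print(ip, paths)
    print(cf_expression())
```

Raising `min_hits` limits the output to IPs that probed repeatedly, which reduces noise from a single stray request.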
