Hi,
The issue I’m reporting is about the domain gruppogesa.it.
Yesterday I found some entries in the Apache access logs that I’m reasonably sure are coming from a malicious bot: they are in fact scanning some standard WordPress URLs (e.g. /wp1/wp-includes/wlwmanifest.xml or /wp-includes/wp-class.php) while the application is not WordPress, and the IP addresses that are making those requests are reported as possibly abusive by ipqualityscore.com. Here are a couple of IPs: 193.142.147.68 and 88.248.242.58
I can exclude that those IPs are making requests by direct access to the server bypassing CF, because we followed the suggestions here to prevent it.
Is it possible that for some reason CF lets those requests pass? If so, why does it happen?
Cloudflare does not block PHP files by default, except if you use the Managed Rules. CF also does not block WP files like these by default.
Cloudflare doesn’t use it. As far as I know, CF uses Project Honeypot.
As we don’t know what your WAF settings are, I would advise setting it to HIGH and blocking requests with a threat score above 5.
Here is a community tutorial for blocking WordPress requests.
And to clarify another thing: except if you use the Business or Enterprise plan, CF will not magically and automatically block threats and other requests that appear to be or are malicious. You’ll need to fine-tune your WAF to fit your use case.
If you need assistance doing it, feel free to ask and the community will help you.
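The log review described in the question can be scripted. The following is an added example, not code from either poster: it scans Apache access-log lines for WordPress-only paths on a site that does not run WordPress and groups the hits by client IP. The path pattern list, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Prefix of Apache common/combined log format: client ... "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# WordPress-only paths; on a non-WordPress site any hit is a scanner probe.
# Assumed pattern list, built around the two URLs quoted in the question.
WP_PROBE_RE = re.compile(
    r'/(wp-includes|wp-admin|wp-content)/|/wp-login\.php|/xmlrpc\.php|wlwmanifest\.xml',
    re.IGNORECASE,
)

def find_wp_probes(lines):
    """Return {client_ip: {"hits", "paths", "statuses"}} for WordPress probe requests."""
    report = defaultdict(lambda: {"hits": 0, "paths": set(), "statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if WP_PROBE_RE.search(path):
            entry = report[m.group("ip")]
            entry["hits"] += 1
            entry["paths"].add(path)
            entry["statuses"].add(int(m.group("status")))
    return dict(report)

def probes_needing_review(report):
    """IPs whose probes got something other than 403/404, i.e. the path exists or is handled."""
    return sorted(ip for ip, e in report.items() if e["statuses"] - {403, 404})

# Constructed sample lines (documentation IP ranges, not taken from the thread).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET /wp1/wp-includes/wlwmanifest.xml HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2024:10:01:03 +0000] "GET /wp-includes/wp-class.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:03:00 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 370 "-" "curl/8.0"',
    'not an access-log line',
]

if __name__ == "__main__":
    report = find_wp_probes(SAMPLE_LOG)
    for ip, e in sorted(report.items()):
        print(ip, e["hits"], sorted(e["paths"]), sorted(e["statuses"]))
    print("review:", probes_needing_review(report))
```

The per-IP output gives the list of paths to feed into a WAF rule, and the review list separates probes that merely hit a 404 from those the server actually answered.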