Hi,
I have Managed Rules enabled. In them I have the Core Cloudflare rules and the OWASP rules. The OWASP rules are set to 40 (medium) and paranoia level is set to 2. With these settings, whenever I try to update a page created with the Elementor plugin on my WordPress website the action is blocked with a 403 error. If I disable the OWASP ruleset it works fine. In the WAF events I see that the action has been blocked because of the OWASP score being exceeded at 63-66.
How can I have the OWASP ruleset turned ON and still be able to use the Elementor plugin without a problem? What would be the best way?
Thanks!
You should create a WAF exception to skip this specific rule.
On the WAF Events page where you saw the blocked activity, you’ll be able to find the Rule ID (and copy it to memory once you hover your mouse pointer over it).
With that number, go to WAF Managed Rules and click on “Add an exception”, and set it to skip only this rule when incoming requests match certain conditions, such as the path for the file Elementor needs to post to, your IP address, etc.
Hi @cbrandt, thanks!
So I did as you advised and now in the Events I see the event as “skipped” under the action that’s taken, so it should be OK; however, the request still fails with 403. It’s like “skip” isn’t “skipping”…
What’s even stranger is that I have a custom page rule which should disable security completely for that path. Could this be the cause for the issue? I don’t see why the two should collide…
Thanks!
Wait a couple of minutes, as Events sometimes take a bit to log stuff. Then check if another Cloudflare feature is doing the block (I’d suspect it could be (Super) Bot Fight Mode). Also, make sure it isn’t your own origin firewall doing the block (sometimes a Cloudflare protection masks this fact).
Page Rules > Disable Security will disable certain features (mostly previous versions), not the new WAF.
Hi @cbrandt thanks again!
So in the Super Bot Fight Mode I enabled the “optimize for WordPress” option and it seems to work now.
Thanks!
I also moved my exception rule to be the first one in the list of Managed Rules. I don’t know if that did the trick or if it was the Super Bot Fight Mode option for WordPress, but since it’s working now, I’ll check which one of the two it is at a later stage.
Many thanks!
Goran
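The exception and the rule-order question discussed in this thread, as an added example that is not part of any poster's reply: it builds a skip rule in the shape the Cloudflare Rulesets API uses for the `http_request_firewall_managed` phase and flags exceptions listed after the rule that executes the managed ruleset they target. The ruleset ID, rule ID, request path and source IP are placeholders or assumptions, not values from the thread.

```python
# Added example: rule dicts follow the Cloudflare Rulesets API shape for the
# http_request_firewall_managed phase. All IDs and the path are placeholders.
OWASP_RULESET_ID = "<OWASP_RULESET_ID>"      # placeholder, copy from your zone
SCORE_RULE_ID = "<RULE_ID_FROM_WAF_EVENTS>"  # placeholder, copy from WAF Events

def make_exception(ruleset_id, rule_ids, expression, description):
    """Build a skip rule (WAF exception) for specific managed rules."""
    return {
        "action": "skip",
        "action_parameters": {"rules": {ruleset_id: list(rule_ids)}},
        "expression": expression,
        "description": description,
        "enabled": True,
    }

def skipped_rulesets(rule):
    """Return the managed ruleset IDs that a skip rule applies to."""
    params = rule.get("action_parameters", {})
    return set(params.get("rules", {})) | set(params.get("rulesets", []))

def misplaced_exceptions(rules):
    """Return descriptions of enabled skip rules listed after the execute rule
    of the ruleset they target. Rules run top to bottom, so such an exception
    is evaluated too late to have any effect."""
    executed = set()
    late = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        if rule["action"] == "execute":
            executed.add(rule["action_parameters"]["id"])
        elif rule["action"] == "skip" and skipped_rulesets(rule) & executed:
            late.append(rule.get("description", "<no description>"))
    return late

# Constructed sample: path and source IP are assumptions, not from the thread.
exception = make_exception(
    OWASP_RULESET_ID, [SCORE_RULE_ID],
    'http.request.uri.path eq "/wp-admin/admin-ajax.php" and ip.src eq 203.0.113.10',
    "Skip OWASP score rule for Elementor saves",
)
execute_owasp = {"action": "execute", "expression": "true", "enabled": True,
                 "action_parameters": {"id": OWASP_RULESET_ID}}

if __name__ == "__main__":
    print("exception last :", misplaced_exceptions([execute_owasp, exception]))
    print("exception first:", misplaced_exceptions([exception, execute_owasp]))
```

The same check can be run over the `rules` array returned for the zone's managed-rules entry point ruleset before and after reordering.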