Manged rule blocking WordPress plugin uploads

dylan10 · January 4, 2023, 11:19pm

This has been posted a few times but I haven’t found an answer yet.

Cloudflare managed rules are blocking plugin zip file uploads. There are many commercial plugins that can only be installed this way by a WordPress user.

Here is the security event JSON export:

{
  "action": "block",
  "clientASNDescription": "ATT-INTERNET4",
  "clientAsn": "7018",
  "clientCountryName": "US",
  "clientIP": "108.241.231.225",
  "clientRequestHTTPHost": "dermaplanepro.com",
  "clientRequestHTTPMethodName": "POST",
  "clientRequestHTTPProtocol": "HTTP/2",
  "clientRequestPath": "/wp-admin/update.php",
  "clientRequestQuery": "?action=upload-plugin",
  "datetime": "2023-01-04T23:06:37Z",
  "rayName": "7847a030bc569692",
  "ruleId": "d93f48eb05324adbb47f0d055969e60b",
  "rulesetId": "efb7b8c949ac4650a09736fc376e9aee",
  "source": "firewallManaged",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
  "matchIndex": 0,
  "metadata": [
    {
      "key": "ruleset_version",
      "value": "123"
    },
    {
      "key": "version",
      "value": "123"
    },
    {
      "key": "type",
      "value": "customer"
    }
  ],
  "sampleInterval": 1
}

The documentation makes it clear this cannot be bypassed:

You cannot bypass the new Cloudflare WAF, only its previous version (WAF managed rules).

How can we allow WordPress administrators to install plugins on their site?

fritex · January 5, 2023, 10:08pm

Seems like the same issue as already been posted here since before

I’d do it manually via FTP, until we find some workaround for it.

akah · January 18, 2023, 1:51am

I also have same issue, waiting update on this

dylan10 · January 28, 2023, 1:13am

I posted in the WordPress plugin support forum also. Meanwhile I’ve been manually installing plugins using the WP CLI.

cbrandt · January 28, 2023, 2:33am

Though you cannot bypass the whole new WAF, you can create an exception.

You can combine your IP(s) with the relevant path for plugin update:

You then select Skip specific rules from a Managed Ruleset, and pick Cloudflare Managed Ruleset. Last, you search for the rule titled “Adobe Coldfusion Dangerous File Upload…”

EDIT: After you save your WAF Exception, you need to move it up so that it triggers before the Managed Rulesets.

It worked for me, I hope it works for you guys.

dylan10 · January 30, 2023, 6:55pm

That appears to work, thank you!

I guess I ended up in the wrong documentation and drew the wrong conclusion. It seems like others are struggling also, but I’m not sure what might have helped me get to the right place.

cbrandt · January 30, 2023, 7:09pm

The documentation you quoted above appears to be referring to the inability to use the Bypass action in a Firewall Rule, which can be used to bypass several security services (including the previous WAF).

Perhaps that documentation could be updated to reflect the fact that one can, in fact, bypass the new WAF, except not by using the Firewall Rules bypass action, and instead by using a new WAF Exception. cc: @cwaters

cwaters · January 30, 2023, 7:59pm

Thanks for the tag, @cbrandt! Passing along to our WAF and rules writer.

system · February 14, 2023, 8:00pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.