Order of Cloudflare Traffics - Rules/Rate-Limit/Filters

#1

Hi all,

We were experimenting with several options in Cloudflare trying to block/rate limit access to wp-login.php – to be very specific.

We have setup Rate Limiting Rules which supposed to block > 10 request per 1 minute. In the past, this seemed to work well. Recently, we also explore ‘Page Rules’ which will send */wp-login.php with Browser Integrity Check enabled and also Security Level I’m under Attack mode.

The later seemed to be in-effect without the Rate-Limiting being checked. So, we are wondering if Page Rules will get higher priority? Is there any where we can see which ones are in effect?

If we disable the Page rules, Rate Limit kicks in. So, it’s kind like picking one and the other inactive now.

#2

If yours is a website with few users who need to log in, I’d suggest you try instead creating an Access Policy for /wp-login.php as well as for /wp-admin* and /xmlrpc.php. Up to 5 users/month is free.

1 Like
#3

According to the latest information I have page rules should run before rate limiting. That might have changed in the meantime however.

@alexcf might have the latest update

1 Like