I previously created a rule which protects insecure plugins access to my WordPress backend:
(http.request.uri.path contains "/wp-content/plugins/" and not http.referer contains "mywebsite") then block.
I found that my wp-admin access was blocking JavaScript and other files despite connecting properly from the backend. I have turned off the rule, and still, the rule keeps getting triggered.
The only way to get around this has been to pause the site on Cloudflare completely.
Why would a rule continue to trigger even when it’s not active? Is there a way to purge rules? I have tried changing the rule to allow, and that works, but I don’t want to leave it on allow as that gives access to all referrers. So I turned that rule off. The original block rule continues to be triggered.
Would love some advice or insights on anything to try. Thank you
Visit your WP backend, then on the Cloudflare Dashboard go to Security Events, and see which service is doing the block. It may be that another service is what is causing the block when you turn the Firewall Rule off.
The security event that’s triggering is the insecure plugin block, even though it’s turned off and changed to allow it. I am only allowed one image per post, so this one will include the security event message. Next I will show the rule currently set up.
As WAF (Previous Version) is being migrated to the new WAF, sometimes we see in the interface the previous edition when we should deal with the new. Please visit your WAF panel and hard refresh it (Ctrl-F5 on Windows), and see if the migrated rules appear instead of the same rules from the previous version.
Thanks. Sorry, I misunderstood. My head was on WAF reset, not the browser. The issue is that a security event is triggering a rule that does not exist (deleted now).
After the browser reset, it still triggers the non-existent rule. There must be a CF cache with that old rule.
A rule from the WAF (previous version) has been disabled. (Only the previous version has the action “Allow”. The new version has the action “Skip”.)
A rule from the new WAF is blocking requests. The new WAF has “Custom rules”, while the WAF (previous version) has “Firewall rules”.
What I meant to say is that, especially if you have more than one zone and not all of them have migrated to the new WAF, you may be editing/disabling the rule from the previous version, while the new version is in place.
Refreshing the page where the Cloudflare security panel lists your rules should force it to show your current “Custom rules”. But that’s only one possibility. The other one being of course a bug.
If you are sure you cannot see the new WAF rule in your Dashboard > WAF > Custom Rules panel, please open a ticket and post the ticket number here so that someone from Cloudflare with access to your account can have a look at the issue.
Understood. Looks like I can’t get the WAF to show custom rules even with reload. I tried multiple browsers. I have several websites listed on CF, and some are showing custom, while others are still showing firewall rules (even after reloading).
Seems like a bug or failed conversion from firewall rules to custom rules. The system shows 3 of 5 active firewall rules, while there are only 2. The third must be a custom rule, but I can’t access it.
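Added example, not part of any post in this thread: one way to check, outside the dashboard, whether the blocking rule lives in the previous-version Firewall rules or in the new WAF's Custom rules. The endpoint paths and response shapes are written as I understand Cloudflare's v4 API (the previous-version endpoint is deprecated); the sample responses and rule ids are constructed, and `fetch` and `active_rules` are hypothetical helper names.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4/zones/{zone}/"
LEGACY_PATH = "firewall/rules"  # WAF (previous version): "Firewall rules"
CUSTOM_PATH = "rulesets/phases/http_request_firewall_custom/entrypoint"  # new WAF: "Custom rules"


def fetch(zone, token, path):
    """GET one endpoint with an API token (not called by the offline demo below)."""
    req = urllib.request.Request(API.format(zone=zone) + path,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def active_rules(legacy, custom, needle):
    """Return (system, rule id, action) for each enabled rule whose expression contains needle."""
    hits = []
    # Previous version: a list of rules, each with a filter; "paused" means disabled.
    for rule in legacy.get("result") or []:
        expr = rule.get("filter", {}).get("expression", "")
        if needle in expr and not rule.get("paused", False):
            hits.append(("firewall rules (previous)", rule["id"], rule["action"]))
    # New WAF: one entry point ruleset whose "rules" carry an "enabled" flag.
    for rule in (custom.get("result") or {}).get("rules", []):
        if needle in rule.get("expression", "") and rule.get("enabled", True):
            hits.append(("custom rules (new)", rule["id"], rule["action"]))
    return hits


# Constructed sample responses: the rule is paused in the previous version,
# but a migrated copy is still enabled in the new WAF.
EXPR = ('(http.request.uri.path contains "/wp-content/plugins/" '
        'and not http.referer contains "mywebsite")')
SAMPLE_LEGACY = {"result": [{"id": "legacy-0001", "paused": True, "action": "block",
                             "filter": {"expression": EXPR}}]}
SAMPLE_CUSTOM = {"result": {"rules": [{"id": "custom-0001", "enabled": True,
                                       "action": "block", "expression": EXPR}]}}

if __name__ == "__main__":
    for hit in active_rules(SAMPLE_LEGACY, SAMPLE_CUSTOM, "/wp-content/plugins/"):
        print(hit)
```

Against a real zone, pass the output of `fetch(zone, token, LEGACY_PATH)` and `fetch(zone, token, CUSTOM_PATH)` to `active_rules`, then compare the returned rule id with the one shown in the Security Events entry.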