Page Rule Triggers even when off

I previously created a rule which protects insecure plugins access to my WordPress backend:

(http.request.uri.path contains “/wp-content/plugins/” and not http.referer contains “mywebsite”) then block.

I found that my wp-admin access was blocking javascript and other files despite connecting properly from the backend. I have turned off the rule, and still, the rule keeps getting triggered.

The only way to get around this has been to pause the site on Cloudflare completely.

Why would a rule continue to trigger even when it’s not active? Is there a way to purge rules? I have tried changing the rule to allow, and that works, but I don’t want to leave it on allow as that gives access to all referrers. So I turned that rule off. The original block rule continues to be triggered.

Would love some advice or insights on anything to try. Thank you

Visit your WP backend, then on the Cloudflare Dashboard go to Security Events, and see which service is doing the block. It may be that another service is what is causing the block when you turn the Firewall Rule off.


The security event that’s triggering is the insecure plugin block, even though it’s turned off and changed to allow it. I am only allowed one image per post, so that this one will include the security event message. Next I will show the rule currently set up

Here is the current rule setting:

As WAF (Previous Version) is being migrated to the new WAF, sometimes we see in the interface the previous edition when we should deal with the new. Please visit your WAF panel and hard refresh it (Ctrl-F5 on Windows), and see if the migrated rules appear instead of the same rules from the previous version.

1 Like

Thanks. Got to find a Windows machine. Any solutions for Mac users?

Have purged everything, deleted caches, still many files throwing 403 in backend. Front-end looks fine

The :search: results for refresh on Mac OS look promising.


Thanks. Sorry, I misunderstood. My head was on waf reset, not the browser. The issue is that a security event is triggering a rule that does not exist (deleted now).

After the browser reset, it still triggers the non-existent rule. There must be a CF cache with that old rule.

Your screenshots show that:

  1. A rule from the WAF (previous version) has been disabled. (Only the previous version has the action “Allow”. The new version has the action “Skip”.
  2. A rule from the new WAF is blocking requests. The new WAF has “Custom rules”, while the WAF (previous version) has “Firewall rules”.

What I meant to say is that, especially if you have more than one zone and not all of them have migrated to the new WAF, you may be editing/disabling the rule from the previous version, while the new version is in place.

Refreshing the page where the Cloudflare security panel lists your rules should force it to show your current “Custom rules”. But that’s only one possibility. The other one being of course a bug.

If you are sure you cannot see the new WAF rule in your Dashboard > WAF > Custom Rules panel, please open a ticket and post the ticket number here so that someone from Cloudflare with access to your account can have a look at the issue.

1 Like

Understood. Looks like I can’t get the WAF to show custom rules even with reload. I tried multiple browsers. I have several websites listed on CF, and some are showing custom, while others are still showing firewall rules (even after reloading).

1 Like

Seems like a bug or failed conversion from firewall rules to custom rules. The system shows 3 of 5 active firewall rules, while there are only 2. The third must be a custom rule, but I can’t access it.

1 Like

I have already escalated this issue, do you have a ticket number?

Thanks for the support. Ticket is 2796261


Thanks. This may take a few days, I’m afraid. Meanwhile, you can use the API to turn off your Custom Rules.

Cloudflare’s “preferred” API is the new Rulesets API, which is rather complicated and so far poorly documented. But you can use the Firewall Rules API to enable/disable Custom Rules, as well as the Filters API to modify them, according to: Firewall rules are becoming custom rules · Cloudflare Web Application Firewall (WAF) docs

Just to update this, it has been escalated internally. I will provide specifics in the ticket when we have more information.

1 Like

Hi @leon6,

Seems this particular case is an edge case related to the migration from Firewall Rules to Custom Rules.

I’ve followed up in the Support ticket #2796261.
We apologize for any inconvenience caused.

Should you need any further assistance, please do not hesitate to reach out by replying the ticket.
Thanks for choosing Cloudflare.


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.