Hi @tonymugo03
It sounds as if you are being blocked, or what we call a false positive.
If you filter on path contains /wp-admin and follow this guide, you should be able to bypass the security feature doing the block:
You can search for a blocked or challenged request in the Security app under the Overview tab in the Firewall Events section of your Cloudflare Dashboard.
Understanding Cloudflare Firewall Analytics
The Cloudflare WAF contains mainly 2 packages:
- Cloudflare Managed Ruleset: These rules are managed by Cloudflare WAF Engineers.
- OWASP ModSecurity Core Rule Set: These rules are not managed by Cloudflare. They are created by the OWASP Group and Cloudflare integrates with this OWASP package as part of our WAF for additional security.
For “security reasons”, we don’t provide the rule patterns, as this would increase the likelihood that a malicious party could learn to bypass the rules. However, if you would like to know why a WAF rule has triggered, you can enable the payload logging feature. This feature is only available for customers on an Enterprise plan. It allows you to log the request information that triggered a specific rule of a Managed Ruleset. This information is known as the payload. Payload logging is especially useful when diagnosing the behavior of WAF rules. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later.
If you’re encountering a false positive due to the legacy WAF, there are 5 actions that you could take here:
1. Add the IP(s) doing the request to the IP Access Rules in the allowlist, if the users connecting to your backend are always using the same IP address.
   This is the best solution as it does not affect the site security.
   How do I control IP access to my site?
2. Disable the affected WAF rule(s)
   This will reduce the security of the site, but will stop the requests from getting blocked/challenged.
   How do I configure the WAF?
3. Skip the WAF with a Firewall Rule
   You can create a Firewall Rule with the skip action for the WAF to be deactivated for a specific combination of parameters. You could for example only bypass the WAF for a specific URL and a specific IP or user-agent:
   Firewall rules actions · Cloudflare Firewall Rules docs
4. Disable the Web Application Firewall from the requested endpoint (not recommended!)
   This will result in lower security, as the WAF will no longer be applicable on that location.
   This action is done by using Page Rules:
   Understanding and Configuring Cloudflare Page Rules (Page Rules Tutorial)
5. If the rule blocking is 981176 (legacy OWASP), it means it was blocked by the OWASP rules. You need then to decrease the OWASP sensitivity: a request was blocked by rule 981176, what does that mean? If decreasing the OWASP sensitivity doesn’t solve the issue, you might need to apply one of the other actions described above (1, 2, 3 or 4).
If you’re encountering a false positive due to the new WAF, there are two actions that you could take here:
1. Add WAF Exception
   You can define WAF exceptions in the Cloudflare dashboard or using the Rulesets API.
2. If the rule blocking is 949110 (new OWASP), it means it was blocked by the OWASP rules. You need then to decrease the OWASP Anomaly Score Threshold or lower the OWASP Paranoia Level.
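
One way to keep a WAF exception narrow when defining it through the Rulesets API, as an added example that is not part of the original post: the function builds a skip rule limited to one path, fixed source IPs and named rules, and refuses broader scopes. The ruleset and rule IDs are placeholders, the IP is a documentation address, and the /24 and /64 limits are a policy assumed for this example.

```python
import ipaddress
import json

# Phase whose zone entry point ruleset holds WAF exceptions (skip rules).
PHASE = "http_request_firewall_managed"


def build_waf_exception(path_fragment, source_ips, ruleset_id, rule_ids):
    """Return a skip-rule body limited to one path, fixed IPs and named rules."""
    if (not path_fragment.startswith("/") or path_fragment == "/"
            or '"' in path_fragment):
        raise ValueError("path must be a specific, quote-free fragment")
    if not source_ips or not rule_ids:
        raise ValueError("need at least one source IP and one rule ID")
    # strict=True rejects entries with host bits set, such as 203.0.113.10/24.
    nets = [ipaddress.ip_network(ip, strict=True) for ip in source_ips]
    for net in nets:
        # Assumed policy: nothing wider than /24 (IPv4) or /64 (IPv6).
        limit = 24 if net.version == 4 else 64
        if net.prefixlen < limit:
            raise ValueError(f"{net} is too broad for an exception")
    # Single hosts are written without a prefix length, ranges keep it.
    ip_set = " ".join(
        str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets
    )
    expression = (
        f'(http.request.uri.path contains "{path_fragment}" '
        f"and ip.src in {{{ip_set}}})"
    )
    return {
        "action": "skip",
        # Skip only the listed rules of one managed ruleset, not the whole WAF.
        "action_parameters": {"rules": {ruleset_id: list(rule_ids)}},
        "expression": expression,
        "description": f"Exception for {path_fragment} from fixed admin IPs",
        "enabled": True,
    }


if __name__ == "__main__":
    # Constructed sample values: placeholder IDs and a documentation IP.
    body = build_waf_exception(
        "/wp-admin", ["203.0.113.10"],
        "MANAGED_RULESET_ID_PLACEHOLDER", ["RULE_ID_PLACEHOLDER"],
    )
    print(f"Rule body for the {PHASE} entry point ruleset:")
    print(json.dumps(body, indent=2))
```

The printed body is what would be sent when adding a rule to the zone's entry point ruleset for that phase; the exception has to sit before the rule that executes the managed ruleset to take effect.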