I have been seeing suspicious GET requests to various files in our Wordpress /WP-Content folder. I use WP-Cerber Traffic Inspector to study these requests. One of the main folders targeted is the images in /WP-Content/Uploads. However each of the request gets a 404 error as the last few characters of the genuine image has been replaced with the following - %E2%80%A6
I set up a Cloudflare firewall rule to block these requests. Studying the Firewall log in Cloudflare, I can see that the requests come into Cloudflare as valid file names that do exist in /WP-Content/Uploads. Therefore, I conclude that (when there is no Firewall rule) Cloudflare is modifying the file name with the %E2%80%A6 as a security measure. Am I correct in thinking this ?
Also, with a Firewall rule blocking /WP-Content access, I also see many blocks on /WP-Content/Plugins and /WP-Content/Themes. I do not see these in the WP-Cerber logs when the Firewall rule is turned off. Therefore, is Cloudflare blocking these request as a default behaviour ?
As a general point, I do not see any valid requests from Whitelist IPs to the /WP-Content folder - so am inclined to block all access.
Thanks for your thoughts.