Suspicious file requests with Cloudflare IP address


I have several WordPress sites under my account. Our managed hosting’s Cpanel dashboard has an “Errors” page where they list the access errors to our websites.

Today I found a strange error. The hosting’s firewall has stopped the request so there was no harm this time.

The request URI was this: /wp-includes/images/css.php, and it came from a Cloudflare IP address ( / Seattle, Washington, United States). I have to mention that this file doesn’t exist on my server, of course.

I have a WAF rule that stops these kinds of requests but allows them for “good bots”. (see the see the attachment)

So my question is, why does Cloudflare want to see a clearly malicious file (a PHP file with CSS name inside an images folder), or why my WAF rule doesn’t stop the request?

ps: If you want to open the file yourself from my server, you will get an “Access denied” error. I cannot open this link, either.

Best regards,
Gergo Simko

Are you using the “Security Insights” Cloudflare feature?

Dear @solider_21, I don’t know exactrly. Where can I find this?

Dear @soldier_21, I’ve found the “Security Insights” page, it says there aren’t any issues on my sites.

No I was just wondering if you had run scans previously with that feature, which could explain the weird request from Cloudflare

Where do you see the request coming from ?

Are you restoring original visitor IPs?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.