I have several WordPress sites under my account. Our managed hosting’s Cpanel dashboard has an “Errors” page where they list the access errors to our websites.
Today I found a strange error. The hosting’s firewall has stopped the request so there was no harm this time.
The request URI was this:
/wp-includes/images/css.php, and it came from a Cloudflare IP address (
188.8.131.52 / Seattle, Washington, United States). I have to mention that this file doesn’t exist on my server, of course.
I have a WAF rule that stops these kinds of requests but allows them for “good bots”. (see the see the attachment)
So my question is, why does Cloudflare want to see a clearly malicious file (a PHP file with CSS name inside an images folder), or why my WAF rule doesn’t stop the request?
ps: If you want to open the file yourself from my server, you will get an “Access denied” error. I cannot open this link, either.