The right place to whitelist IPs


I’m using Patchstack as a virtual firewall that also applies virtual patches to vulnerabilities specific to WordPress.

Problem is, since this automated service keeps accessing the site as both a bot and via the API, Cloudflare doesn’t like it very much.

Where is the best place to allowlist a service whose ip addresses are known to me?

WAF custom rules will give you the tightest control (allow the IPs and restrict which subdomain or path they can access).

IP access rules will just allow the IP address to access everything, bypassing the WAF and other protections.


Great, so create a list in Configuration and exclude it in the WAF custom rule I create. Been on the right track, then.

Thank you!

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.