It would be wonderful if you could include some kind of “trusted service providers” or something that could be added to over time, so we could just select the service providers we use. It’s annoying having to whitelist a gazillion IPs just to get Cloudflare to play nice with various services like Wordfence, ManageWP, Sucuri, WPMUDEV, etc., especially since there doesn’t seem to be a way to bulk upload IPs to whitelist. Plus, it seems like you’d be able to do a better job of making sure the traffic, headers, etc., were all accurate to the trusted provider than just a blanket IP whitelist anyway, because whitelisting them seems like it’s now putting me at risk of IP spoofing issues and things like that.
If using the Wordfence plugin, there is an option within its settings, one click:
In the Wordfence options you have to select the “CF-Connecting-IP” option (Use the Cloudflare “CF-Connecting-IP”); do not forget to save to apply the changes.
Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.
…
Wordfence is fully compatible with Cloudflare, and in some configurations, Cloudflare will send the real visitor IP address to your web server using the CF-Connecting-IP HTTP header. If Cloudflare support personnel have advised you that this is the case, then enable this option in Wordfence.
Note that Cloudflare has several configurations including their own web server module that takes care of detecting the visitor IP address, so be sure to work with their technical support staff and read their documentation to determine which configuration you are using.
I do use the Wordfence setting but it doesn’t work for things like Wordfence Central. Basically anything that connects to the site to create backups, run scans, etc., currently needs to be manually whitelisted, unless I’m missing something.
I do have the whitelisted IPs set for my whole account, but I can’t export them and upload them to a client’s account for example, and even if I copy/paste I can still only add one at a time.
Would be so much more efficient if Cloudflare could support popular services in this way!
Just in case, may I ask if you have tried using the “is in” operator in your Firewall Rule and clicking on the link “Edit expression”?
It should work with copy-pasting 123.123.45.67 99.88.77.66 directly into the textarea field, or with each IP added on a new line.
Once copy-pasted, click back on “Use expression builder” and it should be added there.
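An added example, not part of the reply above and not Cloudflare or Wordfence code: a small Python helper that turns a pasted provider IP list into a single `ip.src in {...}` expression for the “Edit expression” box, while validating entries and refusing ranges broad enough to weaken the allowlist. The breadth limits, the function name and every sample entry other than the two addresses quoted in the reply are assumptions made for illustration.

```python
import ipaddress

# Assumption: refuse IPv4 ranges broader than /24 and IPv6 ranges broader
# than /64, so a pasting mistake cannot allowlist a huge block.
# Adjust to match the ranges your provider actually publishes.
MAX_BREADTH = {4: 24, 6: 64}


def build_allow_expression(raw):
    """Return (expression, rejected) for a pasted list of IPs/CIDRs."""
    nets, rejected = [], []
    for token in raw.replace(",", " ").split():
        try:
            # strict=True rejects CIDRs with host bits set (a common typo).
            net = ipaddress.ip_network(token, strict=True)
        except ValueError:
            rejected.append(token)
            continue
        if net.prefixlen < MAX_BREADTH[net.version]:
            rejected.append(token)  # too broad to allowlist blindly
            continue
        nets.append(net)

    # Deduplicate and merge overlapping entries, one IP version at a time
    # (collapse_addresses raises TypeError on mixed versions).
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(
            n for n in nets if n.version == version)
    if not merged:
        return None, rejected

    # Single hosts are written bare, ranges in CIDR form, space separated.
    items = " ".join(
        str(n.network_address) if n.num_addresses == 1 else str(n)
        for n in merged)
    return "(ip.src in {" + items + "})", rejected


# Constructed sample input: the first two addresses are the ones quoted in
# the reply; the rest are made up to exercise merging and rejection.
SAMPLE = """
123.123.45.67
99.88.77.66
99.88.77.66
123.123.45.66/31
10.0.0.0/8
not-an-ip
"""

if __name__ == "__main__":
    expression, rejected = build_allow_expression(SAMPLE)
    print(expression)
    print("rejected:", rejected)
```

Review the rejected list before saving the rule; an entry that fails validation is usually a copy-paste error in the provider's published list rather than something to force through.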
Thanks for the reply, I’ll look into it but I meant Firewall > Tools, not Firewall > Rules.
Also I finally ran across this part of the Cloudflare docs that says a trusted bot can apply to be added to the allow list, so I’ll pass that on to the companies I work with as that’s basically what I had in mind.