Visitors's IP not from Cloudflare


I’m just get on Cloudflare WAT 2 days.

Today, I find form error log, one visitor from China show its China ISP IP. Its a bad visitor, hit my website 200 times, I block the IP.

Is it bypass Cloudflare WAF?



It may be accessing your server directly and bypassing CF if you usually only see CF IPs and suddenly see another one.

You could block all IPs on the server except Cloudflare’s so no one can bypass.


Thank you for your reply.

How to block all IPs on the server except Cloudflare’s? I’m not IT Pro.


If it’s not Shared Hosting, here’s the IP list:

If it is Shared Hosting, then .htaccess can block:


Its VPS server.

So, I can change .htaccess,
Order Deny,Allow
Deny from all
Allow from
Cloudflare’s IPs

Great, Thank you for your help.


If you’re using Digital Ocean or Vultr (maybe others as well), they have a firewall feature where you can allow IPs, and deny everything else. It will take the load off your server if someone bypasses Cloudflare to attack your site.

closed #7

This topic was automatically closed after 30 days. New replies are no longer allowed.