WAF blocks IPs I've allowed with a rule


So briefly I’ll explain for context. I run WordPress on a Windows server, and am trying to use Invoke-WebRequest in PowerShell to trigger wp-cron.php so that my crons run as of course it cannot hook the system scheduler. Please see HERE for more details.

On to the matter at hand, I am using Task Scheduler in Windows to call PowerShell using Invoke-WebRequest, but when I test this it is returning HTTP 503 Server Unavailable. This coincides with a WAF block event for “JS Challenge” by service “Bot Fight Mode”.

I have created an IP List with all the IP addresses I want to allow, and I’ve created a Firewall Rule that should Allow anything from IPs on that list, yet the request continues to be blocked. I have also specified a Chrome UserAgent in the IWR call but still it continues to be blocked.

Please advise?

For starters, it’s generally a bad idea to run local scripts via an HTTP call. Your issue in this context is the best example of that.

However, if you really want to follow that route, your best course of action will be to edit your server’s hosts file and add your domain with the actual IP address, which will keep requests local.
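The hosts-file approach above can be checked from the same scheduled task that fires wp-cron.php. The following Windows PowerShell 5.1 script is an added example, not code from the thread or from WordPress; `example.com`, the scheme and the hosts entry are placeholders, and the 503 diagnosis relies only on the `Server: cloudflare` and `CF-RAY` response headers.

```powershell
# Added example: trigger wp-cron.php from Task Scheduler and confirm the request
# stays on the local machine instead of travelling through the Cloudflare proxy.
# Assumptions: Windows PowerShell 5.1 (WebException on non-2xx), site is $SiteHost,
# the web server on this host serves that name; all names below are placeholders.
param(
    [string]$SiteHost = 'example.com',   # placeholder hostname
    [string]$Scheme   = 'https'          # placeholder; use 'http' if the origin has no local TLS
)

# 1. Resolve the name the way Invoke-WebRequest will (system resolver, which honours
#    the hosts file). If it maps to one of this machine's own IPs, the request never
#    reaches Cloudflare's edge, so Bot Fight Mode cannot challenge it.
$localIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$resolved = [System.Net.Dns]::GetHostAddresses($SiteHost) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
$isLocal = @($resolved | Where-Object { $localIps -contains $_ }).Count -gt 0
if (-not $isLocal) {
    Write-Warning ("{0} resolves to {1}; the request will be proxied via Cloudflare. " +
        "Add a line such as '203.0.113.10  {0}' (placeholder IP) to " +
        "C:\Windows\System32\drivers\etc\hosts so it stays local.") -f $SiteHost, ($resolved -join ', ')
}

# 2. Fire wp-cron.php. ?doing_wp_cron is the query string WordPress itself uses.
$uri = "${Scheme}://$SiteHost/wp-cron.php?doing_wp_cron"
try {
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 60
    Write-Output "wp-cron returned HTTP $($resp.StatusCode) (local: $isLocal)"
} catch [System.Net.WebException] {
    $r = $_.Exception.Response
    if (-not $r) { throw }
    $code   = [int]$r.StatusCode
    $server = $r.Headers['Server']
    $ray    = $r.Headers['CF-RAY']
    if ($code -eq 503 -and $server -eq 'cloudflare') {
        # Matches the symptom in the thread: the 503 comes from Cloudflare's challenge
        # page, not from the WordPress origin, so no cron job actually ran.
        Write-Error "HTTP 503 from Cloudflare (CF-RAY $ray): request was challenged by WAF/Bot Fight Mode, not served by the origin"
    } else {
        Write-Error "HTTP $code from server '$server'"
    }
}
```

When the hosts entry is in place, the warning disappears and the 503 branch should no longer trigger, which confirms the cron call is bypassing the proxy rather than merely being allowed through it.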

Good shout, I hadn’t thought of tackling the issue that way; I think I’ll need to do some reconfiguration of my web server to allow the request, but I can do that. I did find it a bit of an - unusual - recommendation to run the scripts in this way, but as it’s what WordPress formally recommend I didn’t question it too much.

Nonetheless I am curious, am I just missing something with my setup? Does Bot Fight Mode apply regardless of WAF rules? Is BFM identifying something about my request that still seems fishy? :thinking:

Firewall rules only work within their own context, so if you whitelisted your IP address there, that will only apply to any possible subsequent firewall rules which may have blocked your request.

If you want to “properly” whitelist an address, you’d best do that under IP access rules.

I did wonder what the difference between those two systems would be. Looks like IP Access Rules has solved my problem quicker than the first method would have.

You still route your request via Cloudflare; the hosts file approach would certainly be more elegant, but you can certainly whitelist it as well.

I’d still check how you can run those scripts locally, as that really should not be done via HTTP, let alone a proxy :slight_smile:
