I set up a WAF rule for a domain “guidecomo.it” as follows: if (ip.geoip.country ne “IT” and http.request.full_uri eq (https://guidecomo.it/wp-login.php)) then block; that should block the login path to any IP not originating from Italy.
Actually, this rule works fine with the exception of someone using Cloudflare’s AS13335 IPs, such as 184.108.40.206 or 220.127.116.11 or 18.104.22.168 (as you can see from the screenshot taken from my site’s Wordfence plugin) who always bypasses it.
Could anyone explain why this may be possible?
My additional comments on top of what @sdayman mentioned: since you have the firewall rule in place and it works for you, then very likely those login attempts that you noticed in Wordfence were actually the requests that were not blocked by your firewall rule. It’s just that the “Restore Visitor IP addresses” option was not configured, hence you see those Cloudflare IP addresses appear in your Wordfence logs.
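What restoring the visitor IP amounts to at the origin, as an added example that is not part of the thread or of Wordfence's code: the `CF-Connecting-IP` header is trusted only when the connection itself comes from a Cloudflare range. The range list is a subset of Cloudflare's published IPv4 ranges, and the function names and sample requests are constructed for illustration.

```python
import ipaddress

# Assumption: a subset of Cloudflare's published IPv4 ranges. In real use,
# load the current list from https://www.cloudflare.com/ips/.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13",
)]


def is_cloudflare(addr):
    """True if the TCP peer address belongs to a listed Cloudflare range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def visitor_ip(remote_addr, headers):
    """Return the address the origin should log for one request."""
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip")
    # Only a Cloudflare edge is allowed to tell us who the visitor is.
    if claimed and is_cloudflare(remote_addr):
        try:
            return str(ipaddress.ip_address(claimed.strip()))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    # Direct connection, or no usable header: a header sent by an
    # untrusted peer is ignored, so it cannot forge a logged address.
    return remote_addr


# Constructed sample requests: (TCP peer address, request headers).
SAMPLE_REQUESTS = [
    ("172.64.0.10", {"CF-Connecting-IP": "203.0.113.7"}),   # proxied
    ("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}),  # direct, forged
    ("104.16.1.1", {}),                                     # header missing
    ("172.64.0.10", {"cf-connecting-ip": "not-an-ip"}),     # malformed
]


def restore_all(requests):
    return [visitor_ip(peer, hdrs) for peer, hdrs in requests]


if __name__ == "__main__":
    for (peer, _), logged in zip(SAMPLE_REQUESTS, restore_all(SAMPLE_REQUESTS)):
        print(f"peer={peer:<14} logged={logged}")
```

Without this step every proxied request is logged under the edge address, which is what the Wordfence entries in the question show.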
Hi Eric and @sdayman, thanks for your reply.
I figured out it’s a problem with the real IP not being listed correctly in Wordfence logs. I can’t find any option that allows me to “Restore IP addresses of visitors”, at least this is not available in my free version. However, even if I find a way to see the real IP, that doesn’t solve the problem of the WAF rule being bypassed by this IP. So I have to focus on a better rule, if I can configure it right.
Thanks again for your help.