WAF rule not working as expected

I have a Wordpress site that is constantly being attacked by bots. 99.5% of the bot traffic originates outside of my continent (Africa). As there are sometimes hundreds of attempts on my Wordpress site, I have a number of WAF rules to address this, in order:

  1. White-list “good” bots (checks user-agent for specific strings used by trusted services), skips all subsequent rules
  2. JS Challenge non-African traffic
  3. Block any non-African traffic where requests (URL_FULL) contain “wp-admin” or “wp-login”

I can see these rules working and I can see the “blocked” traffic, which is exactly as expected.

What is unexpected are the alerts from Wordfence (Wordpress WAF) relating to failed login attempts. These “failed” login attempts correspond with traffic that Cloudflare claims to have blocked. I verified this by comparing the failed login’s details (MAC address / IP address and country) in Wordfence to the WAF Events in Cloudflare.

So, how is it that traffic that is blocked at the “edge” is still able to post data to my Wordpress website? I would expect that when the traffic is blocked, the request would not reach my web-server.

Here are the events showing “blocked” traffic

Here’s an example email from Wordpress notifying me of the failed login, which was supposedly “blocked”

I’ll concede that I may be wrong in my understanding of how the WAF works; it just seems odd that the “block” action doesn’t actually seem to “block” the traffic.

As a best practice, we also recommend that you explicitly block all traffic that does not come from Cloudflare IP addresses or the IP addresses of your trusted partners, vendors, or applications.

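The reply above points at the usual explanation for this symptom: Cloudflare can only block what passes through its edge, so a request that reaches the origin directly (because the bot found the server’s real IP) never sees the WAF rules at all, and only the origin-side tooling such as Wordfence records it. The way to confirm or rule that out is to look at the connecting address in the web server’s own access log: traffic proxied by Cloudflare always arrives from one of Cloudflare’s published edge ranges, and anything else bypassed the WAF. The following script is an added example, not code from this thread or from Cloudflare: it parses a few constructed access-log lines in the common “combined” format, classifies each request by whether its peer address falls inside a snapshot subset of Cloudflare’s IPv4 ranges (assumed current here; the live list at cloudflare.com/ips-v4 and ips-v6 should be fetched before relying on it), and renders the nginx allow/deny snippet that implements the “only accept traffic from Cloudflare” recommendation. The names `via_cloudflare`, `parse_log`, `direct_to_origin` and `nginx_allowlist`, the sample log and the documentation-range IPs in it are all constructed for the example.

```python
import ipaddress
import re

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4),
# taken as an illustrative snapshot: fetch the live IPv4 and IPv6 lists before deploying.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CF_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_V4]

# Constructed sample lines in Apache/nginx "combined" format. 203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges, standing in for unknown clients.
SAMPLE_LOG = """\
172.68.10.5 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Mar/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2841 "-" "python-requests/2.31"
162.158.1.20 - - [12/Mar/2024:10:01:15 +0000] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:01:21 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "curl/8.4.0"
"""

# Leading fields of the combined log format: peer IP, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def via_cloudflare(ip_str):
    """True if the connecting address belongs to one of Cloudflare's edge ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in CF_NETS)


def parse_log(text):
    """Parse combined-format lines into dicts, tagging each with its Cloudflare status."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        rec = m.groupdict()
        rec["via_cloudflare"] = via_cloudflare(rec["ip"])
        records.append(rec)
    return records


def direct_to_origin(text):
    """Requests whose TCP peer is not a Cloudflare edge: these never passed the WAF rules."""
    return [r for r in parse_log(text) if not r["via_cloudflare"]]


def nginx_allowlist():
    """Render an nginx snippet admitting only Cloudflare edges, as the reply recommends."""
    lines = [f"allow {cidr};" for cidr in CLOUDFLARE_V4]
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    for r in direct_to_origin(SAMPLE_LOG):
        print(f"BYPASS {r['ip']:15} {r['method']} {r['path']} -> {r['status']}")
    print("\n# nginx: place inside the server block for the WordPress vhost")
    print(nginx_allowlist())
```

If the entries that Wordfence reports as failed logins show up in the `BYPASS` list, the origin IP is reachable without going through Cloudflare, and the allow/deny snippet (or the equivalent host firewall rules) closes that path. Two caveats when deploying it: once the origin only accepts Cloudflare connections, the web server should be configured to take the visitor address from the `CF-Connecting-IP` header (nginx’s `real_ip` module, for instance), otherwise Wordfence and the access log will record the edge address instead of the client; and the IPv6 ranges must be added alongside the IPv4 ones if the origin has an AAAA record.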

Thank you. I don’t believe it is possible to access pages on a Wordpress site without using the hostname, which, I presume, then directs traffic through Cloudflare.

How does the malicious traffic reach our server if Cloudflare is blocking it?
