I have a WordPress site that is constantly being attacked by bots. 99.5% of the bot traffic originates outside of my continent (Africa). As there are sometimes hundreds of attempts on my WordPress site, I have a number of WAF rules to address this, in order:
- White-list “good” bots (checks user-agent for specific strings used by trusted services), skips all subsequent rules
- JS Challenge non-African traffic
- Block any non-African traffic where requests (URL_FULL) contain “wp-admin” or “wp-login”
I can see these rules working and I can see the “blocked” traffic, which is exactly as expected.
What is unexpected are the alerts from Wordfence (WordPress WAF) relating to failed login attempts. These “failed” login attempts correspond with traffic that Cloudflare claims to have blocked. I verified this by comparing the failed login’s details (MAC address / IP address and country) in Wordfence to the WAF Events in Cloudflare.
So, how is it that traffic that is blocked at the “edge” is still able to post data to my WordPress website? I would expect that when the traffic is blocked, the request would not reach my web-server.
Here are the events showing “blocked” traffic.
Here’s an example email from WordPress notifying me of the failed login, which was supposedly “blocked”.
I’ll concede that I may be wrong in my understanding of how the WAF works; it just seems odd that the “block” action doesn’t actually seem to “block” the traffic.