WAF Rule not working as intended

I have a Wordpress site (6.3.1) and the url for editing a Post is https://content.***.com/wp-admin/edit.php. This page returns a 403 error caused by my WAF Rule.

The WAF Rule in Cloudflare is to block if:
(http.request.full_uri contains "content.***.com/wp-json" and ip.src ne ***.**.***.*** and ip.src ne ***.**.***.*** and ip.src ne ***.**.***.***)

For editing a post the url is /wp-admin/edit.php. I think this makes requests to the wp-json API internally when editing a post, so I can see how the rule gets triggered.

But I have included the IP address of my computer as well as of the server hosting the application as exceptions.
I can confirm this works, since with the WAF Rule enabled I can still visit a url with wp-json and when I remove my IP address from the exceptions, I cannot visit that same url.

How can the rule then still cause the 403 error when visiting /wp-admin/edit.php (and what can I do about it)?


Hi,

In all likelihood it’s another rule, or perhaps another Cloudflare service altogether (Bot Fight Mode, Security Level etc.) that is blocking your requests for the /wp-json/ endpoints, though this could also be blocked by WordPress itself depending on how your installation is set up.

Please visit your website and perform the action that would normally result in a request being blocked. Make sure you have Developer Tools open (F12).

Then:

  1. Wait a few minutes
  2. Go to Dashboard > Security > Events. If the request was in fact blocked by Cloudflare, you should find an event related to that block/challenge action. Depending on your site traffic, you may need to filter by IP address, User Agent, URI Path, etc. to find it. Check the “Service” that blocked it.
  3. If this was
    a) Bot Fight Mode, disable this feature.
    b) Super Bot Fight Mode, create a WAF Custom Rule to Skip it for the specific situation, with relevant conditions such as the URI Path and the visitor’s IP, for example;
    c) WAF Managed Rule, you need to create a WAF Exception for that rule. See: Add a WAF exception in the dashboard · Cloudflare Web Application Firewall (WAF) docs
    d) WAF Custom Rule, you need to edit it accordingly.

If instead you cannot find an event logged by Cloudflare, then the 403 was returned from your origin, and you need to investigate if your theme or any of your plugins is blocking the access to the WordPress REST API.


Thanks for taking a look at this. But as mentioned, I already confirmed it is the WAF Custom Rule that is causing the problem. When I disable it, the error is gone.

My question is basically what is wrong with my Custom WAF Rule, as it seems correct to me.

It is correct as far as the logic goes. Have you checked Security > Events to make sure the IP being blocked is in fact among the ones in your rule?


Ah, yeah, got it. I had not looked at the IP address in the Events log. It turns out it takes my IPv6, and whereas my IPv4 address (almost) never changes, my IPv6 address regularly changes. As a result, the IPv6 address I had in the exceptions was not up to date. Replacing it with the correct IPv6 address, solved it. Thanks!

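The failure mode in the thread (exact-match IP exceptions that silently stop matching once the client's IPv6 address rotates) is easy to reproduce offline. The following is an added example, not code from the original post or from Cloudflare: a small Python model of the custom rule's logic, run over a constructed set of requests. The hostname, all addresses and the assumption that the workstation's IPv6 comes from a single /64 delegation are stand-ins for the values redacted in the thread; the Cloudflare expression it renders uses the rule language's set syntax (`ip.src in {...}`), which accepts both single addresses and CIDR prefixes.

```python
import ipaddress

# Constructed stand-ins for the redacted values in the thread (not the poster's real host or addresses).
SITE = "content.example.com"
WORKSTATION_V4 = "203.0.113.10"
ORIGIN_V4 = "198.51.100.20"
WORKSTATION_V6_OLD = "2001:db8:1:2:aaaa:bbbb:cccc:dddd"   # workstation IPv6 when the rule was written
WORKSTATION_V6_NEW = "2001:db8:1:2:1111:2222:3333:4444"   # same /64, rotated interface identifier

# Exceptions as exact addresses, the way the original rule was written (ip.src ne ... and ip.src ne ...).
EXACT_EXCEPTIONS = [WORKSTATION_V4, ORIGIN_V4, WORKSTATION_V6_OLD]

# Exceptions as prefixes: the IPv6 entry covers the whole delegated /64 (assumed delegation size).
PREFIX_EXCEPTIONS = [WORKSTATION_V4 + "/32", ORIGIN_V4 + "/32", "2001:db8:1:2::/64"]


def is_blocked(full_uri, src_ip, exceptions):
    """Model of the custom rule: block when the URI contains SITE/wp-json and ip.src is not
    covered by any exception. Exceptions may be bare addresses or CIDR prefixes."""
    src = ipaddress.ip_address(src_ip)
    nets = [ipaddress.ip_network(e, strict=False) for e in exceptions]
    # An IPv4 address tested against an IPv6 network (or vice versa) simply yields False.
    exempt = any(src in n for n in nets)
    return f"{SITE}/wp-json" in full_uri and not exempt


def cloudflare_expression(exceptions):
    """Render the same logic in Cloudflare's rule language as one set membership test."""
    ip_set = " ".join(exceptions)
    return (f'(http.request.full_uri contains "{SITE}/wp-json" '
            f'and not ip.src in {{{ip_set}}})')


def evaluate(exceptions):
    """Run a constructed sample of requests through the rule; return {label: blocked}."""
    samples = {
        "editor over IPv4": (f"https://{SITE}/wp-json/wp/v2/posts/1", WORKSTATION_V4),
        "editor over old IPv6": (f"https://{SITE}/wp-json/wp/v2/posts/1", WORKSTATION_V6_OLD),
        "editor over rotated IPv6": (f"https://{SITE}/wp-json/wp/v2/posts/1", WORKSTATION_V6_NEW),
        "origin calling itself": (f"https://{SITE}/wp-json/wp/v2/types", ORIGIN_V4),
        "anonymous scanner": (f"https://{SITE}/wp-json/wp/v2/users", "192.0.2.77"),
        "edit screen itself": (f"https://{SITE}/wp-admin/edit.php", WORKSTATION_V6_NEW),
    }
    return {label: is_blocked(uri, ip, exceptions) for label, (uri, ip) in samples.items()}


if __name__ == "__main__":
    for name, exc in (("exact", EXACT_EXCEPTIONS), ("prefix", PREFIX_EXCEPTIONS)):
        print(f"--- {name} exceptions: {cloudflare_expression(exc)}")
        for label, blocked in evaluate(exc).items():
            print(f"{'BLOCK' if blocked else 'allow':5}  {label}")
```

With the exact-address list, the only request the rotated IPv6 client gets through is the /wp-admin/edit.php document itself; every wp-json call the editor then makes is blocked, which is exactly the symptom in the thread. With the /64 prefix it is allowed again while the unrelated scanner stays blocked. Two caveats: the delegation size is an assumption, so confirm the real prefix from the addresses shown in Security > Events before widening the exception; and if the ISP rotates the prefix itself rather than just the interface identifier, an IP-based exception will never be stable and the REST API should be protected by authentication instead.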
