WAF rule not working for mail.domainname.ca/xmlrpc.php

What is the name of the domain?

monitrol.ca

What is the error message?

X was blocked for Accessed a banned URL at http://mail.monitrol.ca/xmlrpc.php (Wordfence message)

What is the issue you’re encountering?

Wordfence has detected multiple intrusion attempts. One of them involved access to a banned URL: http://mail.domainename.ca/xmlrpc.php

What steps have you taken to resolve the issue?

Hello,
I added those rules to the Cloudflare firewall but they don’t match mail.monitrol.ca because in the DNS the mail is set to DNS only. Shall I change it to proxied?

These are the rules set in the Cloudflare firewall:
(http.request.uri.path contains "xmlrpc.php") or
(http.request.uri.path contains "wxo.php") or
(http.request.uri.path contains "inputs.php") or
(http.request.uri.path contains "wp-configs.php") or
(http.request.uri.path contains "config.php") or
(http.request.uri.path contains "class_api.php") or
(http.request.uri.path contains "colour.php") or
(http.request.uri.path contains "alfa.php") or
(http.request.uri.path contains "alfanew.php") or
(http.request.uri.path contains "/wp-admin/install.php") and

Screenshot of the error

mail.monitrol.ca is not proxied so requests to it are not passing through Cloudflare and so the WAF rule won’t have any effect. But if you use that domain for email traffic as well as web traffic, it will need to stay “DNS only” for email to work.
https://cf.sjr.dev/tools/check?ad1a3d421dbd41c088d5d3e392b98255#dns-other

If you want to use the proxy to protect HTTP/S traffic while also using email, you’ll need to use separate subdomains. If mail is just used for HTTP/S traffic and not email, then you can just proxy it.
