WAF Rule Not Working

I’ve added a rule to WAF to try and protect WordPress, but it doesn’t seem to be working. Is anyone able to see what I’m doing wrong?

In general, I’m hoping to restrict access to the wp-admin page unless a query string is provided. So if I go to MyDomain.com it should block me. If I go to MyDomain.com?challenge=LetMeIn it should proceed. However, I’m still able to view the login page after visiting my domain. Any thoughts?

(http.request.uri.path contains "/wp-admin.php" and not http.request.uri.query contains "challenge=LetMeIn")
Then Block

Firstly, I think you should either be using wp-admin (anything below that directory) or directly the wp-login.php file to which it redirects, as I don’t know about wp-admin.php :thinking:

Nevertheless, that would block any resource you’d try to fetch, as long as the links wouldn’t have the query challenge=LetMeIn by default in the WordPress installation.

I am afraid this is not a good way to go.

At least, I’d suggest you put a JS Challenge if uri.path contains wp-login.php and install a plugin for Google reCAPTCHA on the login form.

Otherwise, you could limit access to wp-login.php only to your IP, or your country, plus use another Firewall Rule to challenge each request to wp-login.php.

Kindly, I’d like to share two of my posts containing multiple things related to WordPress security using Cloudflare WAF and Firewall Rules and other security options available to us.

Combining them into a few Firewall Rules, you can get what you need for the best possible security & protection of your WordPress instance :wink:

We can also use Cloudflare Access / Zero Trust (Teams) for WordPress admin, check here:


Thanks, this is very helpful! I have reviewed your posts as well and they were also great reads!

I have another rule in there alongside the wp-admin one as follows:
(http.request.uri.path contains "/wp-login" and not http.request.uri.query contains "challenge=CRPLogin")

The rule has the logic to try and block any attempt to access wp-admin and wp-login without the challenge parameter. Per your comment, this should block access, but it isn’t. I can visit domain/wp-login.php no problem without the challenge.

Do these rules take some time to set in before they take effect? Am I maybe not writing the .path contains syntax correctly?
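To see why the rule as posted never fires on the admin pages, here is an added example (not from this thread or from Cloudflare) that models the two expressions locally over constructed request URLs. It assumes Cloudflare's `contains` is a plain case-sensitive substring test on the path and query fields, and the "/wp-admin" directory form is an assumed correction following fritex's note.

```python
from urllib.parse import urlsplit

# Simplified local model of the Firewall Rule expressions from the thread.
# Assumption: Cloudflare's `contains` is a case-sensitive substring test on
# http.request.uri.path and http.request.uri.query.
RULES = {
    # The rule as posted in the question: this is a file name, and WordPress
    # serves /wp-admin/ as a directory, so the path never contains it.
    "wp-admin-as-posted": ("/wp-admin.php", "challenge=LetMeIn"),
    # Directory form (assumed corrected value, per fritex's note).
    "wp-admin-directory": ("/wp-admin", "challenge=LetMeIn"),
    # The second rule from the follow-up post.
    "wp-login": ("/wp-login", "challenge=CRPLogin"),
}


def blocked(url: str, rule: str) -> bool:
    """True when the rule's 'Then Block' action would fire for this URL.

    Mirrors: (uri.path contains X and not uri.query contains Y)
    """
    path_needle, query_needle = RULES[rule]
    parts = urlsplit(url)
    return path_needle in parts.path and query_needle not in parts.query


def evaluate(urls, rule):
    """Map each sample URL to the block decision for one rule."""
    return {u: blocked(u, rule) for u in urls}


# Constructed sample requests a tester might send (not real traffic).
SAMPLE = [
    "https://example.com/wp-admin/",
    "https://example.com/wp-admin/?challenge=LetMeIn",
    # Admin pages load resources like this without the challenge query,
    # which is why fritex warns the approach breaks the dashboard.
    "https://example.com/wp-admin/load-styles.php?c=1",
    "https://example.com/wp-login.php",
    "https://example.com/wp-login.php?challenge=CRPLogin",
]

if __name__ == "__main__":
    for name in RULES:
        print(name)
        for url, hit in evaluate(SAMPLE, name).items():
            print(f"  {'BLOCK' if hit else 'allow':5} {url}")
```

Note that the model does not follow redirects: a tester whose browser is sent from /wp-admin/ to /wp-login.php?redirect_to=... is evaluated on the final URL, which is the situation described in the resolution below.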

I managed to resolve the issue with help from fritex’s note.

I also found that the rules were not triggering for me when I was testing because I was accidentally indirectly accessing the pages in question that I wanted to block through a redirect. By visiting the pages directly I could see the rules working.
