Why is a Cloudflare IP trying to POST to xmlrpc.php WordPress?

Is this usual behavior? It looked to us like our site was being compromised, so we blocked an IP because there were hundreds of POST requests to our xmlrpc.php file, which is a well-known WordPress security flaw. Our site went down all day… turns out it was a Cloudflare IP! Why is this?

That's not a Cloudflare request, that's a regular request routed via the proxies, and you don't restore IP addresses on your end, hence you only get the proxy addresses.

Hi Sandro, thanks for your response.
I can see from the below URL that 162.158* is a CF IP?

Well, the address is a Cloudflare address but the request still does not come from Cloudflare. Please use the search and check out support.cloudflare.com. You need to understand how Cloudflare works before you proceed using it, as well as the necessity of restoring IP addresses.

Thanks @sandro, I will look into restoring original visitors' IPs.
Even with CF completely removed from my site, I still see a CF IP flooding my site. Are bots/scripts still masking their IPs with yours even though it's inactive?

This is probably because these crawlers still have the Cloudflare addresses cached and go via the proxies. For now you could block all proxied requests.
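
Added example, not part of the thread above: a minimal Python sketch of the IP restoration discussed in the replies, attributing POSTs to xmlrpc.php to the visitor address instead of the proxy address. It assumes the origin logs the `CF-Connecting-IP` request header; the log entries are constructed, the function names are hypothetical, and only the 162.158.0.0/15 block mentioned in the thread is listed (load the full range list Cloudflare publishes in real use).

```python
import ipaddress
from collections import Counter

# Assumption: only the block seen in the thread; the full list is published by Cloudflare.
CLOUDFLARE_NETS = [ipaddress.ip_network("162.158.0.0/15")]

# Constructed sample entries: (peer address, method, path, CF-Connecting-IP or None)
SAMPLE_LOG = [
    ("162.158.10.7", "POST", "/xmlrpc.php", "203.0.113.50"),
    ("162.158.10.7", "POST", "/xmlrpc.php", "203.0.113.50"),
    ("162.158.92.14", "POST", "/xmlrpc.php", "203.0.113.50"),
    ("162.158.10.7", "GET", "/", "198.51.100.23"),
    ("192.0.2.99", "POST", "/xmlrpc.php", "198.51.100.23"),  # direct hit, header not trusted
    ("162.158.10.7", "POST", "/xmlrpc.php", "not-an-ip"),    # malformed header
]

def is_cloudflare(peer):
    """True when the connecting address belongs to a listed proxy range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CLOUDFLARE_NETS)

def real_client_ip(peer, cf_header):
    """Return the visitor address; trust the header only when the peer is a proxy."""
    if cf_header and is_cloudflare(peer):
        try:
            return str(ipaddress.ip_address(cf_header.strip()))
        except ValueError:
            return peer  # malformed header: fall back to the connection address
    return peer  # direct connection: the header could be set by anyone

def xmlrpc_posts_by_client(entries):
    """Count POSTs to /xmlrpc.php per restored client address."""
    counts = Counter()
    for peer, method, path, cf_header in entries:
        if method == "POST" and path.split("?")[0] == "/xmlrpc.php":
            counts[real_client_ip(peer, cf_header)] += 1
    return counts

if __name__ == "__main__":
    for ip, n in xmlrpc_posts_by_client(SAMPLE_LOG).most_common():
        note = "proxy address, do not block" if is_cloudflare(ip) else "visitor"
        print(f"{ip}\t{n}\t{note}")
```

Blocking decisions are then made on the restored address, while any address that still resolves to a proxy range is flagged rather than blocked.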

