Why is wp-config.php 403 blocked?

What is the name of the domain?

https://flysurgery.com/wp-config.php

What is the error number?

403

What is the error message?

Sorry, you have been blocked You are unable to access flysurgery.com

What is the issue you’re encountering?

403 blocked

What steps have you taken to resolve the issue?

no waf rules.
set protection to essentially off.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

browse to https://flysurgery.com/wp-config.php

this site isn’t even wordpress but all my sites give this error when the path ends with wp-config.php, wordpress or not.
strangely i see no logs pertaining to this event.
there are no waf or page rules for this site.

have seen other posts about this issue but no definitive answers on why this is happening or what’s causing it.

You can check your security events log for the reason…
https://dash.cloudflare.com/?to=/:account/:zone/security/events

You should see it’s part of the managed ruleset for free zones…

yes, i see them in the logs now.

guess the events take some time to show up in the logs.

assume this free zone ruleset is not overridable.

Nobody should ever be allowed to browse to that URL, as it would expose sensitive information about the website’s configuration.

actually it doesn’t expose anything, unless php isn’t set up properly, which may be the reason for the rule.

agree that it’s a useful rule but would be helpful if cf at least indicated that such rules are being enforced. like perhaps show them in a read-only format or something.

otherwise we’re kinda in the dark about what rules are being enforced. the logs help, but apparently they’re somewhat delayed and not real time.

suppose someone not using wordpress wanted to set up a path by that name, for whatever reason. others may want to use it as a honeypot. now they’ll be confused.

it’s a small matter, but a bit more transparency can save time and avoid confusion.

Fair point. I should have said it could expose that information.
