Wordfence Security not working with Cloudflare

My website in WordPress used Wordfence Security and it won't scan the website for malware as there is an issue with Cloudflare settings. When Cloudflare is off, it works. Can anyone assist in finding the issue?

May I ask whether you have followed the instructions from the article below?

Furthermore, if you added the IPs (from the Wordfence article above + your origin host / server IP) to the IP Access Rules (with Allow) and therefore created a Firewall Rule (again, with Allow), putting it in 1st place (from the top), I think it should work.

Nevertheless, in the Wordfence options you have to select and choose the “CF-Connecting-IP” option (Use the Cloudflare “CF-Connecting-IP”). Do not forget to save to apply the changes.

Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.

Wordfence is fully compatible with Cloudflare, and in some configurations, Cloudflare will send the real visitor IP address to your web server using the CF-Connecting-IP HTTP header. If Cloudflare support personnel have advised you that this is the case, then enable this option in Wordfence.

Note that Cloudflare has several configurations including their own web server module that takes care of detecting the visitor IP address, so be sure to work with their technical support staff and read their documentation to determine which configuration you are using.

There could be a temporary workaround: before running a scan, you could temporarily select Pause Cloudflare on Site from the Cloudflare dashboard for your domain, or switch to the grey cloud (DNS-only). After the scan completes, switch back to the orange cloud (proxied).

Nevertheless, this is sometimes known to happen due to WordPress using HTTP/1.0 and an empty user-agent while executing WP-Cron or some other related JSON/REST API request via a plugin, which triggers the WAF rules (as it normally should); some of the regular requests are then challenged or blocked, and they show up in the Firewall Events (Security → Events).

SBFM is good; however, in some cases there are requests which trigger it and are blocked. Customers reported this, and the other workaround is to whitelist your origin host / server / hosting IP address by navigating to Security → WAF → Tools → IP Access Rules with the action “allow” for your website, and then try again.

Other useful article:

I tried most of these ways but the AJAX handler unblock and waiting on IP addresses from the host to add to Cloudflare firewall whitelist. Nothing else worked.

I'm getting this error in the Wordfence Tools > Diagnostics > Connectivity tab:
wp_remote_post() test back to this server failed! Response was: 403 Forbidden

This is the error I'm getting after I click on scan in the Wordfence plugin:

https://prnt.sc/rr2CuAYp03-f

I believe Cloudflare is the culprit. Without Cloudflare proxy settings, the Wordfence scan works fine.

Anyone out there that can help?

I added all Wordfence scanning IPs and servers in WAF firewall rules and IP Access Rules in Cloudflare. Nothing is working. What’s the difference between firewall rules and IP Access Rules?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.
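
An added example, not part of the thread and not Wordfence's or Cloudflare's code: a Python illustration of why the “CF-Connecting-IP” option quoted above should only be used behind Cloudflare, and of which address the site's own loopback request (the failing `wp_remote_post()` test) appears to come from. The function names, `EDGE_RANGES` (documentation ranges standing in for Cloudflare's published edge ranges) and all sample addresses are assumptions constructed for the example.

```python
import ipaddress

# Constructed stand-ins (documentation ranges), NOT Cloudflare's real edge ranges.
# A real deployment would load the ranges Cloudflare publishes.
EDGE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cf::/48")]
ORIGIN_EGRESS_IP = "198.51.100.10"  # constructed: the web server's own outbound IP


def peer_is_edge(remote_addr, edge_ranges=EDGE_RANGES):
    """True if the TCP peer address lies inside one of the trusted proxy ranges."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in edge_ranges)


def visitor_ip(remote_addr, headers, edge_ranges=EDGE_RANGES):
    """Return (ip, source) for one request; headers is a dict with lower-cased names."""
    if not peer_is_edge(remote_addr, edge_ranges):
        # Request reached the origin directly: the header is client-controlled,
        # so it is ignored and the TCP peer address is used.
        return remote_addr, "remote_addr"
    claimed = headers.get("cf-connecting-ip", "").strip()
    try:
        return str(ipaddress.ip_address(claimed)), "cf-connecting-ip"
    except ValueError:
        # Header missing or malformed even though the peer is the proxy.
        return remote_addr, "remote_addr"


if __name__ == "__main__":
    samples = [  # constructed requests: (label, TCP peer, headers)
        ("visitor via proxy", "203.0.113.7", {"cf-connecting-ip": "192.0.2.44"}),
        ("direct hit, forged header", "192.0.2.99", {"cf-connecting-ip": "10.0.0.1"}),
        # The site calling its own public hostname goes out to the proxy and comes
        # back with the server's egress IP as the visitor (assumed egress address).
        ("loopback scan request", "203.0.113.8", {"cf-connecting-ip": ORIGIN_EGRESS_IP}),
    ]
    for label, peer, hdrs in samples:
        print(f"{label:28} -> {visitor_ip(peer, hdrs)}")
```

The third sample is the case the thread is about: the scan's request back to the site is seen with the origin server's own IP as the visitor, which is the address the replies suggest adding to IP Access Rules with Allow.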