I recently discovered this article https://blog.cloudflare.com/wordpress-pingback-attacks-and-our-waf/
and was wondering what I need to enable the rules mentioned there.
It happens that one of my customers' sites (built in WordPress) is receiving a lot of visits to the
/xmlrpc.php and /wp-login.php URLs.
The specific rules mentioned are WAF rules, available with the Pro Plan and higher.
You can try Access and create policies for each of those URLs, as well as for the whole /wp-admin/ area… Access is free for up to 5 users.
Another alternative is to create a Firewall Rule for these URLs to challenge (captcha) visitors. This will block bots, but may alienate users as well, so it all depends on how many users the site needs to allow to sign in using these URLs.
Good to know that it is an option for Cloudflare PRO plans; I will give it a try.
BTW I already have a captcha challenge on some WordPress sites using the free Cloudflare version,
but I was forgetting about the URL xmlrpc.php, which is also a frequent target of attacks.
Any suggestion for that?