A client phoned me this morning to tell me their site was down. I checked on the server and it was a load issue because a single IP address was hitting /wp-login.php multiple times per second. I'm on the Cloudflare Pro plan and have WAF turned on with the Cloudflare WordPress rule set enabled. Under the page rules section I also have a rule that matches *example.com/wp-login* which sets the security level to high and turns on browser integrity check. However, neither of these blocked it.

Am I doing something wrong? Do I need to enable extra rules inside the Cloudflare WordPress ruleset (for example 100000 Wordpress - DoS - Numbers Botnet)? Does anyone know where I can get details on what these rules do other than by contacting support?

I know you can do rate limiting, but I believe that costs extra and this seems more like it should fall under the WAF rules. I could install fail2ban on the server, but it would be nice if Cloudflare were to block this before it gets there.
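The symptom described in this post (one IP hammering /wp-login.php many times per second) is easy to confirm from the origin server's access log before deciding whether a WAF rule, rate limiting or fail2ban is the right fix. The script below is an added example, not part of the original post and not Cloudflare or WordPress code. It assumes an Apache/nginx "combined" log format, and the log lines, IP addresses, timestamps and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: 203.0.113.7 sends 8 POSTs in one second,
# 198.51.100.20 logs in normally, 192.0.2.9 just fetches the home page.
SAMPLE_LOG = [
    '198.51.100.20 - - [12/Oct/2023:10:14:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Oct/2023:10:14:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Oct/2023:10:15:31 +0000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"',
] + [
    '203.0.113.7 - - [12/Oct/2023:10:15:32 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "python-requests/2.31"'
    for _ in range(8)
]


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_login_floods(lines, path="/wp-login.php", window_seconds=1.0, threshold=5):
    """Flag IPs that hit `path` more than `threshold` times within any
    `window_seconds`-long sliding window. Returns {ip: peak requests in window}."""
    windows = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, req_path = rec
        if req_path.split("?", 1)[0] != path:
            continue  # only the login endpoint is of interest here
        dq = windows[ip]
        dq.append(ts)
        # drop timestamps that have fallen out of the sliding window
        while (ts - dq[0]).total_seconds() > window_seconds:
            dq.popleft()
        if len(dq) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(dq))
    return flagged


if __name__ == "__main__":
    for ip, peak in find_login_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests to /wp-login.php within 1s")
```

One caveat when the site sits behind Cloudflare: the first field of the origin log is Cloudflare's edge address unless the web server has been configured to restore the visitor IP from the CF-Connecting-IP header (mod_cloudflare / mod_remoteip on Apache, the real_ip module on nginx). Without that, per-IP counting like the above, and fail2ban rules built on the same log, would attribute the flood to Cloudflare's own ranges.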