Wp Admin getting hammered even behind Cloudflare

I have a site behind Cloudflare with these rules in place. There is a * before and after the site URL, so not sure why it stripped it here.

mywebsite.com/wp-login.php

Browser Integrity Check: On, Security Level: I’m Under Attack, Cache Level: Bypass, Disable Performance

and

mywebsite.com/wp-admin

Security Level: High, Cache Level: Bypass

I’m running Wordfence as well and keep getting alerts of attack increase on wp-admin. Are these rules actually doing anything for me? I thought they would help stop these types of attacks.

The Wordfence Web Application Firewall has blocked 273 attacks over the last 10 minutes. Below is a sample of these recent attacks:

November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: ebookdownloadurl=…/…/…/wp-config.php
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: download=…/…/…/wp-config.php
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: file=…/…/…/…/wp-config.php
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: file=…/…/wp-config.php
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: path=…/…/…/wp-config.php
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: download_file=…/…/…/…/…/wp-config.php
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: filename=…/…/…/wp-config.php
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: file=…/…/…/wp-config.php
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: file=…/…/…/wp-config.php
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: alg_wc_pif_download_file=…/…/…/…/…/wp-config.php

A JavaScript challenge is trivial to solve if the bot was made to do so. Captcha or rate limiting are an alternative; however, the better and must approach would be to simply trust nothing and allow only connections from the VPN of your business.

The * doesn’t show because text with a * before and after will be italicized. That’s why I code bracket it from the formatting bar *so it shows up*.

Those page rules don’t apply to directory traversal, but you can certainly use a Firewall Rule to block any requests containing wp-config.

3 Likes
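
To check what a "block any request containing wp-config" rule would have covered, the Wordfence sample can be parsed and replayed against a model of that rule. This is an added example, not code from the thread or from Cloudflare or Wordfence; the function names, the constructed fourth log line and the exact rule expression in the comment are assumptions.

```python
import re
from collections import Counter

# First three lines are copied from the Wordfence sample in the post; the last
# is constructed for this example (documentation IP, mixed-case file name).
SAMPLE = """\
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: ebookdownloadurl=…/…/…/wp-config.php
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: download=…/…/…/wp-config.php
November 21, 2020 10:19am 178.213.188.182 (Ukraine) Blocked for Directory Traversal - wp-config.php in query string: alg_wc_pif_download_file=…/…/…/…/…/wp-config.php
November 21, 2020 10:20am 203.0.113.7 (Constructed) Blocked for Directory Traversal - wp-config.php in query string: file=…/…/WP-Config.php
"""

ALERT = re.compile(
    r"^(?P<when>\w+ \d{1,2}, \d{4} \d{1,2}:\d{2}[ap]m) (?P<ip>\S+) \((?P<country>[^)]*)\) "
    r"Blocked for (?P<reason>.+?) in query string: (?P<param>[^=]+)=(?P<value>.*)$"
)

def parse_alerts(text):
    """Return one dict per line that matches the Wordfence alert e-mail format."""
    return [m.groupdict() for m in map(ALERT.match, text.splitlines()) if m]

def edge_rule_matches(query, needle="wp-config"):
    """Model of a 'query string contains wp-config' firewall rule.

    Assumption: the rule lower-cases the value first, which in Cloudflare's
    expression language is: lower(http.request.uri.query) contains "wp-config"
    """
    return needle in query.lower()

def summarize(text):
    """Group the alerts by source and parameter and replay them against the rule."""
    alerts = parse_alerts(text)
    return {
        "total": len(alerts),
        "by_ip": Counter(a["ip"] for a in alerts),
        "by_param": Counter(a["param"] for a in alerts),
        # Requests the modelled rule would stop before they reach WordPress.
        "caught_at_edge": sum(edge_rule_matches(f'{a["param"]}={a["value"]}') for a in alerts),
        # Requests a case-sensitive 'contains "wp-config"' would let through.
        "missed_if_case_sensitive": sum("wp-config" not in a["value"] for a in alerts),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

The per-IP count also shows whether the burst comes from one address, as it does in the posted sample, or from many.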