Rant, Cloudflare Bot Fight Mode doesn’t provide firewall bypass or whitelist?

0
Shares
0
0
0
0
0
0
Table of Contents
  1. Cloudflare Bot Fight Mode….
  2. The problem
    1. Zapier
    2. Manual WordPress Cron via URL
  3. Solutions and Support
    1. Submit service to Cloudflare for Review
    2. Using Cloudflare IP Access Rules
  4. Other Affected Software
  5. Updates

Content Error or Suggest an Edit

Notice a grammatical error or technical inaccuracy? Let us know; we will give you credit!

Cloudflare Bot Fight Mode….

So my rant today is directed at Cloudflare. Why? Because they really kinda pissed me off here

There is a feature under all Cloudflare plans called “Bot Fight Mode” which is supposed to help with blocking bots or automated attacks. For instance, if you suffer from card testing attacks.

The problem

Zapier

But here’s the problem, what if Cloudflare thinks Zapier is a bot? Or the origin IP address of the DNS record, aka your server. You’re screwed unless you have an enterprise plan.

The Cloudflare firewall only comes into play after Bot Fight Mode and before the IP Access Rules. So you can add the origin IP Address of your server to the IP Access Rules and bypass Bot Fight Mode. However for Zapier, since they’re on AWS that could mean allow all of AWS. Which is a huge network, and attacks can originate from AWS.

Ideally, you would put in a firewall rule to allow the Zapier endpoint *wc-zapier* to bypass the Bot Fight Mode. But you can’t.

Manual WordPress Cron via URL

If you have a large site, or just looking to change how often the WordPress cron runs. You might have set the WordPress cron to run manually versus automatically. To do this you have two options, one of them is by visiting the WordPress cron URL. This method is blocked by Cloudflare, even if the request comes from the origin servers IP Address.

Solutions and Support

There’s lots of talk on the Cloudflare community forums.

Submit service to Cloudflare for Review

If you have a bot or automation software like Zapier, you can submit it to Cloudflare to be whitelisted. As per this FAQ article.

What is cf.bot_management.verified_bot?

I’ve submitted Zapier so we’ll see what happens!

Using Cloudflare IP Access Rules

You can add the service providers’ IP’s to the “IP Access Rules” under Firewall->Tools. This works if you know the IP range of the service provider affected. However, not all service providers provide this information and you’ll have to keep it up to date.

Other Affected Software

I’ve compiled a list of software that is affected by Cloudflare’s Bot Fight Mode.

Updates

  • 09/11/2021 – added Markup.io thanks to Joe Fletcher at fletcherdigital.com also added section discussing manual WordPress cron via URL.
  • 11/03/2021 – added setcronjob.com thanks to Dave.
  • 11/03/2021 – added Cloudflare IP Access Rules solution.
0 Shares:
Share 0
Tweet 0
Share 0
Share 0
Share 0

Author

Jordan Trask

With 20 years experience in technology spanning from Linux, Data Center Infrastructure and related services and applications. Jordan consults with small, medium and large organizations tackling problems and technology needs. With 10 years experience in WordPress, he’s created Managing WP as a means to dump his brain on the web.

Jordan operates LMT Solutions providing Technology Consulting Services and We Power WP for WordPress Care Plans and Support.

Join our Newsletter


— Previous article

Cyberpanel Cheatsheet

Next article —

Replacing WordPress WP Cron with Linux cronjob (URL and wp-cli Method)