Yes, you are.
This policy allows only your server and yourself (while your are logged-in) to connect back to the admin-ajax.php script, and will block bots. If you need the pinterest.com bot to connect to it, disable the policy.
Hi!
Are the attacks blocked even if it is not explicitly stated in the log file?
For example, I found the entries below in my log file. Were these blocked by the firewall?
#1949438 CRITICAL 1540 172.104.183.220 GET /wp-admin/admin-ajax.php - Unauthenticated action - [REQUEST:action = duplicator_download]
#5664348 HIGH 310 172.104.183.220 GET /wp-admin/admin-ajax.php - Access to a configuration file - [GET:file = ../wp-config.php]
#6520312 HIGH 310 91.121.82.163 GET /wp-admin/admin-ajax.php - Access to a configuration file - [GET:file = ../wp-config.php]
#7243699 HIGH 310 91.121.82.163 GET /wp-admin/admin-ajax.php - Access to a configuration file - [GET:img = ../wp-config.php]
#3742363 CRITICAL 1 91.121.82.163 GET /index.php - Directory traversal - [GET:mla_download_file = ../../../../wp-config.php]
There were blocked. As indicated below the log, it shows all threats that were blocked by the firewall, unless stated otherwise.