Blocking all visitors through Cloudflare

  • Resolved Jim

    (@jwmc)


    5 years, 8 months ago

    When I started Cloudflare “full zone” protection, pointing my domain to their nameservers, Wordfence began blocking me and presumably every visitor for accessing a banned URL. I repointed the nameservers and turned Cloudflare off.

    I’ve searched the forums and WF help, but I still don’t understand how Wordfence thought ordinary URLs were banned and I’m not sure what to do. I read the help for the “Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP” control, but it sounds like this may or may not work. I can’t afford to let this happen again. How can I predict if that is the way to go?

    Thanks.

    PS – My interest in using Cloudflare is more for CDN/speed benefits than for security – for that I count on Wordfence.

    The page I need help with: [log in to see the link]

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    5 years, 8 months ago

    Hi @jwmc, thanks for reaching out to us on this.

    The original problem definitely sounds like an issue with how Wordfence is getting its IP addresses. Enable Cloudflare and set the CF-Connecting-IP HTTP Header value in Wordfence > All Options > General Wordfence Options > How does Wordfence get IPs as instructed in https://www.wordfence.com/help/dashboard/options/

    Make sure the detected IP under that section matches your public IP as shown on https://www.whatsmyip.com.

    If you are concerned about suffering more lockouts, you could potentially disable the firewall, re-enable Cloudflare, then check the settings I mentioned above.

    When you test again, if a lockout occurs, using FTP or your hosting dashboard, rename the “wordfence” folder in wp-content/plugins to “wordfence.bak”. Sign back in to WordPress, and using the Wordfence Assistant plugin, disable the firewall, then rename “wordfence.bak” back to just “wordfence” to reactivate the plugin.

    Thanks,

    Peter.

    Thread Starter Jim

    (@jwmc)

    5 years, 8 months ago

    Thank you, that setting seems to work perfectly, assuming eveyone is going through Cloudflare now as I am. I’ve let it run for about an hour, watching Live Traffic. All the IPs are there and it doesn’t seem people are getting blocked.

    Thank you!

    Thread Starter Jim

    (@jwmc)

    5 years, 8 months ago

    Except Wordfence is reporting in the plugin that

    Your ‘How does Wordfence get IPs’ setting is misconfigured. This site is currently using the Cloudflare “CF-Connecting-IP” HTTP header, which should only be used when the site is behind Cloudflare. For maximum security use PHP’s built in REMOTE_ADDR. Click here to use the recommended setting or visit the options page to manually update it.

    But the site is “behind” Cloudflare.

    Edit: Nevermind, I guess I just had to dismiss that warning.

    • This reply was modified 5 years, 8 months ago by Jim.
Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Blocking all visitors through Cloudflare’ is closed to new replies.