Support » Plugin: Wordfence Security - Firewall & Malware Scan » Wordfence has blocked Cloudflare IP address

  • Resolved
    Debashish (@silumant)


    Hello, I am using the latest version of Wordfence on all my websites, including my development website, for testing purposes. I am using InMotion Hosting + Cloudflare CDN. The problem I have found is on my testing website. Here I found that Wordfence has blocked 4 Cloudflare IP addresses: 162.158.59.143, 172.68.46.72, 162.158.58.28, 172.68.46.36. When I check my live traffic blocked report, I found them blocked with the reason “blocked by firewall for Directory Traversal in query string”. I am also using the WP Rocket cache plugin. This is the screenshot: (screenshot: Wordfence)

    Please tell me what to do. I think I will either whitelist these IPs by clicking “Whitelist param from firewall” in the live traffic option, OR re-enable the learning mode of the firewall.

Viewing 15 replies - 1 through 15 (of 20 total)
  • Hi,
    Both solutions you mentioned are fine, and some users find whitelisting Cloudflare’s IP ranges handy.

    Thanks.

    Have you tried installing Mod_Cloudflare on your server? This will rewrite your visitor IPs to be your actual end-user IP addresses, so Cloudflare works transparently.

    Hello @icyapril, my hosting provider (InMotion Hosting) does not allow installing Mod_Cloudflare on shared hosting. They only allow it on VPS/dedicated plans.

    Hello @silumant,

    You can use Cloudflare’s WP plugin: https://wordpress.org/plugins/cloudflare/
    Read more about it here: https://blog.cloudflare.com/introducing-the-cloudflare-wordpress-plugin/

    It will restore the original visitor IP and works well with WordFence.

    Hope this helps.

    Regards
    Shadi

    • This reply was modified 2 years, 8 months ago by  Shadi Habbal.

    Hello @kerpanic, thanks for the reply. I was using this plugin to support Cloudflare Flexible SSL, but it was replaced by the Flexible Cloudflare plugin and the Cloudflare option in WP Rocket, so I uninstalled it.

    Also, I was facing this issue on my test websites, which are password protected most of the time. I observed that it was happening due to incomplete firewall rules by Wordfence when my websites are password protected. After I whitelisted these IPs, I was no longer facing the problem on my test websites.

    Dear @kerpanic, can you tell me how I can know whether my websites’ logs are reflecting Cloudflare’s IP address instead of the original IP address? If that is happening, does it reflect in Google Analytics reports too?

    Hello @wfalaa, after I whitelisted the IP addresses, it is solved. But I am still seeing the blocked IP address statistics in the dashboard, which I guess should be removed as I have whitelisted them.

    Also, when I checked my options for banned IP addresses, I cannot find these. I tried to clear all IP addresses; these statistics are still on the dashboard.

    So please tell me how to remove them.

    Hello,

    Most likely yes, unless Google Analytics resolves the CF headers. But I can’t say for sure.

    Wordfence Live Traffic should also display Cloudflare’s IPs, IMHO.

    As for the blocked IPs, the block is most likely temporary, hence you couldn’t find them in the blocked IPs list. The stats are most likely a snapshot in time of what has happened so far, not a live update.

    Hello @kerpanic, currently my Wordfence live traffic is disabled (as it is server hungry). But I remember that when I enabled it for some days, it was showing the real IP addresses of visitors. So if this is happening, do I need the Cloudflare plugin to restore the original visitor IP?

    Also, do you know how to remove these blocked IP statistics from my dashboard?

    Thanks.

    @silumant these IPs are blocked temporarily for the time you set in (Wordfence > Firewall => Rate Limiting => How long is an IP address blocked when it breaks a rule), which explains why you can’t see them now.

    Also, the screenshot you shared shows the dashboard widget, which uses the data stored in the “wp_wfBlockedIPLog” database table; if you truncate this table through any database management tool (phpMyAdmin, for example), you will get rid of the data in this widget.

    Thanks.

    @wfalaa

    Please describe whether it is possible to whitelist Cloudflare’s IP ranges, when at least one of the ranges is this in CIDR: 104.16.0.0/12

    That is over one million IP addresses (1,048,576 to be exact), going from 104.16.0.0 to 104.31.255.255.

    So, I don’t know, but is this syntax possible to represent a range: 104.[16-31].[0-255].[0-255] ??

    I am just guessing at that. Is that a real way of writing a range that conforms to Wordfence range syntax? If not, then it would not be feasible to whitelist Cloudflare’s IPs.

    • This reply was modified 2 years, 3 months ago by  zzzaaabbb.

    So, I don’t know, but is this syntax possible to represent a range: 104.[16-31].[0-255].[0-255] ??

    Or maybe the correct method for whitelisting Cloudflare IPs is to use the “trusted proxies” section of WF Options, rather than the whitelist section in WF Options?

    CIDRs are allowed in the “trusted proxies” section, so the list of Cloudflare CIDR IPs could simply be copied and pasted?

    Hi @finlanderid
    The “trusted proxies” CIDR ranges will be ignored when Wordfence extracts the IP from the “X-Forwarded-For” header. I don’t think you are using this method to detect IPs on your website, is that right? Could you please share a screenshot showing the (Wordfence > Tools => Diagnostics => IPs) section?

    There is a tool referenced in our docs that should help you translate CIDR formats to ranges; it should be helpful in this case.

    Thanks.

    Thanks for your reply.

    I actually did go ahead and use the trusted proxies section, so that millions of Cloudflare IPs would be ignored in the “X-Forwarded-For” header.

    (screenshot: trusted-proxies)

    The trusted proxies option allows CIDR, so a single CIDR range (104.16.0.0/12) that covers 1 million+ IPs can easily be handled. (But I see that doing so may not be necessary, because the IP in that header is the visitor’s IP, not Cloudflare’s IP. It would only potentially be necessary if the IP in that header were Cloudflare’s IP.)

    Here is the image of the section that you requested:

    (screenshot: wordfence diagnostics IPs)

    Re: my other question:

    I was primarily referring to syntax, for being able to input all of Cloudflare’s IPs in the WF option “Whitelisted IP addresses that bypass all rules.”

    It would not be feasible to input Cloudflare’s IPs in that section, unless this works:

    104.[16-31].[0-255].[0-255]

    If that ^^ does not work in WF, then you would have to do this:

    104.16.0.[0-255]
    ..etc
    ..etc
    104.16.255.[0-255]
    104.17.0.[0-255]
    ..etc
    ..etc
    104.17.255.[0-255]
    ..etc
    ..etc

    ..which is not feasible for the average person to input. It would be 4096 lines.

    (screenshot: bracket-ranges)

    So, all this started with wondering how to get Cloudflare’s IPs input to the WF option “Whitelisted IP addresses that bypass all rules.”

    I saw that WF does allow that type of grouping of range brackets in IPv6, in order to identify larger ranges, so if WF also allows grouping of range brackets for IPv4, i.e., 104.[16-31].[0-255].[0-255], then it would be possible to get all of Cloudflare’s IP addresses into “Whitelisted IP addresses that bypass all rules”?

    (screenshot: cidr-to-ip-range)

    Summary:

    This quest initially started with simply wanting to whitelist Cloudflare’s IPs. Then, I saw that there might be a syntax problem with getting millions of Cloudflare’s IPs input into the WF whitelist option. After that, I saw that I could use Cloudflare’s CIDR range in trusted proxies, but it appears that it’s not needed there, because the “X-Forwarded-For” header is using the visitor’s IP, not Cloudflare’s IP.
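The CIDR-to-bracket question raised above (and first asked for 104.16.0.0/12 earlier in the thread) can be answered mechanically. This is an added example, not code from the thread, from Wordfence or from Cloudflare: under a CIDR mask every octet takes a contiguous set of values, so any IPv4 CIDR collapses to a single bracket-range line rather than the 4096 lines counted above. The three sample ranges are constructed for the example (the /12 from the thread plus two ranges Cloudflare has published; always fetch the current list from https://www.cloudflare.com/ips/ before pasting anything into a whitelist).

```python
import ipaddress


def cidr_to_brackets(cidr: str) -> str:
    """Render one IPv4 CIDR as a single line of Wordfence bracket-range syntax.

    Octets fully inside the prefix stay literal, the octet that the prefix
    boundary falls in becomes [lo-hi], and octets fully outside it become
    [0-255]. One line always suffices because the covered values in every
    octet are contiguous.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits set (a typo)
    if net.version != 4:
        raise ValueError("IPv4 CIDRs only")
    parts = []
    for k, octet in enumerate(net.network_address.packed):
        fixed_bits = min(max(net.prefixlen - 8 * k, 0), 8)  # prefix bits landing in this octet
        span = 1 << (8 - fixed_bits)                        # distinct values this octet can take
        hi = octet + span - 1                               # network_address is already masked
        parts.append(str(octet) if span == 1 else f"[{octet}-{hi}]")
    return ".".join(parts)


def cidr_bounds(cidr: str):
    """First address, last address and address count, as the thread worked out by hand."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1]), net.num_addresses


def whitelist_lines(cidrs):
    """One Wordfence whitelist line per CIDR."""
    return [cidr_to_brackets(c) for c in cidrs]


if __name__ == "__main__":
    # Constructed sample: the /12 from the thread plus two published Cloudflare ranges.
    # Verify against https://www.cloudflare.com/ips/ before relying on them.
    sample = ["104.16.0.0/12", "162.158.0.0/15", "172.64.0.0/13"]
    for cidr, line in zip(sample, whitelist_lines(sample)):
        first, last, count = cidr_bounds(cidr)
        print(f"{cidr:16} {first}-{last} ({count} addresses) -> {line}")
```

For 104.16.0.0/12 this prints exactly the line guessed in the thread, 104.[16-31].[0-255].[0-255], and the bounds 104.16.0.0 to 104.31.255.255 with 1,048,576 addresses. Note what the line means once it is in “Whitelisted IP addresses that bypass all rules”: every request whose resolved IP is Cloudflare's skips the firewall entirely, which is harmless only if the resolved IP is the proxy's own address and not the visitor's.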

    @finlanderid I confirm that the multiple-brackets syntax can be used in the “Whitelisted IP addresses that bypass all rules” text area.

    Sorry if I wasn’t clear enough in my previous reply; what I tried to explain is that “Trusted Proxies” will work only in case the “X-Forwarded-For” header is used and was configured to include both the client IP and the proxy server IP, something like “X-Forwarded-For: 1.1.1.1, 2.2.2.2”, which is not the case on your website.

    Thanks.
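The two mechanisms discussed in this thread, restoring the visitor IP behind Cloudflare (what Mod_Cloudflare and the Cloudflare plugin do) and the trusted-proxies walk over a multi-hop “X-Forwarded-For” header, both rest on one rule: a forwarding header is only believable when the TCP peer that sent it is a proxy you trust. Otherwise any visitor can send a CF-Connecting-IP or X-Forwarded-For header and choose which address gets blocked or rate-limited in their place. The following is an added example of that rule written by the editor; it is not Wordfence's, Mod_Cloudflare's or the Cloudflare plugin's code. The Cloudflare ranges are a constructed subset (the authoritative list is at https://www.cloudflare.com/ips/), the 10.0.0.0/8 internal load balancer is hypothetical, and the sample addresses are documentation ranges.

```python
import ipaddress

# Constructed subset of Cloudflare's published IPv4 ranges; fetch the current
# list from https://www.cloudflare.com/ips/ rather than hard-coding it.
CLOUDFLARE = [ipaddress.ip_network(c) for c in ("104.16.0.0/12", "162.158.0.0/15", "172.64.0.0/13")]
# Hypothetical internal load balancer sitting between Cloudflare and the web server.
INTERNAL_LB = [ipaddress.ip_network("10.0.0.0/8")]


def _parse(ip):
    """Return an ip_address, or None for junk (headers are attacker-controlled text)."""
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None


def is_trusted(ip, trusted):
    """True if ip is a valid address inside one of the trusted networks."""
    addr = _parse(ip)
    return addr is not None and any(addr in net for net in trusted)


def client_ip(remote_addr, headers, trusted):
    """Decide which address to log, rate-limit and block.

    remote_addr: the TCP peer (REMOTE_ADDR). headers: request headers.
    trusted: networks whose forwarding headers we believe.
    Forwarding headers are honoured only when the peer itself is trusted;
    a direct client, or an unknown proxy, gets its own address back.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not is_trusted(remote_addr, trusted):
        return remote_addr                       # headers from an untrusted peer are ignored
    cf = _parse(h.get("cf-connecting-ip", ""))
    if cf is not None:
        return str(cf)                           # Cloudflare's own "real visitor" header
    hops = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    # X-Forwarded-For: client, proxy1, proxy2 ... Walk from the right, dropping
    # trusted proxies; the first untrusted hop is the client. Anything an
    # attacker prepends on the left is never reached.
    for hop in reversed(hops):
        if _parse(hop) is not None and not is_trusted(hop, trusted):
            return hop
    return remote_addr                           # nothing usable: fall back to the peer


if __name__ == "__main__":
    # The four addresses the thread saw blocked all fall inside the sample ranges.
    for ip in ("162.158.59.143", "172.68.46.72", "162.158.58.28", "172.68.46.36"):
        print(ip, "is Cloudflare:", is_trusted(ip, CLOUDFLARE))
    # Genuine Cloudflare hop: the header is honoured.
    print(client_ip("162.158.59.143", {"CF-Connecting-IP": "203.0.113.5"}, CLOUDFLARE))
    # Same header sent directly by a visitor: ignored, the peer is blocked instead.
    print(client_ip("198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"}, CLOUDFLARE))
    # Two-hop chain, the "1.1.1.1, 2.2.2.2" shape from the thread, behind an internal LB.
    print(client_ip("10.0.0.9", {"X-Forwarded-For": "203.0.113.5, 172.68.46.72"}, CLOUDFLARE + INTERNAL_LB))
```

The first two calls show why the Cloudflare plugin's restoration is safe only because it checks the peer against Cloudflare's ranges: with the check in place the spoofed header from 198.51.100.7 is discarded, and 198.51.100.7 itself is what Wordfence would block. The last call is the case wfalaa describes, where the header carries both the client and an intermediate proxy; adding Cloudflare's CIDRs to “trusted proxies” is what lets the walk skip 172.68.46.72 and land on the visitor.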

  • The topic ‘Wordfence has blocked Cloudflare IP address’ is closed to new replies.