Rob - 5StarPlugins / PressWizards

Thanks @matt6303 for your great review. We’ve got more in the works, and we appreciate your support of our dev efforts!

~ Rob

Hi @couponzania thanks for your great review! And the questions, they are good ones to wonder about. We do have some features to allow you full control on the rules, filter them to customize them, or use the simple checkboxes in the Premium version to allow external services and their bot user agents.

Yes, verified bots in Cloudflare’s bot listing should get managed challenge, and the visitor’s browser should pass that invisibly via the Good Bot skip rule… if they are different search engines not listed in Cloudflare’s bot list, you should find those in the Security > Analytics > Events log, and add their IPs or user agents to the Good Bot list.

All others should get Managed Challenge, and most of those are invisible to the user, or at least after the first one, so that is ok too.

Thanks so much @geoffreym for your 5 Star review. Very happy to hear that our plugin is working great for you.

@alx359 Ok v1.0.6 fixes the CF API issue with the new filters, and improved error handling so it gives more specific errors when they occur. Give it a try again.

@matt6303 I think the newly added filters created a bug, it will be fixed momentarily! Sorry about that. Look for an update very soon.

Hi @matt6303, great question! Thanks so much for using the plugin, this new version is much more secure and robust than the old one I put together in just a few hours. Please consider leaving a review here, now that it’s in the repo! It can help others decide on using and trusting a plugin, especially security plugins like this.

Let me start by advising against filtering ASNs… Unblocking or allowing an entire ASN is generally not recommended because ASNs represent large network operators and often contain thousands or even millions of IP addresses. Allowlisting one ASN can unintentionally permit a substantial amount of unrelated, and potentially malicious, traffic, especially when the ASN belongs to a major hosting or cloud provider.

Best practice is to allowlist specific IP addresses (or very small ranges) instead. Adding trusted IPs to the Good Bot Skip rule is the safest approach, because it explicitly exempts only those known addresses while allowing the rest of the ASN to remain subject to your Managed Challenge or Block rules. This keeps your protection layered, targeted, and much lower risk.

With that said, simply adding specific IPs within that ASN or adding the ASN itself to the Good Bots Skip rule will cause it to skip the Block rule, which will do what you want:

add_filter('fivestar_cfwaf_good_bot_expression', function($expression) {
    return $expression . ' or (ip.src.asnum eq 1234)'; // Replace 1234 with your ASN
});
// or ASN list
add_filter('fivestar_cfwaf_good_bot_expression', function($expression) {
    return $expression . ' or (ip.src.asnum in {26496 12345 67890})';
});

But ideally you would just add multiple IPs within that ASN:

add_filter('fivestar_cfwaf_good_bot_expression', function($expression) {
    return $expression . ' or (ip.src in {192.0.2.10 198.51.100.25})';
});

As a coding example, here is how to actually remove an ASN (2468 for example) from the Block expression, and then add it to the Challenge ASN:

// Find and remove from Block rule:
add_filter('fivestar_cfwaf_block_expression', function($expression) {
    if (preg_match('/ip\.src\.asnum\s+in\s+\{([^}]+)\}/', $expression, $matches)) {
        $asns = preg_split('/\s+/', trim($matches[1]));
        $asns = array_diff($asns, ['2468']);
        $newSet = 'ip.src.asnum in {' . implode(' ', $asns) . '}';
        $expression = str_replace($matches[0], $newSet, $expression);
    }
    return $expression;
});

// Add an ASN to the Challenge Rule
add_filter('fivestar_cfwaf_managed_challenge_expression', function($expression) {
    return $expression . ' or (ip.src.asnum in {2468})';
});

Hope that help! In summary, unblocking ASNs is usually not needed or recommended, because you can open up specific IP ranges instead which is best practice, but it can be done using the examples above.

I’ve also updated our WAF Rules Filter Knowledge Base article with these examples as well.

Thanks so much @alx359 we really appreciate your 5 Star review, and using our plugin to better secure all your sites in just a few clicks via Cloud Maestro!

~ Rob

Hi @alx359 thanks for trying our newest plugin!

That is great question… So the rules are supposed to be pretty tight, and Hetzner and a lot of others like Digital Ocean and Vultr are fairly large ASNs that a ton of malicious traffic can come from. The idea is to add those ASNs to the Challenge or Block rules, and then you add specific IPs or User Agents to the first SKIP rule, and you’re typically all good.

If you add an ASN to the Challenge vs the Block rule, I don’t see a big difference because most bots are not going to pass the challenge and so will be blocked anyway… but for your proxy use case, for a user and browser being proxied across, then the challenge rule makes total sense, and you can do it per IP or per User Agent as well, vs an entire ASN, which opens it up often too much, but hey if it works, then you’re still protected from all the others.

The plugin is made to get you to a good starting place across many domains in bulk easily, and then you can go in and still tweak them yourself as needed.

The Premium version adds awesome checkboxes for easy SKIP rule customization to allow services and their user agents or IPs to be allowed through across many domains at once as well, without having to dig into Cloudflare’s rules UI per domain, and I would def recommend the free trial to see how you like it.