Rant, Cloudflare Bot Fight Mode doesn’t provide firewall bypass or whitelist?

Cloudflare Bot Fight Mode….

So my rant today is directed at Cloudflare. Why? Because they really kinda pissed me off here

There is a feature under all Cloudflare plans called “Bot Fight Mode” which is supposed to help with blocking bots or automated attacks. For instance, if you suffer from card testing attacks.

The problem

Zapier

But here’s the problem, what if Cloudflare thinks Zapier is a bot? Or the origin IP address of the DNS record, aka your server. You’re screwed unless you have an enterprise plan.

The Cloudflare firewall only comes into play after Bot Fight Mode and before the IP Access Rules. So you can add the origin IP Address of your server to the IP Access Rules and bypass Bot Fight Mode. However for Zapier, since they’re on AWS that could mean allow all of AWS. Which is a huge network, and attacks can originate from AWS.

Ideally, you would put in a firewall rule to allow the Zapier endpoint *wc-zapier* to bypass the Bot Fight Mode. But you can’t.

Manual WordPress Cron via URL

If you have a large site, or just looking to change how often the WordPress cron runs. You might have set the WordPress cron to run manually versus automatically. To do this you have two options, one of them is by visiting the WordPress cron URL. This method is blocked by Cloudflare, even if the request comes from the origin servers IP Address.

Solutions and Support

There’s lots of talk on the Cloudflare community forums.

Submit service to Cloudflare for Review

If you have a bot or automation software like Zapier, you can submit it to Cloudflare to be whitelisted. As per this FAQ article.

What is cf.bot_management.verified_bot?

I’ve submitted Zapier so we’ll see what happens!

Using Cloudflare IP Access Rules

You can add the service providers’ IP’s to the “IP Access Rules” under Firewall->Tools. This works if you know the IP range of the service provider affected. However, not all service providers provide this information and you’ll have to keep it up to date.

Other Affected Software

I’ve compiled a list of software that is affected by Cloudflare’s Bot Fight Mode.

Updates

  • 09/11/2021 – added Markup.io thanks to Joe Fletcher at fletcherdigital.com also added section discussing manual WordPress cron via URL.
  • 11/03/2021 – added setcronjob.com thanks to Dave.
  • 11/03/2021 – added Cloudflare IP Access Rules solution.
10 Shares:
You May Also Like