Help! Wordfence is Blocking Cloudflare!

Jul 25, 2023 | WordPress, Web Development

Are you noticing availability issues with your uptime monitoring solution? Do customers report your website is down, even though it works fine for you? If you are using WordPress, Wordfence, and Cloudflare it could be that Wordfence is blocking Cloudflare!

Understanding the roles WordFence and Cloudflare play in WordPress Security

WordPress is a convenient platform for bots and hackers to attack

As you know, WordPress is often a victim of circumstance in the web world. Its huge success as the CMS of choice means there are numerous targets with well-documented security flaws. And let’s face it, we’re creatures that will often put off WordPress maintenance and updates to spend time on the issues screaming at us instead of the quiet little website that still seems to work just fine in the background.

Web Application Firewalls like Wordfence are frequently used to improve the security of WordPress sites

One common approach that web developers will take to protect WordPress is to use a Web Application Firewall, like Wordfence. It’s hugely popular, and even the free version is quite powerful. This plugin monitors visitor traffic and sniffs out the signature(s) of a WordPress attack. If it detects a computer executing a brute force password attack, exploiting common documented vulnerabilities, or even connecting with commonly exploited WordPress usernames, Wordfence can ban that IP address from further connections to foil the malicious intent.

There are other popular WordPress firewalls out there. I just happen to prefer and use Wordfence, and with more than 4 million installations out there, so do many other WordPress admins. But if you come here and use a different WAF, you might well find similar functionality in your solution. Just seek to apply the same concept to the solution you already have in place.

Cloudflare is used to improve website performance and increase website security

Cloudflare is a great freemium service that is often put in place to optimize the speed and security of your WordPress website.

Some common advantages offered by Cloudflare include:

  • Fantastic DNS Services – They’re fast and they offer an API to integrate DNS with other platforms on the web like web hosting control panels.
  • Low Cost Domain Registrations – Supposedly Cloudflare offers domains at wholesale cost. I have no idea if it’s true or not, but I can say they offer the lowest rates that I have seen.
  • Proxy Service – This is a key feature of Cloudflare. They sit in between your visitor and your website. It allows them to tweak the user experience in many ways:
    • Intelligent Traffic Routing – Cloudflare’s network is ultra-high performance. They’re essentially offering your visitor an express lane.
    • Content Delivery Network – Cloudflare will cache website assets around the world and serve them directly to the visitor. Once again, a big speed improvement!
    • Eliminate Bots and Hackers – If configured properly, Cloudflare can identify an attacker and remove their site access at the network layer. If an attack is especially bad, turn on Bot Fight Mode and Cloudflare will start issuing those annoying Challenges. While an unpleasantry for users, it’s much better than suffering downtime from a Denial of Service Attack.
    • Origin Verification – You can get an SSL certificate direct from Cloudflare and install it on your web server. If your server’s certificate doesn’t match what Cloudflare expects, it can cut off communication with your server entirely.

As you can see, when Cloudflare is the proxy and it happens to carry traffic to your website that violates a firewall rule, the Cloudflare IP address it came through can earn a temporary ban. But it wasn’t really Cloudflare attacking your site; it was somebody else who happened to be using the expressway. Now everybody else using that Cloudflare IP address is blocked as well. This is often the root cause of site availability problems.

Diagnosis: See if Wordfence is blocking Cloudflare IP Addresses

If your web stack and your client issues match this scenario, first go to your Wordfence Firewall page (Wordfence > Firewall) and look to see what IP addresses are getting banned.

Notice how close these IP addresses are? Chances are they are owned by the same company!

Some clues that I was able to pick up from this list:

  • The IP addresses are in two close ranges. Chances are each range is controlled by the same company. Both ranges might also be controlled by the same company.
  • The attacks are coming from the United States. Most hackers will attack across international boundaries as a form of legal protection. Seeing only US IPs is pretty unusual.

Knowing that Cloudflare is a part of this web solution, I referenced Cloudflare’s list of IP addresses and saw they were also appearing on my banned list. Aha!

Remediation: Configure Wordfence to use the visitor IP Addresses provided by Cloudflare

Web traffic from Cloudflare is sent with a header called CF-Connecting-IP. This carries the actual IP address that made the request to your website, and it is the IP address responsible for the naughty behavior. It’s not Cloudflare’s fault; they just provide the expressway. But if Wordfence isn’t configured properly, it will treat the Cloudflare IP address as the offender and issue the ban accordingly.

Telling Wordfence to use the CF-Connecting-IP header information is quite easy, if you know what you are looking for. Unfortunately, where you need to go is buried in the plugin interface. Go to Wordfence > All Options > General Wordfence Options (it’s an accordion).

Check the appropriate box, and you should see the Detected IP(s) change from a Cloudflare IP address to your actual IP address. You can verify your IP address using any number of services. I’ve used IP Chicken for years.

If you have properly diagnosed your problem as Wordfence blocking Cloudflare traffic, you should see your availability problems disappear, and you’ll also notice that your list of banned IP addresses becomes more diverse over the next 24 hours.

Travis Fisher

Travis is Inacom’s Executive Vice President, tasked with assisting customers with their web based marketing initiatives. He’s kinda famous for his BBQ. He lives in Easton, MD with his amazing wife, two kids, and two dogs.
