Bot protection shouldn’t block WooCommerce mobile app
-
Greetings, Sensei,
I love this plugin. Everything except for the admin_menu “icon” (nf_icon.png) which should be a simple graphic SVG to match every other admin menu item. Anyway, unfortunately, two great NF features must be disabled in order to use the WooCommerce mobile app:
- Firewall Policies > Protect admin-ajax.php against bots
- Login Protection > Enable bot protection
I determined this after seeing the following entries in the Firewall Log:
23/Sep/25 23:00:29 #5444605 MEDIUM – 73.217.86.71 POST /wp-login.php – Blocked access to the login page – [bot detection is enabled] – http://www.sapientstews.com
23/Sep/25 23:01:28 #7850489 MEDIUM – 73.217.86.71 GET /wp-admin/admin-ajax.php – Blocked access to admin-ajax.php – [bot detection is enabled] – http://www.sapientstews.com

I don’t have the Jetpack plugin installed (good riddance), so I’m using the “Sign in with store credentials” option when logging in via the Woo mobile app. Upon entering a username and password, I click Continue, at which point the wp-login.php block is triggered. The app then suggests creating an application password as an alternative login method, and attempting this alternative is what triggers the admin-ajax.php block.

Would you be willing to update your bot protection logic to allow the WooCommerce mobile app?
In case this helps, here’s how I was able to successfully protect my login page in Cloudflare while allowing mobile app logins:
(http.request.uri.path contains "/wp-login.php" and not http.user_agent contains "WooCommerce" and not http.user_agent contains "WordPress" and not http.user_agent contains "wc-android" and not http.user_agent contains "wc-ios") or (http.request.uri.path contains "/my-account/") or (http.request.uri.path contains "/checkout/") or (http.request.uri.query contains "wc-ajax=checkout") or (http.request.uri.path contains "/contact" and not http.request.uri.path contains ".")

Essentially my Cloudflare rule says to show a Managed Challenge if the URI Path contains “/wp-login.php” and the User Agent does not contain “WooCommerce”, “WordPress”, “wc-android”, or “wc-ios”. I’m using the mobile app on iOS, but my rules are also tested and working on Android.
On the PHP side of things, I had to modify my login_redirect action in order to see the application password alternative:

// Upon logging in, redirect shop_manager to Inventory, kitchen_staff to Orders, and accountant to Analytics
function my_login_redirect( $redirect_to, $request, $user ) {
    // Leave REST and AJAX logins alone so the app's own flow is not redirected.
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        return $redirect_to;
    }
    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
        return $redirect_to;
    }
    // Same user-agent allowlist as the Cloudflare rule above.
    $user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if ( strpos( $user_agent, 'WooCommerce' ) !== false || strpos( $user_agent, 'WordPress' ) !== false
        || strpos( $user_agent, 'wc-android' ) !== false || strpos( $user_agent, 'wc-ios' ) !== false ) {
        return $redirect_to;
    }
    if ( isset( $user->roles ) ) {
        if ( in_array( 'shop_manager', $user->roles ) ) {
            return admin_url( 'admin.php?page=woocommerce-inventory' );
        } else if ( in_array( 'kitchen_staff', $user->roles ) ) {
            return admin_url( 'admin.php?page=wc-orders' );
        } else if ( in_array( 'accountant', $user->roles ) ) {
            return admin_url( 'admin.php?page=wc-admin&path=/analytics/overview' );
        }
    }
    return $redirect_to;
}
add_filter( 'login_redirect', 'my_login_redirect', 10, 3 );

FYI, I don’t really use the WordPress or Jetpack mobile apps, but it’s possible those are also blocked.
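Added example, not from the original post or from the plugin: a Python parser for the Firewall Log layout quoted above that flags IPs showing the wp-login.php bot-block followed shortly by the admin-ajax.php bot-block, the two-step pattern the app's login attempt produces. The sample lines, IPs, entry ids and site name are constructed placeholders, and the 5-minute window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the same layout as the Firewall Log quoted in the post
# (IPs, ids and site are placeholders, not values from a real log).
SAMPLE_LOG = """\
23/Sep/25 23:00:29 #1000001 MEDIUM – 203.0.113.5 POST /wp-login.php – Blocked access to the login page – [bot detection is enabled] – http://shop.example
23/Sep/25 23:01:28 #1000002 MEDIUM – 203.0.113.5 GET /wp-admin/admin-ajax.php – Blocked access to admin-ajax.php – [bot detection is enabled] – http://shop.example
23/Sep/25 23:40:02 #1000003 MEDIUM – 198.51.100.9 POST /wp-login.php – Blocked access to the login page – [bot detection is enabled] – http://shop.example
24/Sep/25 08:15:00 #1000004 MEDIUM – 198.51.100.9 GET /wp-admin/admin-ajax.php – Blocked access to admin-ajax.php – [bot detection is enabled] – http://shop.example
"""

HEAD_RE = re.compile(r"^(\d{2}/\w{3}/\d{2} \d{2}:\d{2}:\d{2}) #(\d+) (\w+)$")
REQ_RE = re.compile(r"^(\S+) ([A-Z]+) (\S+)$")


def parse_line(line):
    """Split one log line on ' – ' into a dict; return None if it does not fit the layout."""
    parts = line.strip().split(" – ")
    if len(parts) != 5:
        return None
    head, req, message, reason, site = parts
    h, r = HEAD_RE.match(head), REQ_RE.match(req)
    if not (h and r):
        return None
    return {
        "time": datetime.strptime(h.group(1), "%d/%b/%y %H:%M:%S"),
        "id": h.group(2), "level": h.group(3),
        "ip": r.group(1), "method": r.group(2), "path": r.group(3),
        "message": message, "reason": reason.strip("[]"), "site": site,
    }


def app_login_candidates(log_text, window=timedelta(minutes=5)):
    """Return IPs whose wp-login.php bot-block is followed within `window` by an
    admin-ajax.php bot-block, i.e. the login-then-application-password sequence."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["reason"] == "bot detection is enabled":
            by_ip[rec["ip"]].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        for a, b in zip(recs, recs[1:]):
            if (a["path"].endswith("/wp-login.php") and b["path"].endswith("/admin-ajax.php")
                    and b["time"] - a["time"] <= window):
                hits.append(ip)
                break
    return hits
```

Entries matching the pattern are candidates for a legitimate app login; everything else blocked for the same reason is unaffected, so the list narrows what an admin has to review rather than loosening the firewall.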