    22 min mhfh research 2026-05-16

    The WAF Bypass Playbook: Silencing Cloudflare and Wordfence

    Master the art of the ghost strike. Learn how to uncover origin IPs, spoof headers, and utilize ISP proxy networks to bypass Cloudflare and Wordfence firewalls.

    $ cat snippet_waf-bypass-playbook.sh
    curl -H 'X-Forwarded-For: 127.0.0.1' https://target.com/wp-login.php

    Understanding the Adversary: Cloud vs. Endpoint

    Before you can bypass a firewall, you must classify it. WAFs generally fall into two distinct architectural categories, and the evasion strategy differs wildly for each.

    The Cloud Reverse Proxy (e.g., Cloudflare, Akamai, Sucuri)

    These firewalls sit completely outside the target's network. When a user navigates to a domain, their DNS request resolves to the proxy's IP, not the actual WordPress server. The proxy analyzes the request, scrubs it for malicious signatures, and then forwards the "clean" traffic to the hidden origin server.

    • The Goal: Find the origin IP and bypass the cloud proxy entirely.

    The Endpoint WAF (e.g., Wordfence, iThemes Security)

    These firewalls are installed directly on the WordPress server, usually as a plugin. They intercept the HTTP request after it reaches the server but before WordPress core processes it.

    • The Goal: Manipulate HTTP headers and behavioral timing to trick the plugin into classifying your malicious traffic as trusted or internal.

    Uncovering the Origin IP

    If a target is behind a reverse proxy like Cloudflare, the most effective WAF bypass is to walk around it. If you can discover the true IP address of the backend server hosting the WordPress installation, you can send your WPScan or Nuclei payloads directly to that IP, negating Cloudflare's rulesets entirely.

    Mining Historical DNS Data

    Administrators often set up their WordPress server on a direct IP during the development phase, only routing traffic through Cloudflare right before launch.

    Because DNS is a public record, this history is archived. By utilizing historical DNS tools, you can query the historical A-records for the target domain. If you find an IP address from months ago that belongs to a standard hosting provider rather than Cloudflare, you likely have the origin.

    Interrogating SSL Certificates

    Even if the HTTP traffic is routed through Cloudflare, the origin server itself must possess an SSL certificate to communicate securely with the proxy.

    Search certificate databases for the target's exact SSL certificate hash or Subject Alternative Name (SAN). Often, the origin server will respond to crawlers directly, revealing its true IPv4 address alongside the target's certificate.
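The two passive sources above (historical A-records and certificate-database hits) are exactly what a site owner should audit before and after cutting over to a proxy. The following is an added example, not code from the original post: it takes an export of such records and flags every address that lies outside the proxy's published ranges, i.e. a candidate origin exposure. The record field names are an assumption of this example, and the range list is a subset of Cloudflare's published IPv4 ranges; fetch the authoritative list from https://www.cloudflare.com/ips-v4 in practice.

```python
import ipaddress
from typing import Iterable

# Assumption: illustrative subset of Cloudflare's published IPv4 ranges.
# Load the current list from https://www.cloudflare.com/ips-v4 in production.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
    "172.64.0.0/13", "162.158.0.0/15", "141.101.64.0/18", "108.162.192.0/18",
    "198.41.128.0/17", "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22",
    "131.0.72.0/22",
)]

def is_proxy_ip(ip: str, proxy_nets=CLOUDFLARE_V4) -> bool:
    """True if the address lies inside one of the reverse proxy's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in proxy_nets)

def find_origin_leaks(records: Iterable[dict], proxy_nets=CLOUDFLARE_V4) -> list:
    """Return every record whose address is NOT one of the proxy's.

    Each record is {"source", "name", "ip", "seen"} as a historical-DNS or
    certificate-crawler export might provide (field names are an assumption).
    A hit from a hosting provider's range means the origin has been, or still
    is, reachable without going through the proxy.
    """
    leaks = []
    for rec in records:
        try:
            if not is_proxy_ip(rec["ip"], proxy_nets):
                leaks.append(rec)
        except ValueError:
            continue  # malformed address: skip it rather than abort the audit
    return leaks

# Constructed sample export: two current proxy records, one stale pre-launch
# A-record and one certificate crawler that reached the origin directly.
SAMPLE_RECORDS = [
    {"source": "dns-history", "name": "example.com", "ip": "104.16.22.33", "seen": "2026-04-01"},
    {"source": "dns-history", "name": "example.com", "ip": "203.0.113.42", "seen": "2025-11-14"},
    {"source": "ct-crawler", "name": "example.com", "ip": "203.0.113.42", "seen": "2026-05-02"},
    {"source": "dns-history", "name": "www.example.com", "ip": "172.67.8.9", "seen": "2026-03-20"},
]

if __name__ == "__main__":
    for leak in find_origin_leaks(SAMPLE_RECORDS):
        print(f"origin exposure: {leak['name']} -> {leak['ip']} via {leak['source']} ({leak['seen']})")
```

A clean audit only proves the address is not published; the origin should still reject connections that do not arrive from the proxy's ranges.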

    Triggering Outbound Server Connections

    If passive intelligence fails, you can force the WordPress server to reveal itself. This requires finding a function within the WordPress application that causes the server to fetch external data.

    • Pingbacks/Trackbacks: If XML-RPC is enabled, you can send a pingback request pointing to a server you control. The origin server will reach out to your listener, leaving its true IP address in your access logs.
    • Malicious SSRF (Server-Side Request Forgery): Outdated image compression plugins or PDF generators often fetch remote URLs. Feeding them a Webhook URL allows you to capture the origin's footprint.

    Header Manipulation and Spoofing

    If you are facing an endpoint WAF like Wordfence, or if the origin IP is completely locked down to only accept Cloudflare IP ranges, you must bypass the firewall by exploiting its trust relationships.

    Endpoint WAFs rely heavily on HTTP headers to track user sessions, identify client IP addresses, and enforce rate limits. By injecting or manipulating specific headers, you can often evade these controls.

    Exploiting the X-Forwarded-For Trust

    When a reverse proxy forwards traffic to WordPress, it adds the X-Forwarded-For (XFF) header to tell the server the original user's IP address. Many endpoint WAFs blindly trust this header.

    Spoofing this header with a different value on each request sidesteps IP-based lockouts.

    $ cat output.http
    X-Forwarded-For: 1.1.1.1

    Spoofing Trusted Internal Infrastructure

    Some WAF configurations explicitly whitelist requests originating from the local loopback address or internal network ranges.

    Inject the following headers into your payload requests:

    • X-Originating-IP: 127.0.0.1
    • X-Remote-IP: 127.0.0.1
    • X-Host: localhost
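The trust failure described in the last two sections has one root cause: the WAF reads the client address from a header anyone can set. The following is an added example, not code from the original post, showing how a plugin or middleware should derive the client address instead: X-Forwarded-For is honoured only when the TCP peer is one of our own proxies, the chain is walked from the proxy-appended end, and the X-Originating-IP / X-Remote-IP / X-Host family is never consulted, only flagged. The proxy ranges are constructed for the example.

```python
import ipaddress

# Assumption: constructed proxy ranges for the example. In production load the
# reverse proxy vendor's published address list and keep it updated.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Client-settable headers that carry no authority from anyone. A WAF that reads
# its "client IP" from these lets any sender claim to be localhost or internal.
UNTRUSTED_IP_HEADERS = ("x-originating-ip", "x-remote-ip", "x-remote-addr",
                        "x-client-ip", "x-real-ip", "x-host")

def is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)

def resolve_client_ip(peer_ip: str, headers: dict):
    """Return (client_ip, spoof_suspected).

    X-Forwarded-For is consulted only when the TCP peer is one of our proxies.
    The chain is walked from the right (the end our proxy appended) past any
    trusted hops; the first address we did not add ourselves is the client.
    Anything the client put into the header before that is ignored, so an
    injected 127.0.0.1 never becomes the lockout or allowlist key.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    spoof = any(h in hdrs for h in UNTRUSTED_IP_HEADERS)
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted_proxy(peer):
        # Direct connection: the peer is the client and any XFF it sent is forged.
        return str(peer), spoof or "x-forwarded-for" in hdrs
    chain = [h.strip() for h in hdrs.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer), True  # malformed entry: treat the request as hostile
        if not is_trusted_proxy(addr):
            return str(addr), spoof
    # Empty chain, or every hop was our own proxy: fall back to the peer address.
    return str(peer), spoof
```

The `spoof_suspected` flag is what a detection rule should alert on: legitimate browsers never send these headers, so their presence on a login request is a reliable signal of tooling.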

    Masquerading as a Search Engine

    Firewalls rarely block Google. Change your scanner's user agent to match the official Googlebot or Bingbot strings. While enterprise WAFs will verify the claim with a reverse DNS lookup, many budget endpoint firewalls will simply wave the traffic through.

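The reverse DNS check mentioned above is only sound when it is forward-confirmed, because anyone can put "googlebot" in the PTR record of an address they control. The following is an added example, not code from the original post, of the two-step verification a WAF should apply before granting a crawler exemption. The vendor parent domains are an assumption taken from the vendors' crawler documentation; the resolver functions are injectable so the test runs offline with constructed records.

```python
import socket

# Assumption: parent domains the vendors publish for reverse-DNS verification of
# their crawlers; confirm against their current documentation before relying on it.
CRAWLER_DOMAINS = {
    "Googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}

def claimed_crawler(user_agent: str):
    """Return the crawler name the User-Agent claims to be, or None."""
    ua = user_agent.lower()
    for name in CRAWLER_DOMAINS:
        if name.lower() in ua:
            return name
    return None

def verify_crawler(ip: str, user_agent: str, reverse_lookup=None, forward_lookup=None):
    """Return (claimed_name, verified).

    Step 1: reverse-resolve the source IP and require the hostname to sit under
    the vendor's domain. Step 2: forward-resolve that hostname and require the
    original IP to be among the answers. Step 2 is what defeats an attacker-
    controlled PTR record that merely mentions the vendor's name.
    reverse_lookup(ip) -> hostname and forward_lookup(host) -> [ip, ...] default
    to the system resolver; tests inject fakes so this runs offline.
    """
    reverse_lookup = reverse_lookup or (lambda a: socket.gethostbyaddr(a)[0])
    forward_lookup = forward_lookup or (lambda h: socket.gethostbyname_ex(h)[2])
    name = claimed_crawler(user_agent)
    if name is None:
        return None, False  # not claiming to be a crawler: nothing to exempt
    try:
        host = reverse_lookup(ip).rstrip(".").lower()
        if not host.endswith(CRAWLER_DOMAINS[name]):
            return name, False
        return name, ip in forward_lookup(host)
    except OSError:  # no PTR record, NXDOMAIN or timeout: the claim stays unverified
        return name, False
```

A User-Agent that claims a crawler but fails verification deserves the opposite of an exemption: it is one of the cleanest scanner signals a WordPress log can offer.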
    Behavioral Camouflage and Proxy Networks

    When facing a highly tuned, modern enterprise WAF, header spoofing is insufficient. Behavioral analysis engines monitor the cadence, volume, and geographical distribution of your HTTP requests.

    The Necessity of High-Fidelity ISP Proxies

    To sustain large-scale tactical audits, you must transition away from cheap datacenter proxies and integrate dedicated ISP proxy subscriptions. These use residential IP addresses assigned by real consumer internet service providers.

    Desynchronizing the Attack Cadence

    Automated tools are mathematically predictable. To achieve true behavioral camouflage, you must introduce jitter (randomized delays) into your tooling.

    • Instead of a fixed 10 requests per second, configure your scanner to randomize between 2 and 15 requests per second, with a 300 ms to 1200 ms delay between requests.
    • Combine this jitter with your ISP proxy rotation.

    The End of Phase 2

    You have mapped the perimeter. You have identified the zero-days. You have discovered the custom logic flaws. And now, you have slipped through the defensive firewalls undetected.

    The reconnaissance is over. The analysis is complete.

    You are now standing inside the perimeter with a weaponized payload and a direct line of sight to the vulnerable WordPress core. In the next phase of this methodology, we transition from finding the holes to stepping through them. We move to Phase 3: Exploitation.
