How to Block Spam Requests on My Railway Project?

Asked By SillyGalaxy42 On

I'm hosting a project on Railway, and I'm having a tough time with spam bot and vulnerability scanner requests targeting my API endpoints. These requests come in regularly, often multiple times a day, and they're clearly looking for vulnerabilities. My error logs are filled with entries like requests for non-existent files, including common WordPress paths and sensitive files like .git and backup.zip. I've tried setting up a Cloudflare Web Application Firewall (WAF) in front of my services, but it doesn't seem to be working as expected. I'm wondering how I can effectively block or filter these kinds of requests before they reach my app. Is Cloudflare the best solution, or should I look into other options like Railway settings, middleware, rate limiting, or custom firewall rules?

4 Answers

Answered By FirewallGuru On

Yep, those are typical bot scans. Cloudflare can block a lot if you set up custom firewall rules, specifically for paths like `/wp-*`, `/.git`, and `backup.zip`. It's also wise to implement rate limiting for unusual requests. If some still slip through, adding middleware in your Railway app could help filter them out early on. Seems like Cloudflare is solid, just needs some fine-tuning on the rules.

OnTheRightTrack14 -

I think this is the strategy I'll go for!

Answered By TechSavvy123 On

To really tackle this, you'll want to tweak your Cloudflare WAF settings to ban those paths one by one. It might feel like a hassle, but you can also modify your app to detect those requests and handle them in a way that doesn't just send a basic 404 response. Honestly, you can't completely stop these bots, but you can definitely slow them down or not respond at all, which can be a fun strategy.

RealityCheck789 -

It's wild how this issue hasn't been completely fixed yet, even in 2025!

Answered By ChallengeMaster77 On

For one of our high-traffic sites, we set up a managed challenge for requests outside our normal user locations. This significantly reduced bot requests—like, from 80k to 200k requests a day down to hardly any. Just a thought if you have higher traffic volumes.

ExcitedExplorer22 -

That's an interesting tactic! I think I'll give it a try!

Answered By ServerWhisperer On

First off, get ready to accept that these requests are just part of hosting, especially with WordPress. You should optimize your server so that it doesn’t waste resources responding to these zip file requests. If your stack allows it, consider using a tool like fail2ban to block IPs after a few failed attempts, especially for things like brute force attempts on wp-login.php.

CuriousUser33 -

I'm not even using WordPress, so I'm surprised these requests show up!
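As an added example (not code from any of the answers above), here is how FirewallGuru's "middleware in your Railway app" suggestion and ServerWhisperer's "don't waste resources on these requests" point can be combined in an Express-style Node.js middleware: probe paths are recognised from the patterns mentioned in the thread (`wp-*`, `.git`, `backup.zip`), answered with an empty response before any route handler or database work runs, and clients that keep probing inside a time window get a 429 instead. The pattern list, the limit of 5 hits per minute and the `203.0.113.5` style test addresses are assumptions chosen for illustration.

```javascript
// Patterns for paths that no legitimate client of this (non-WordPress) API
// requests. Assumed for the example; trim or extend them to fit your own app
// (e.g. drop the archive rule if you actually serve .zip downloads).
const SCANNER_PATTERNS = [
  /^\/wp-/i,                    // WordPress paths: wp-login.php, wp-admin, ...
  /(^|\/)\.git(\/|$)/,          // exposed repository metadata
  /(^|\/)\.env$/i,              // dotenv secrets
  /\.(zip|tar\.gz|sql|bak)$/i,  // backup archives and database dumps
];

// Decide from the raw request URL whether this looks like a scanner probe.
function isScannerPath(url) {
  // Strip the query string, collapse duplicate slashes, decode %XX escapes so
  // that "/%2e%2e/.env" is judged on its decoded form.
  let p = url.split('?')[0].replace(/\/{2,}/g, '/');
  try { p = decodeURIComponent(p); } catch (_) { /* keep raw if malformed */ }
  return SCANNER_PATTERNS.some((re) => re.test(p));
}

// Build the middleware. `now` is injectable so the window logic can be tested
// without waiting; `limit` probes within `windowMs` escalate 404 -> 429.
function createScannerFilter({ limit = 5, windowMs = 60_000, now = Date.now } = {}) {
  const hits = new Map(); // client address -> timestamps of recent probes

  // Record a probe for `ip` and return how many fall inside the window.
  function recordHit(ip) {
    const t = now();
    const recent = (hits.get(ip) || []).filter((ts) => t - ts < windowMs);
    recent.push(t);
    hits.set(ip, recent);
    return recent.length;
  }

  // Express-compatible signature: (req, res, next).
  function middleware(req, res, next) {
    if (!isScannerPath(req.url)) return next(); // normal traffic passes through
    const ip = req.ip || (req.socket && req.socket.remoteAddress) || 'unknown';
    const count = recordHit(ip);
    // Empty body, no template rendering, no DB lookup: the cheapest answer.
    res.statusCode = count > limit ? 429 : 404;
    res.end();
  }

  return { middleware, recordHit };
}

if (typeof module !== 'undefined') {
  module.exports = { SCANNER_PATTERNS, isScannerPath, createScannerFilter };
}
```

Mount it before your routers with `app.use(createScannerFilter().middleware)`; if Cloudflare sits in front, read the client address from the proxy headers rather than the socket, or the counter will see only Cloudflare's edge addresses.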
