How to set up Cloudflare to not block feed and image downloads?#

Why Cloudflare blocks Mergado even with the IP address allowed#

If your online store uses Cloudflare, Mergado (or one of its extensions, such as Feed Image Editor) may fail to download your feed or product images, even if you’ve already added its IP address to the whitelist.

The reason is that Cloudflare may not recognize automated feed downloads as regular traffic, but as suspicious activity, and may block it or show it a security challenge. This is a page like “Just a moment…”, which only a browser with JavaScript can solve — not an automated download. This mainly affects the following Cloudflare features:

  • Bot Fight Mode / Super Bot Fight Mode,
  • Managed Challenge,
  • Browser Integrity Check,
  • Hotlink Protection,
  • Security Level,
  • WAF Managed Rules.

Simply adding the IP address to the older IP Access Rules (whitelist) often doesn’t disable these features. In addition, we’re seeing Cloudflare gradually phase out this option on some accounts, replacing it with the more flexible WAF Custom Rules tool. This guide shows you how to set up a reliable exception for Mergado using it.

Which IP addresses you need to allow#

  • 81.31.39.112 – the IP address Mergado uses to download your input feed.
  • 81.31.39.116 – the IP address used by some extensions that download product images (e.g. Feed Image Editor, Bidding Fox, Pricing Fox, Fox Data+).

If you use other Mergado extensions as well, check their IP address in the article What IP addresses does Mergado and its extensions use?

Step by step: setting up the exception in Cloudflare#

a. Create a new Custom Rule#

  1. Log in to your domain management in Cloudflare.
  2. In the left menu, go to Security → WAF → Custom rules (or just Security rules, depending on your interface version).
  3. Click Create rule.

b. Set the condition for Mergado#

In the “When incoming requests match…” section, set the condition to match both Mergado IP addresses, for example:

(ip.src eq 81.31.39.112) or (ip.src eq 81.31.39.116)

We recommend that you don’t target a specific URI path or HTTP method in the condition. The simpler the condition, the lower the risk of a mistake, and since it only covers two specific trusted IP addresses, it doesn’t reduce security for the rest of your traffic in any way.

Watch out for typos. It’s easy to accidentally add an extra space to a text field (e.g. " /feed.xml" instead of "/feed.xml") or get a digit wrong in an IP address. Such a condition will then never match anything, the rule will never apply, and you’ll end up looking for the problem elsewhere. Always check the final form in the Expression Preview field below the condition.

c. Set the Skip action and check all components#

  1. In the “Then take action…” section, choose the Skip action.
  2. Check all the options under “WAF components to skip”:
    • All remaining custom rules
    • All rate limiting rules
    • All managed rules
    • All Super Bot Fight Mode Rules
  3. Also expand “More components to skip” and check these as well:
    • Zone Lockdown
    • User Agent Blocking
    • Browser Integrity Check
    • Hotlink Protection
    • Security Level
    • Rate limiting rules (Previous version)
    • Managed rules (Previous version)

If even a single item is left unchecked, it can still keep blocking downloads.

d. Place the rule first#

In the “Place at” section, choose to have the rule evaluated first (or right after any other technical rules unrelated to security). Cloudflare evaluates custom rules in order from top to bottom, and once an earlier rule blocks a request or shows it a challenge, your whitelist rule may never even be reached.

If you have other security rules in Cloudflare (e.g. blocking traffic from a specific country, bot protection, etc.), make sure none of them is placed above the Mergado rule.

e. Save the rule#

Click Save. The change usually takes effect within a few seconds to minutes.

What to do if the problem persists even after setting up the rule#

Verify the rule is actually working#

  1. In Cloudflare, go to Security → Events (or Security → Analytics → Events).
  2. Filter events by source IP address (81.31.39.112 or 81.31.39.116).
  3. For a specific event, check the “Matched service” section. It should show Action taken: Skip along with the name of your rule.

If you see a different action instead (e.g. Managed Challenge or Block) and a different rule, it means your whitelist rule didn’t apply at all, and you need to check the condition (step b) or the rule order (step d).

Also check security on the hosting side#

If your online store runs on managed hosting (e.g. Kinsta, WP Engine, and similar services), it may have its own bot protection independent of Cloudflare, which needs to be set up separately. Even after configuring Cloudflare correctly, a request to download the feed or an image may still result in a 403 Forbidden error — this time from the hosting, not from Cloudflare.

In that case, look for a bot protection section (e.g. “Bot protection”) in your hosting administration and add both Mergado IP addresses to the exception list there (often called “Always allow” or similar). For some extensions (e.g. Feed Image Editor), you can also add the user agent it identifies itself with to the exceptions: feedimageeditor/2.0.

How to tell whether Cloudflare or the hosting is blocking the request#

A technical test of the server response can help (e.g. running curl -I on a specific image or feed URL). The key thing to look for is the cf-mitigated: challenge header in the response:

  • If it’s present, the request is being caught by Cloudflare (continue with the steps above).
  • If it’s missing, but the request still results in a 403 error, it’s most likely protection on the hosting side, not Cloudflare.

Headers like server: cloudflare or cf-ray appear on every response that passes through Cloudflare, whether Cloudflare blocks the request or simply forwards traffic on to the hosting, so they alone don’t tell you who blocked the request.

FAQ#

Why isn’t it enough to add Mergado’s IP address to the older whitelist (IP Access Rules)?#

IP Access Rules can let a request through, but they may not disable all the other protections (Bot Fight Mode, Managed Challenge, Browser Integrity Check, etc.) that can still block a feed or image download. It’s more reliable to create a Custom Rule with the Skip action, which explicitly turns off these protections for the given IP addresses.

Do I really need to check every single component under “WAF components to skip”?#

Yes, we recommend checking all of them. The rule only targets two specific, trusted Mergado IP addresses, so this doesn’t reduce your website’s protection against the rest of your traffic. If even a single item is left unchecked, downloads can still keep failing.

I’ve set everything up according to the guide and the feed/images still aren’t downloading. What now?#

In Cloudflare, check the Security → Events section to see which action and which rule Cloudflare actually applied to requests from IP 81.31.39.112 or 81.31.39.116. If you see an action other than Skip, go back through the rule’s condition (check for a typo) and its order among the other rules. If the rule is working correctly and you’re still getting a 403 error, it may be a separate protection on your hosting side.

How do I know Mergado is actually downloading the feed?#

In your Mergado project, go to the History page and filter the Event type column by Download (or Product import). You’ll see records of individual attempts, including the time and the number of products downloaded.

Was this article helpful?