Cloudflare Error 1020: Access Denied

A Cloudflare firewall or WAF rule matched the request and blocked it outright, returning the 1020 page with a Ray ID.

What you see

Access denied
Error code 1020
You do not have access to example.com.
The site owner may have set restrictions that prevent you from accessing the site.
Ray ID: 8a1b2c3d4e5f6a7b

What’s actually happening

The request never reaches your origin: Cloudflare serves the block at its edge. Depending on what the rule targets, it can hit a single visitor, a whole country, or your own API. The Ray ID printed on the page is the thread to pull: it maps to one exact event in Cloudflare's log. The error often shows up right after someone adds a firewall rule or flips on a managed ruleset.

Common causes

  • A custom WAF / firewall rule (block by country, ASN, IP, or user-agent) matched the visitor
  • A Cloudflare Managed Ruleset or OWASP rule fired on something in the request — frequently the URL, headers, or POST body
  • An IP Access Rule set to Block, or a rule blocking known VPN/datacenter ASNs that legitimate users route through
  • A User Agent Blocking rule catching a tool, scraper, or your own server-to-server client with a default UA string
  • A Zone Lockdown restricting a path (like /wp-admin) to an allowlist of IPs that the visitor isn't on

How to fix it

  1. Look up the Ray ID. In the Cloudflare dashboard go to Security → Events (Security Events). Filter by the Ray ID from the error page. The matching entry shows the action (Block), the service that triggered it (WAF custom rules, managed rules, IP access rules, etc.), and the exact rule. This tells you precisely what to change, so don't guess.
  2. Edit or scope the offending rule. Once you know the rule: if it's an over-broad country/ASN block, narrow it or switch the action from Block to Managed Challenge. If a managed rule is a false positive, add an exception (skip that rule ID) for the affected path rather than disabling the whole ruleset. For an IP Access Rule, change Block to Allow for the legitimate IP.
  3. Allowlist legitimate clients. For your own webhooks, monitoring, or server-to-server traffic getting caught, add the source IPs as an Allow IP Access Rule, or create a WAF skip rule keyed on a secret header you send. Give those clients a real, identifiable User-Agent so they stop matching generic-bot rules.
  4. Check Zone Lockdown and Super Bot Fight Mode. If the block only happens on a specific path (admin, login, an API route), look at Zone Lockdown and at Bot Fight / Super Bot Fight Mode, since both can return 1020. Add the user's IP to the lockdown allowlist or relax the bot setting for that route.
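
An added example for steps 1 and 2 (not Cloudflare's code and not part of the original page): it looks up a Ray ID in a Security Events export and reports the triggering service, the rule, and how many clients that rule is hitting. The sample events are constructed, and the field names and "source" values are assumptions about the export format.

```python
import json
from collections import Counter

# Constructed events shaped like a Security Events JSON export. Field names and
# "source" values are assumptions about that export; check them against yours.
SAMPLE_EVENTS = json.loads("""[
  {"rayName": "8a1b2c3d4e5f6a7b", "action": "block", "source": "firewallCustom",
   "ruleId": "rule-geo-1", "clientIP": "198.51.100.20", "userAgent": "python-requests/2.31"},
  {"rayName": "8a1b2c3d4e5f6a7c", "action": "block", "source": "firewallCustom",
   "ruleId": "rule-geo-1", "clientIP": "203.0.113.9", "userAgent": "Mozilla/5.0"},
  {"rayName": "8a1b2c3d4e5f6a7d", "action": "managed_challenge", "source": "firewallManaged",
   "ruleId": "rule-owasp-9", "clientIP": "203.0.113.9", "userAgent": "Mozilla/5.0"}
]""")

# Remediation per triggering service, taken from the steps on this page.
NEXT_STEP = {
    "firewallCustom": "narrow the custom rule or switch Block to Managed Challenge",
    "firewallManaged": "add an exception for this rule ID on the affected path",
    "ip": "change the IP Access Rule from Block to Allow for the legitimate IP",
    "uaBlock": "give the client a real, identifiable User-Agent",
    "zoneLockdown": "add the visitor's IP to the lockdown allowlist",
}

def normalize_ray(ray):
    """Accept the page's Ray ID or a CF-RAY header value like '<id>-FRA'."""
    return ray.strip().lower().split("-", 1)[0]

def triage(events, ray):
    """Return the event for a Ray ID plus how widely its rule is hitting."""
    ray = normalize_ray(ray)
    hit = next((e for e in events if e["rayName"].lower() == ray), None)
    if hit is None:
        return None  # not in this export: wrong zone or outside its time window
    same_rule = [e for e in events if e["ruleId"] == hit["ruleId"]]
    return {
        "action": hit["action"],
        "source": hit["source"],
        "rule_id": hit["ruleId"],
        "next_step": NEXT_STEP.get(hit["source"], "inspect the rule in the dashboard"),
        "rule_hits": len(same_rule),
        "distinct_ips": len({e["clientIP"] for e in same_rule}),
        "top_user_agents": Counter(e["userAgent"] for e in same_rule).most_common(3),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, " 8A1B2C3D4E5F6A7B-FRA "), indent=2))
```

The rule_hits and distinct_ips counts separate a rule that catches one misconfigured client from one that is over-broad and needs narrowing.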

Stop it recurring

Test new firewall rules with Log or Managed Challenge actions before setting them to Block, and keep an allowlist for your own automated traffic.
