I’m getting a 403 Forbidden error in WordPress admin when trying to edit a blog post using the Block editor. I think it’s related to Cloudflare WAF or caching. I’ve disabled the WAF managed rules and cleared the cache and added a cache exception for x-wp-nonce headers but it’s still happening.
I disabled all Cloudflare optimization settings as well so it’s basically at the point where none of my Cloudflare optimizations are active but I’m still getting the error, which leads me to believe there’s an issue with Cloudflare caching.
The site has been running for more than a year with Cloudflare DNS but it wasn’t until a few days ago that I upgraded to a paid plan and configured some security and optimization settings. I don’t have any other Security or Caching plugins installed in WordPress and I’ve tried resetting the .htaccess file as well.
You’re being challenged by OWASP:
(or rather were, since you now have OWASP disabled)
The challenge is issued because the total score from the triggered signatures added up to 35.
There are several options to solve this. One of them is to disable OWASP, as you did; another is to disable rules you feel might not make sense; yet another is to increase the OWASP score threshold to a higher value. But in my opinion, the best way to overcome this without compromising security would be to create an exception for your particular case, trying to be as specific as possible.
Exceptions can be created under Security > WAF > Managed rules > Add exception
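As an added example (not part of the original replies), an exception expression scoped as narrowly as the answer above recommends could look like the one below. The hostname, the editor's IP address (a documentation-range placeholder) and the WordPress REST API path used by the Block editor are assumptions; confirm the real path and the rules that fired from the logged firewall event, and have the exception skip only those OWASP rules rather than all managed rules.

```text
(http.host eq "www.example.com"
 and http.request.method eq "POST"
 and starts_with(http.request.uri.path, "/wp-json/wp/v2/posts")
 and ip.src in {203.0.113.10})
```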
Ok, I can make changes now in incognito, so it was a caching issue after OWASP was disabled. Thank you. I will start to revert the other changes and see if I run into any other issues.