Cloudflare Blocking WordPress Rest API

I’ve been experiencing an issue with one of my plugins on WordPress, my providers support asked me to add a page rule to my Cloudflare configuration to disable all security and caching to their REST API endpoint but have now come back to me and said:

“…seems like Cloudflare is still blocking the request, and it’s assuming the request is a DDOS attack.”

Their original request:

“Cloudflare is blocking the rest-API request. You need to exclude blocking/ whitelist the request. Login to your Cloudflare dashboard and add page rules. See the attachment and replace with your website url.”

I believe I have done everything correctly but there must be something I am missing.


I’ve also added a firewall rule to allow traffic to any URI containing /wp-json/ and am seeing some traffic pass through that rule, but it doesn’t allow me to include multiple URIs in one rule so I can’t add each different endpoint without running out of my rule allowance?

A firewall rule can mix and match conditions, including URIs. If you post what you have so far, we can make some suggestions.

Thanks for the swift reply sdayman. I have temporarily paused Cloudflare and confirmed that doing that fixes the issue so it looks certain to be a misconfiguration on my part. I have:

  1. Added a “page rule” to disable security and bypass caching for any URI matching - this is the API instructed by my provider. Screenshot of my rule to verify my settings.

  2. Added a page rule to bypass ALL caching across the entire domain. I have several caching solutions already I don’t want to conflict.

  3. Added a firewall rule to allow ALL traffic to URI containing /wp-json/ which is the WordPress API root endpoint.

In the Firewall Activity Log, find one of the requests that was blocked and take a screenshot of the expanded log entry - if it was blocked by (Super) Bot Fight Mode, you can’t override that with firewall rules - only by whitelisting the IP address it came from in IP Access Rules.

Ok will try find that now… let me check :slight_smile: Thank you.

I have checked in the firewall rule activity and I can see two JS Challenge entries relevant, screenshots below, but I can also see several ALLOWED entries that are relevant.

Yeah - Bot Fight Mode can’t be modified by Firewall Rules since it runs before the WAF in the traffic flow.

You can only blanket whitelist the IP address from all bot/WAF features - or disable Bot Fight Mode and implement your own firewall rules that act off threat score or challenge ASNs like Digital Ocean and Google (which are usually automated traffic).

As you can see - both the allowed and challenged URIs have the same root - /wp-json/ so I can’t understand why one would be allowed and the other challenged. But it also looks like the same type of request is challenged both times - the “push” to the API

Ah, OK - so it seems my only realistic way forward here is simply disable Bot Fight Mode, if the IP address changes each time?

I’ve just noticed that in my page rules it states that ONLY ONE rule will trigger per URI - so if both my rules match that URI then only the first one will trigger? Which means that all I was doing was disabling caching - but not disabling security on that second rule? Have I understood that correctly? And does the “disable security” include disabling Bot Fight Mode on that page?

Only IP Access Rules can bypass Bot Fight Mode since otherwise bots are stopped before hitting the WAF.

As for will only one run per match, yes.

  • Only the highest priority matching page rule takes effect on a request.

Surely “Page Rule” hits before IP Access and then Bots no?

So my page rule, set to “Disable Security, Security Level: Effectively none” should bypass the Bot Fight Mode too no? Or is Bot Fight Mode not included in “Disable Security, Security Level: Essentially Off,”

Only IP Access Rules can bypass Bot Fight Mode - Bot Fight Mode could be compared to a big, indiscriminate hammer for automated traffic, there isn’t any way to customize it.

Bot Fight Mode is not included in Disable Security and Security Level is just Managed Challenges based on the threat score of an IP address.

Another good resource is this community post - Super Bot Fight Mode - What to know

I am having the same exact issue (fluent support plugin ticket emails being blocked by Cloudflare)…
Did you figure this out yet?

Open the Firewall Activity Log, find one of the requests and it’ll say which ruleset or feature is blocking it.

Unfortunately the only way to solve it was to completely deactivate Bot Fight Mode from Cloudflare.

Doing so immediately fixed my issue and all tickets started coming through with no issues since I did that.

Unfortunate as it means Bot Fight Mode has to be completely disabled site wide. There are no rules that encompass it.


1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.