Cloudflare blocks POST request to wordpress endpoint

We are running a wordpress site that uses a Quickbooks Plugin to sync with Quickbooks. Cloudflare is blocking the POST request to our endpoint and I do not know why. When “Pausing” cloudflare, everything works. We are not using WAF, but even after adding a rule to explicitly allow the endpoint it still fails.

Any help in the right direction would be much appreciated.



  1. Visit your website and perform the action that would normally result in a request being blocked…
  2. Wait a few minutes
  3. Go to Dashboard > Security > Events. If the request was in fact blocked by Cloudflare, you should find an event related to that block action. Depending on your site traffic, you may need to filter by IP address, User Agent, URI Path, etc. to find it. Check the “Service” that blocked it.
  4. If this was
    a) Bot Fight Mode, disable this feature.
    b) Super Block Fight Mode, create a WAF Custom Rule to Skip it for the specific situation, with relevant conditions such as the URI Path and the visitor’s IP, for example;
    c) WAF Managed Rule, you need to create a WAF Exception for that rule. See: Add a WAF exception in the dashboard · Cloudflare Web Application Firewall (WAF) docs
    d) WAF Custom Rule, you need to edit it accordingly.

That indicates that perhaps the requests are not being blocked, but not completed due to a 5XX error. If you do not find any Security Events related to these requests, please go to Analytics & Logs, then filter by

Edge error code greater or equals 500


I do not see any blocked event by default.

We were not using any WAF rules; however, in an attempt to solve this, I implemented a WAF rule to explicitly allow the endpoint && request method. After that was implemented I do see the matched security event - although the request still fails (443 - unauthorized). The action that I have is “Skip” and I’ve selected to skip everything possible.

I am looking at Cloudflare because of the response packet from the endpoint:



[status] => Array


[protocolVersion] => 1.1

[statusCode] => 200

[reasonPhrase] => OK


[header] => Array


        [Date] => Wed, 19 Jul 2023 18:47:35 GMT

        [Content-Type] => application/json

        [Transfer-Encoding] => chunked

        [Connection] => keep-alive

        [x-powered-by] => PHP/8.1.20

        [vary] => Accept-Encoding

        [strict-transport-security] => max-age=7776000; includeSubDomains; preload

        [x-frame-options] => SAMEORIGIN

        [x-content-type-options] => nosniff

        [CF-Cache-Status] => DYNAMIC

        [Report-To] => {"endpoints":[{"url":"https:\/\/\/report\/v3?s=QaW1rpPkFan7vxkyI36kuqBq%2B1cp0xLYiobHwXMZXwJ%2FKAXK2kquEPlV%2BKJyvfhu6phQAZCaa98mjz9owQIw261n%2BaFih4ObPPIhfV889IH4SQY7nbxwstmhGMX4ePOK4Q%3D%3D"}],"group":"cf-nel","max_age":604800}

        [NEL] => {"success_fraction":0,"report_to":"cf-nel","max_age":604800}

        [Server] => cloudflare

        [CF-RAY] => 7e95222bed582273-ORD

        [alt-svc] => h3=":443"; ma=86400


[body] => {"success":0,"message":"Not Authorized"}


In addition, when “pausing” cloudflare, the action passes.

I do wonder what the security level “medium” implements by default, and if that may have something to do with it.


The request status is actually 200, not 443 (which is probably a reference to the default port number used by HTTPS connections.)

This response as “Not Authorized” apparently comes from the WordPress endpoint itself, and it seems to be related to authentication: But that’s odd, as a non-authorized request would normally get one of 400 Bad Request, 401 Unauthorized, 405 Method Not Allowed, or 403 Forbidden status codes.

Somehow your origin seems to be expecting something that is not being passed on by Cloudflare. Perhaps a cookie? Or a different IP address…Have you set your origin server to restore original IPs?

Security level is a broad net based on IP reputation only. It would block requests coming from IPs with a threat score above 14. It’s not related to what you’re seeing, as the status code 200 means the request was not blocked.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.