Cloudflare OWASP Core Ruleset causing 403 errors on media file uploads

I started getting 403 errors today after making a few changes.

At first, I thought the issue was “Tiered cache”, not so.

Looks like the issue is caused by “Cloudflare OWASP Core Ruleset”. When it is turned on, it breaks wordpress media upload. I found errors related to my IP in the logs that stated that Cloudflare issued a managed response and pointed me to the ruleset.

To solve this, I had to exclude “/wp-admin/async-upload.php” from the OWASP ruleset.

in logs: 949110: Inbound Anomaly Score Exceeded

FYI.

OK, it’s even worse than that. It triggers not just on file uploads, but also in background saves.

I had to add exceptions to file uploads and /wp-admin/

If more issues continue, I’ll have to turn off OWASP completely. it looks like it’s not quite compatible with Wordpress (on the admin side).