Cloudflare WAF Preventing Certain Pages From Updating

There are certain pages on our WordPress site that will not update due to a JSON error. We have enabled debugging and the logs said nothing. All of our posts have no issues.

On our staging site, I disabled the WAF and the page was finally updated. I turned it off and the page no longer would update.

Is there a way to prevent this error from happening?

A good way to prevent it is to check whether the request hits URLs contain wp-admin, AND the cookie contains wordpress_sec (to check if the user has logged in), AND request method equals POST.

Then, set the action to Bypass - WAF Managed Rules.


Thank you for that.

I put the Firewall Rule in and it is just not working. My staging site will only work when I disable security in the page rules.

The console error is still the same too - POST 403.

The activity just spikes without me doing anything, I assume that is normal?

Not sure what to do from here?

Thank you for the help!

Can you please post the raw text (Expression Preview) from the firewall rule?

(http.request.uri contains “wp-admin” and http.cookie contains “wordpress_sec” and http.request.method eq “POST”)

1 Like

Have you confirmed from the Firewall Event Activity Log that it’s the WAF that’s blocking this POST?

1 Like

Yep, It states, “XSS, HTML Injection - Script Tag”.

That is the page that has our Google CSE div code. It also did that to our terms page when we added code. It doesn’t do it to any other page.

So since it is the code that I put in, how would I go about bypassing that temporarily? I have even disabled WAF for wp-admin pages and it still wasn’t having it.

This is probably what is making our Gutenberg blocks break too.

Can you post a screenshot of the expanded view for that log entry? It’s ok to black out sensitive information.

And is this Firewall Rule first on the list?

I have other logs that are the bypass rule.

Yes, it is.

Not sure if it is worth mentioning but I also get saving draft issues on some posts and I assume it may be related? That is a little harder to replicate the issue though as I am not sure what triggers it and I never logged down the console error.

That Path doesn’t have wp-admin in it. Try wp-json instead in your Firewall Rule.

Maybe even loosen up the cookie check to just “wordpress”.


Thank you for that. It still is not working, unfortunately.

Same two checks:

  1. Post the new firewall rule text
  2. Post a screenshot of the expanded firewall event

(http.request.uri contains “wp-json” and http.cookie contains “wordpress_sec” and http.request.method eq “POST”)

I loosened the cookie to wordpress and it worked

Will loosening up that cookie compromise security at all?

When I search wordpress_sec in Network via developer tools I see several of those cookies. Why won’t it work with it in the rule?

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.