Enabling APO is now preventing images from appearing on other websites

Recently, I had a team enable Cloudflare’s Automatic Platform Optimization for WordPress on: bartholomew.foundation website. However, shortly after that, I noticed two different websites’s images (which are linking content from there) disappear and now display 403 Forbidden errors.

If you visit: archons.org, scroll halfway down the page under the section, “The Ecumenical Patriarch Bartholomew Foundation”, only the headlines appear, and no images.

And, if you visit: Founders – Order of Saint Andrew the Apostle, Archons of the Ecumenical Patriarchate and click on “Portrait View” (and not “List View”), you will see broken images throughout. This is populating from the Bartholomew Foundation website, and then by clicking “Founders” at the top menu bar.

I noticed that “Hotlink Protection” is not currently enabled either.

I thought that perhaps a Firewall Rule needed to be established on archons.org site to permit, but I’m uncertain how to establish this, if in fact this is the solution.

I am not a developer, so I am trying my best to get this rectified by opening a ticket on my own with hopes a solution can be proposed in the simplest terms I would be able to understand. Thank you everyone!

The domain https://bartholomew.foundation/ is forbidding other domains to call it’s images from their sites.

On which domain is it disabled?

  1. https://www.archons.org
  2. https://bartholomew.foundation


The blocked images are ALL from https://bartholomew.foundation:

1 Like

Hotlink is not enabled on bartholomew.foundation site.

Also, The Ecumenical Patriarch Bartholomew Foundation (feed burner) which is consuming https://bartholomew.foundation/feed/ is not rendering either. That feedburner is what populates the content on archons site, so, something is not configured right.

I’m not seeing a cache HIT for your homepage. Are you sure you have APO enabled? It looks like you’re also using WP CF Super Cache, which pretty much does the same thing as APO. Still no HIT, though.

1 Like

It is, but seems not to be at Cloudflare. On your backend, or other service behind Cloudflare there is a setting, that does prohibit the call to it’s pictures from another domains, or more specific if your referrer does not match “https://bartholomew.foundation
Also Cloudflares cache at https://bartholomew.foundation is configured to bypass images.


$ curl -I -e https://www.archons.org https://bartholomew.foundation/wp-content/uploads/2021/06/column.jpg 2>&1 | grep HTTP/
HTTP/2 403
$ curl -I -e https://bartholomew.foundation https://bartholomew.foundation/wp-content/uploads/2021/06/column.jpg 2>&1 | grep HTTP/
HTTP/2 200

If the page the image is getting called from does not match https://bartholomew.foundation the service behind https://bartholomew.foundation refuses to serve the image and instead fires a 403 error.


Ok, I deactivated APO last night to see if this helped. I just re-enabled APO and can see “HIT”. I de-activated WP CF Super Cache. I can now see images appearing on members URL. However, I have not seen the images appear on archons site.

Just to add a note, I am not sure why using another cache plugin alongside with the APO in a combination? I am afraid it can create issues.

1 Like

The WP CF Super Cache was enabled PRIOR to enabling the APO. Until sdayman mentioned it, I forgot we had this enabled. Would having Hummingbird plugin enabled also affect/help results?

This is a 3rd plugin for caching - haven’t used it and first time I hear for it Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS – WordPress plugin | WordPress.org.

Due to cache issues, I am afraid it all can have some weird impact while using them in a combination. Just my opinion as far as users reported having some issues using multiple cache plugins (with or without APO) while using Cloudflare. So, if I may suggest please take it with a caution when troubleshooting the issue.
Basically, the features that those plugins offer, all of them Cloudflare has already implemented and Cloudflare can reduce the work at the origin server so no need to install and use all those plugins alongside it - but, only my opinion, again, cannot say it in general but rather from what I’ve seen from the other topics.

1 Like

It could. If the config of the plugin allows to activate/deactivate certain parts modularly please disable the “Cache” option, the optimization options you can keep activated.

Disable all other caching plugin aswell, since APO is taking over that part.
It also would be important that we know what website you are talking about when you say you have done something:

  1. https://www.archons.org
  2. https://bartholomew.foundation

Which of them are you talking about?

I remember I saw x-frame-options HTTP header, but unsure on which domain.
If that could have impact, as your plugin is using “RSS feed” to fetch the items and display them in a “carousel” style?

It would be good to “fetch and download” them to your server, somehow, and then display it from your server - if possible.
But, I am afraid that requires some programming work as I assume plugin does not offer that kind of displaying 3rd-party content from external domain that way.

The issue about the images is, I am afriad because:

If the plugin reads the feed:

As far as I see from the feed link you provided, the RSS feed item does not contain any images and media tag like:

<media:content medium="image" 

Only I see it’s image added inside:


→ the <img> from the content could be, but unaware if the plugin actually recognized it fetched and outputted it correctly from the <content>?

1 Like

Everything I’ve done (disabling WP CP Super Cache Plugin and re-enable APO) has been done on bartholomew.foundation site.

Is there any chance you are using Varnish? Or any other different reverseProxy between Cloudflare and your WordPress application?

After trying to get the image https://bartholomew.foundation/wp-content/uploads/2021/11/hah-speaking.jpg on my test website using basic HTML <img> tag, I can confirm it’s also 403 forbidden.

As @M4rt1n suggest and already notice about x-frame-options: contains the value SAMEORIGIN, I am afraid you cannot do anything about it if it’s not your own website.

UPDATE: Or, I am wrong, as far as this should affect <frame> tag only?

Maybe some other HTTP header like Referrer-Policy?

He does own (or at least has access) to both sites. The problem is, I dont know where exactly it is implemented. Does not seem to come from Cloudflare, but from the origin or whatever is behind. But he will have to figure out where on his origin it is implemented. I guess it is related to a Plugin or maybe a local Varnish instance to cache things. maybe even .htaccess or Nginx config. But Referrer-Policy is “same-origin” like you just stated.

I thought maybe Varnish as he does have these additional headers:

1 Like

Hopefully, no Firewall Events at Cloudflare dashboard so far for now being blocked or challenged on one or another domain due to, I assume WordPress/version_number for the user-agent and the HTTP/1.0 request being made from one website to another?

As both websites using Cloudflare …

@user20672 Can you check this?
Have you tried allowing IP of the server at a Firewall Rule on both domains in Cloudflare dashboard?

May I ask if you already written a ticket to Cloudflare Support due to this issue?

Another thinking related to how the plugin works.

If it does fetches each time the same amout of images for each time your visitor visits your homepage or hits refresh button, maybe Cloudflare is detecting it as a potential threat and therefore blocks itself out there? → which consumes a lot of resources if you have a lot of visitors (despite the images are not being cached by the stated HTTP headers?)

  • be it 500 pageviews on homepage per day, multiplied by 12 images, equals a lot of requests (6000) for which Cloudflare could understand it’s a bot trying to fetch the content and challenge/blocks it …

Right… I do not either. I just disabled Hummingbird temporarily to see if this fixes. Purged cache all around, and still nothing. Going to perform some plugin updates next and see if this helps anywhere. I’m afraid I do not know what “Varnish” is or does, so it is unlikely I have this enabled.

may I ask you for your origin IP? You don’t have to expose it, but if you do I could run some tests against your origin directly. Also: you can share it in a PM with me if you don’t want it to be available publicly.

I want to make sure, this 100% is not related to Cloudflare.

I’m afraid I’m new at this… I do not know how to PM you. Please let me know, and would love to connect.

I wrote you a PM, feel free to share the IP there. For everything else, continue here so others can contribute :slight_smile: