Recently, I had a team enable Cloudflare’s Automatic Platform Optimization for WordPress on the bartholomew.foundation website. However, shortly after that, I noticed two different websites’ images (which are linking content from there) disappear and now display 403 Forbidden errors.
If you visit archons.org and scroll halfway down the page, under the section “The Ecumenical Patriarch Bartholomew Foundation”, only the headlines appear, and no images.
I noticed that “Hotlink Protection” is not currently enabled either.
I thought that perhaps a Firewall Rule needed to be established on archons.org site to permit, but I’m uncertain how to establish this, if in fact this is the solution.
I am not a developer, so I am trying my best to get this rectified by opening a ticket on my own with hopes a solution can be proposed in the simplest terms I would be able to understand. Thank you everyone!
It is, but it seems not to be at Cloudflare. On your backend, or another service behind Cloudflare, there is a setting that prohibits calls to its pictures from other domains, or more specifically if your referrer does not match “https://bartholomew.foundation”.
Also, Cloudflare’s cache at https://bartholomew.foundation is configured to bypass images.
Ok, I deactivated APO last night to see if this helped. I just re-enabled APO and can see “HIT”. I de-activated WP CF Super Cache. I can now see images appearing on members URL. However, I have not seen the images appear on archons site.
Due to cache issues, I am afraid it all can have some weird impact while using them in combination. Just my opinion, as far as users reported having some issues using multiple cache plugins (with or without APO) while using Cloudflare. So, if I may suggest, please take it with caution when troubleshooting the issue.
Basically, the features that those plugins offer, all of them Cloudflare has already implemented and Cloudflare can reduce the work at the origin server so no need to install and use all those plugins alongside it - but, only my opinion, again, cannot say it in general but rather from what I’ve seen from the other topics.
I remember I saw x-frame-options HTTP header, but unsure on which domain.
If that could have impact, as your plugin is using “RSS feed” to fetch the items and display them in a “carousel” style?
It would be good to “fetch and download” them to your server, somehow, and then display it from your server - if possible.
But, I am afraid that requires some programming work as I assume plugin does not offer that kind of displaying 3rd-party content from external domain that way.
The issue about the images is, I am afraid, because:
If the plugin reads the feed:
As far as I see from the feed link you provided, the RSS feed item does not contain any images and media tag like:
Only I see it’s image added inside:
→ the <img> from the content could be, but unaware if the plugin actually recognized it fetched and outputted it correctly from the <content>?
He does own (or at least has access to) both sites. The problem is, I don’t know where exactly it is implemented. It does not seem to come from Cloudflare, but from the origin or whatever is behind it. But he will have to figure out where on his origin it is implemented. I guess it is related to a plugin or maybe a local Varnish instance to cache things. Maybe even .htaccess or Nginx config. But Referrer-Policy is “same-origin” like you just stated.
I thought maybe Varnish as he does have these additional headers:
Hopefully, no Firewall Events at Cloudflare dashboard so far for now being blocked or challenged on one or another domain due to, I assume WordPress/version_number for the user-agent and the HTTP/1.0 request being made from one website to another?
As both websites using Cloudflare …
@user20672 Can you check this?
Have you tried allowing IP of the server at a Firewall Rule on both domains in Cloudflare dashboard?
May I ask if you have already written a ticket to Cloudflare Support due to this issue?
Another thinking related to how the plugin works.
If it fetches the same amount of images each time your visitor visits your homepage or hits the refresh button, maybe Cloudflare is detecting it as a potential threat and therefore blocks itself out there? → which consumes a lot of resources if you have a lot of visitors (despite the images not being cached by the stated HTTP headers?)
be it 500 pageviews on homepage per day, multiplied by 12 images, equals a lot of requests (6000) for which Cloudflare could understand it’s a bot trying to fetch the content and challenge/blocks it …
Right… I do not either. I just disabled Hummingbird temporarily to see if this fixes. Purged cache all around, and still nothing. Going to perform some plugin updates next and see if this helps anywhere. I’m afraid I do not know what “Varnish” is or does, so it is unlikely I have this enabled.
May I ask you for your origin IP? You don’t have to expose it, but if you do I could run some tests against your origin directly. Also: you can share it in a PM with me if you don’t want it to be available publicly.
I want to make sure, this 100% is not related to Cloudflare.
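The referrer-based blocking suggested earlier in the thread can be confirmed by requesting the same image with different Referer headers and comparing status codes. The following is an added example, not part of the original posts: the local test server, its policy (an empty Referer is allowed, a foreign one gets 403) and the image path are constructed assumptions so the script runs offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

ALLOWED_HOST = "bartholomew.foundation"  # site named in the thread


class HotlinkBlockingOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in for an origin that rejects foreign Referers."""

    def do_GET(self):
        referer = self.headers.get("Referer", "")
        # Assumed policy: a Referer, when present, must be the site's own host.
        blocked = bool(referer) and urlparse(referer).hostname != ALLOWED_HOST
        self.send_response(403 if blocked else 200)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def probe(url, referers):
    """Return {referer: HTTP status} for one URL fetched under each Referer."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    results = {}
    for ref in referers:
        req = urllib.request.Request(url, headers={"Referer": ref} if ref else {})
        try:
            with opener.open(req, timeout=5) as resp:
                results[ref] = resp.status
        except urllib.error.HTTPError as err:
            results[ref] = err.code  # 403 here means the Referer was rejected
    return results


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), HotlinkBlockingOrigin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/sample.png"  # constructed path
    try:
        return probe(url, ["", "https://bartholomew.foundation/", "https://archons.org/"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for ref, status in run_demo().items():
        print(f"Referer {ref or '(none)'}: HTTP {status}")
```

If `probe()` against a real image URL returns 200 for the site's own Referer and 403 only for the other domain, the block is a referrer check rather than a cache or firewall issue.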