Firewall blocking legitimate activity on WordPress backend by wp-json

Hello, I was looking at multiple blocks in the Firewall log and saw that Cloudflare is blocking legitimate activity on the WordPress backend (how do I know this? It’s my IP in the logs!).
I saw that blocking happens when I do something in wp-admin that makes a call to the WordPress API: WP-JSON.
As I’m using Cloudflare default rules, I thought it was pertinent to communicate this.

Security Level: High
OWASP ModSecurity Core Rule Set Sensitivity: High
Action: Challenge


{
  "action": "block",
  "clientASNDescription": "TELEFONICA BRASIL S.A",
  "clientAsn": "18881",
  "clientCountryName": "BR",
  "clientIP": "2404:1a0:1401:ed27:11fd:d725:6410:51c",
  "clientRequestHTTPHost": "",
  "clientRequestHTTPMethodName": "POST",
  "clientRequestHTTPProtocol": "HTTP/3",
  "clientRequestPath": "/wp-json/wp/v2/widget-types/custom_html/encode",
  "clientRequestQuery": "?_locale=user",
  "datetime": "2021-10-16T11:54:15Z",
  "rayName": "69f117666bf6f207",
  "ruleId": "100173",
  "rulesetId": "",
  "source": "waf",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
  "matchIndex": 0,
  "metadata": [
    {
      "key": "group",
      "value": "cloudflare_specials"
    },
    {
      "key": "rule_message",
      "value": "XSS, HTML Injection - Script Tag"
    }
  ],
  "sampleInterval": 1
}

Which version of WAF you are running? Can you post a screenshot of your WAF configuration page?

I do not know where to look for the WAF version. A GIF of the screen follows.

Yep, the one you are showing is the old WAF.

What you can do is to create a new firewall rule that matches the wp-json traffic (more precisely, you can also check whether Cookie contains “wordpress_sec” and the request method is POST), then set the action to Bypass - WAF Managed Rules.

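The rule suggested in the reply above, written out as a rule expression and checked locally against the request from the log. This is an added example, not part of the original thread and not Cloudflare's code; the Python predicate and the cookie value are constructed for illustration, since the firewall event does not record cookies.

```python
import json

# Expression for the firewall rule editor (Cloudflare Rules language fields).
BYPASS_EXPRESSION = (
    '(http.request.uri.path contains "/wp-json/" '
    'and http.request.method eq "POST" '
    'and http.cookie contains "wordpress_sec")'
)

# Fields copied from the blocked event in the original post.
BLOCKED_EVENT = json.loads("""{
  "clientRequestHTTPMethodName": "POST",
  "clientRequestPath": "/wp-json/wp/v2/widget-types/custom_html/encode",
  "ruleId": "100173"
}""")

# Constructed cookie header; the event log does not record cookies.
ADMIN_COOKIE = "wordpress_sec_0123abcd=editor%7Cconstructed; wp-settings-1=x"


def would_bypass(method, path, cookie_header=""):
    """Local mirror of BYPASS_EXPRESSION: True means managed rules are skipped.

    'contains' is a case-sensitive substring test, so the cookie condition
    narrows the rule's scope but is not an authentication check.
    """
    return (
        "/wp-json/" in path
        and method == "POST"
        and "wordpress_sec" in cookie_header
    )


def scope_report():
    """Evaluate the rule against the logged request and constructed neighbours."""
    method = BLOCKED_EVENT["clientRequestHTTPMethodName"]
    path = BLOCKED_EVENT["clientRequestPath"]
    cases = {
        "logged request, admin cookie": (method, path, ADMIN_COOKIE),
        "same request, no cookie": (method, path, ""),
        "GET to REST API": ("GET", "/wp-json/wp/v2/posts", ADMIN_COOKIE),
        "comment form POST": ("POST", "/wp-comments-post.php", ADMIN_COOKIE),
    }
    return {name: would_bypass(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, skipped in scope_report().items():
        print(f"{'bypass ' if skipped else 'inspect'}  {name}")
```

Only the first case is exempted from the managed rules; the other three keep full WAF inspection, which is the reason to combine all three conditions instead of matching on the path alone.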

OK, thank you! But how do I update to the “new WAF”? I have Cloudflare Pro.

I believe they are rolling it out to customers in batches, but it would be better if someone at Cloudflare could explain the current situation of rolling out the new WAF, as this already started in May, if I’m not mistaken.
