Form Submission Won't Go Through When CF is Enabled

Hello,

I have a form submission on my site using request method: POST requesting /wp-admin/admin-ajax.php.

I’ve noticed when enabling Cloudflare the form submission doesn’t go through. Yet when disabling Cloudflare it does go through and the entry is logged in the site’s database properly.

I’ve applied a firewall exception rule for /wp-admin/admin-ajax.php as Bypass for all applicable selections (using free plan):

(http.request.method eq "POST" and http.request.uri.path eq "/wp-admin/admin-ajax.php")

The firewall logs show the /wp-admin/admin-ajax.php rule is being bypassed, but the form is still returning an error response when trying to submit.

{"success":false,"data":{"message":"There was a problem. Please try again later."}}

The Request chain is:

https://domain.com/activity/
https://domain.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0
https://domain.com/wp-admin/admin-ajax.php

The /wp-admin/admin-ajax.php status code is 200.

I am at a loss as to why the only way I can seem to get the form to submit properly is to disable/pause Cloudflare entirely. Development mode or removing proxies doesn’t help. No caching plugin on website.

Does anyone know how to fix this? Or whether it’s occurring from the “Managed Rules”, which seem to be off limits from modifying/viewing if you’re on a free plan.

Greetings,

Thank you for asking.

I remember this comes up on topics lately much more than ever before and I am sorry to hear that you’re experiencing this.

Before moving to Cloudflare, was your Website working over HTTPS connection?

I wonder if any of Cloudflare's security & protection settings like Bot Fight Mode or Browser Integrity Check challenged or blocked the request.

Kindly check and provide some more details about which service it triggered and what result it got in the Cloudflare dashboard → Security → Overview for the past 24 hours or so. Once you find them, click on a particular one to find more details about it (user-agent, IP, HTTP version …).

Nevertheless, I am not sure if that request to the admin-ajax.php was made via WordPress itself or via some plugin?

Development mode aside, if you temporarily enable the “Pause Cloudflare for this site” option in the bottom-right corner of the CF dashboard, does it work then, or does it still show the same warning/error?
Does your Website work fine over HTTPS when Paused?

Just in case, related to WordPress, I’d suggest you whitelist your origin host / server / hosting IP address by navigating to Security → WAF → Tools → IP Access Rules with the action “allow” for your Website and try again.

This is known to happen due to WordPress using HTTP/1.0 and an empty user-agent while executing WP-Cron or some other related JSON/REST API request via a plugin.

Regarding the option to add an exception on a Free zone for “Free Managed Rules”, kindly see my post here and interlinked one with more information:

Last response from Cloudflare support which I’ve got was as follows:

As an update, our engineering team is looking to roll out the WAF for everyone in Q4 this year. This would allow the free tier users to make use of the override feature in our WAF ruleset to bypass the rules.
Source post: Triggering of cloudflare protection on subdomain - #4 by fritex

Hi Fritex,

Thanks for responding.

Yes, the site was working over HTTPS prior to using Cloudflare. Now at Cloudflare I’ve set it to Full (Strict).

Under Security->Bots I have not enabled bot fight mode.

The firewall logs do not show the form submission triggering any services. No logs are actually created by Cloudflare when the form doesn’t submit properly.

It is only when I specifically make a rule for /wp-admin/admin-ajax.php that I see the log showing, in this case, that it is bypassed, as I specified in the rule.

The form submission is part of a plugin. Other parts of site that utilize admin-ajax.php appear to work fine.

If I “Pause Cloudflare for this site” that seems to be the only way for the form submission to work/submit properly. And yes, the site works fine over https when Cloudflare is paused.

I had already whitelisted my servers IP in the way you mentioned before. It doesn’t seem to make any difference for the form submission problem.

Hi Fritex,

Thanks for responding.

Yes, the site was working over HTTPS before Cloudflare. Now with Cloudflare I have it set to Full (strict).

Under Security->Bots the bot fight mode is not enabled.

Cloudflare isn’t triggering any services when the form submission doesn’t work. No logs are being created by Cloudflare when the form submission doesn’t work.

It is when I set a rule to bypass /wp-admin/wp-ajax.php that Cloudflare shows a log entry for that request, in this case, as being bypassed.

The submission form is part of a plugin. Other parts of the site that utilize wp-admin/wp-ajax.php appear to be working properly.

If I “Pause Cloudflare for this site” that seems to be the only way for the form submission to submit/work properly. And yes, the site works fine over HTTPS when Cloudflare is paused.

I had already done this prior to the form submission issue. Unfortunately, it didn’t make a difference here.

Thank you for the feedback information.

Furthermore, I wonder if the plugin is using some kind of JS code, as it implements Ajax. Maybe the script code is in some kind of conflict with Cloudflare’s Rocket Loader feature or the Auto Minify options in the Cloudflare dashboard?

Nevertheless, I wonder how WordPress is configured to send out an e-mail (I guess?) when the form is submitted, and if the request uses your SMTP (unproxied hostname like mail.example.com) with correct credentials for your domain name.

In case you’re using some 3rd-party plugin, maybe their IPs might need to be whitelisted too? I just wonder.

Otherwise, I am finding it a bit hard to figure out.

May I ask if some kind of plugin is being used to build the form, and then used to submit it further?

That’s the output from the Developer Console, correct?

May I ask if you’ve tried using some other form plugin, to see if the effect and end result are the same?

Or was this form manually built/coded by you or some other web developer?

Thanks again for the response.

Yes, the plugin does have some js files. Although I do have Rocket loader and Auto Minify disabled. I don’t know if pastebin is allowed here, but here are the 3 js files for plugin under Sources in development tools: https://pastebin.com/2bEvxuHM

I don’t have SMTP set up properly yet. Using a VPS, WHM/cPanel creates a mail account and then WordPress handles it in the default way (PHP mail function). The Cloudflare MX record is unproxied with just my root domain (mydomain.com) as the entry for the name and mail server fields.

The way the form submission seems to work is that it adds the message to the database under a specific table as entry, then in the admin panel there is a section to review the message. It acts as a user report feature for abusive content. It can send an email notifying the admin of a report occurring though.

I am not sure if it is connecting anywhere but internally. The form class is method="post" action="">

The one plugin is responsible for the form submission, although it is a plugin made to work with/for BuddyPress.

Yes, in developer tools>Network tab, it’s the response shown for the admin-ajax.php request from the plugin.

It does seem other forms using the POST method on the website from other plugins are working.

Thanks for feedback.

Just for reference and to double-check: usually, the MX record should point to a hostname such as mail, and the A (or CNAME) type record for that hostname mail should be set to DNS Only (grey cloud) at the DNS tab of the Cloudflare dashboard.

Furthermore, in your email client or web application (WordPress), you should use mail.domain.com for POP3/IMAP/SMTP.

Kindly, I’d suggest you download and install the plugin below, as it works perfectly for WordPress; just configure it to use your e-mail account with the credentials:

Tick the “Force name” and “Force email” checkboxes → How to Set Up the Other SMTP Mailer in WP Mail SMTP.

Interesting.
I am using Contact Form 7 or WPForms, or rather some of my own code for a contact form without a plugin, and it works okay.

May I just ask if there is some kind of HTTP header like “Access-Control-Allow-Origin” present?

Furthermore, is the request Content-Type correctly set to “application/json”?

May I ask if it is a free or paid one?
Can you share a link to it maybe so I could test this out too and try to replicate the same issue on one of my WP websites?

Thanks for the response again.

Ok, thanks for information. I will use this as reference when I set up SMTP. The MX records were what Cloudflare assigned when I scanned for DNS. Though I assume this isn’t related to the form submission issue?

Yes, there is. See below, I will add some more details/most of them from the HTTP header, in case it helps:

Request header, content-type, looks like it’s: application/x-www-form-urlencoded; charset=UTF-8

///General
Request URL: https://mydomain.com/wp-admin/admin-ajax.php
Request Method: POST
Status Code: 200
Referrer Policy: strict-origin-when-cross-origin

///Response Headers
access-control-allow-credentials: true
access-control-allow-origin: https://mydomain.com
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
cache-control: no-cache, must-revalidate, max-age=0
cf-cache-status: DYNAMIC
content-encoding: gzip
content-length: 96
content-type: application/json; charset=UTF-8
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
referrer policy: strict-origin-when-cross-origin
server: cloudflare
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-robots-tag: noindex
x-turbbo-charged-by: Litespeed

///Request Headers
:authority: mydomain.com
:method: POST
:path: /wp-admin/admin-ajax.php
:scheme: https
accept: application/json, text/javascript, */*; q=0.01
accept-encoding: gzip, deflate, br
content-length: 183
content-type: application/x-www-form-urlencoded; charset=UTF-8
origin: https://mydomain.com
referer: https://mydomain.com/activity/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
x-requested-with: XMLHttpRequest

It is a paid plugin from BuddyDev: https://buddydev.com/plugins/buddypress-moderation-tools/
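
As an added example (not written by anyone in this thread and not part of the plugin), a triage check over the response reported above: it separates a reply generated by the WordPress application behind Cloudflare from one generated by an edge challenge or a block in front of the application. The function name classify, the category labels and the contrasting challenge sample are assumptions made for illustration.

```python
import json

# Constructed sample: status, selected headers and body as reported in the thread.
REPORTED = {
    "status": 200,
    "headers": {"server": "cloudflare", "cf-cache-status": "DYNAMIC",
                "content-type": "application/json; charset=UTF-8"},
    "body": '{"success":false,"data":{"message":'
            '"There was a problem. Please try again later."}}',
}

# Constructed sample for contrast: what an edge challenge typically looks like.
CHALLENGED = {
    "status": 403,
    "headers": {"server": "cloudflare", "cf-mitigated": "challenge",
                "content-type": "text/html; charset=UTF-8"},
    "body": "<!DOCTYPE html><title>Just a moment...</title>",
}


def classify(resp):
    """Return 'edge-challenge', 'blocked-before-app', 'app-error', 'app-ok' or 'unknown'."""
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    # Cloudflare marks challenge responses with the cf-mitigated header.
    if "cf-mitigated" in headers:
        return "edge-challenge"
    # Heuristic (assumption): an HTML 403/429/503 answering an AJAX call that
    # expected JSON was produced by a proxy, WAF or web server, not the plugin.
    if resp["status"] in (403, 429, 503) and ctype == "text/html":
        return "blocked-before-app"
    if ctype == "application/json":
        try:
            envelope = json.loads(resp["body"])
        except ValueError:
            return "unknown"
        # wp_send_json_success()/wp_send_json_error() emit {"success": bool, "data": ...},
        # so this envelope means the WordPress AJAX handler itself answered.
        if isinstance(envelope, dict) and "success" in envelope:
            return "app-ok" if envelope["success"] else "app-error"
    return "unknown"


if __name__ == "__main__":
    for name, resp in (("reported", REPORTED), ("challenged", CHALLENGED)):
        print(name, "->", classify(resp))
```

For the reported response this returns app-error: the body is a WordPress AJAX failure envelope delivered with status 200, which points triage at what the plugin sees behind the proxy rather than at an edge block.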