Rank Math SEO Plugin doesn't save entries

Rank Math SEO Plugin doesn’t save entries due to the firewall blocking access to Rank Math’s files with a 401 unauthorized status code.

For example, when we add the ‘Focus Keyword’ to https://rentaprestige.com.au/best-luxury-electric-car-rentals/ as ‘Best Luxury Electric Car Rentals In Australia’ then update the post, it returns as no ‘Focus Keyword’. In other words, the text we add to Rank Math SEO is not saved in the server when we click ‘Update’ the post.

We have let the Rank Math SEO team and our Hosting Team investigate, and they believe the error occurs from the Cloudflare end. They say:

"There seems to be some firewall blocking access to Rank Math’s files with a 401 unauthorized status code.

You can look through your firewall logs and see if there are any blocked requests to these files:

/wp-json/rankmath/v1/updateMeta

/wp-json/rankmath/v1/updateSchemas

/wp-json/rankmath/v1/updateRedirection

/wp-json/rankmath/v1/getFeaturedImageId

/wp-json/rankmath/v1/getHead

If you see any blocked requests, you need to allowlist Rank Math and its files in your firewall or security settings. There’s a firewall blocking Rank Math’s updateMeta routes.

Ask them to allowlist the routes in the code block above."

Can you please guide us in resolving this?

A 401 code doesn’t come from Cloudflare, it is your origin saying a resource that requires authentication was requested. You can see the 401 comes from your origin as the response has origin headers in it…

curl -I https://rentaprestige.com.au/wp-json/rankmath/v1/updateMeta?_locale=user
HTTP/2 401
date: Sun, 10 Dec 2023 11:42:01 GMT
content-type: application/json; charset=UTF-8
content-length: 131
x-powered-by: PHP/7.4.16
x-robots-tag: noindex
link: <https://rentaprestige.com.au/wp-json/>; rel="https://api.w.org/"
x-content-type-options: nosniff
access-control-expose-headers: X-WP-Total, X-WP-TotalPages, Link
access-control-allow-headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
vary: Origin,X-Forwarded-Proto
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aHfL4IjKFfGuKs55zq%2BDc70vN5HhN7ud%2BKtYiB5fAek4Ws%2B7tWsv145%2BW8fnj1X7oiBb3TxIlTAScCy2%2FrZpoENZAwyOhu0SzYH7CBkp9e1GL2Xjq7dERd3GllOz1VSBFDuH%2BCVgsQ%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 833538cd5ab5dd60-LHR
alt-svc: h3=":443"; ma=86400

If your origin is configured to allow access to the resource bypassing the login, say by IP address, then ensure you have configured to restore original visitor IPs…

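Added example (not part of any post in this thread): a Python sketch of the check described in the reply above, comparing a capture taken through the proxy with one taken directly against the origin. The two header dumps are abridged from the curl outputs quoted in this thread; the sets of edge and per-hop header names are assumptions drawn from those dumps.

```python
# Abridged from the two curl captures quoted in this thread.
VIA_PROXY = """\
HTTP/2 401
date: Sun, 10 Dec 2023 11:42:01 GMT
content-type: application/json; charset=UTF-8
content-length: 131
x-powered-by: PHP/7.4.16
x-robots-tag: noindex
link: <https://rentaprestige.com.au/wp-json/>; rel="https://api.w.org/"
cf-cache-status: DYNAMIC
server: cloudflare
cf-ray: 833538cd5ab5dd60-LHR
"""
DIRECT = """\
HTTP/1.1 401 Unauthorized
Date: Wed, 13 Dec 2023 04:23:24 GMT
Server: Apache/2.4.37 (Debian)
X-Powered-By: PHP/7.4.16
X-Robots-Tag: noindex
Link: <https://rentaprestige.com.au/wp-json/>; rel="https://api.w.org/"
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8
"""

# Headers the proxy adds or rewrites (assumption drawn from the two captures
# above, not an official Cloudflare list).
EDGE_HEADERS = {"server", "cf-ray", "cf-cache-status", "report-to", "nel", "alt-svc"}
# Per-hop headers that legitimately differ between the two paths.
TRANSPORT_HEADERS = {"date", "content-length", "transfer-encoding", "vary"}

def parse(dump):
    """Split a `curl -I` style dump into (status_code, {lowercased_name: value})."""
    lines = dump.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def origin_headers(headers):
    skip = EDGE_HEADERS | TRANSPORT_HEADERS
    return {k: v for k, v in headers.items() if k not in skip}

def generated_by_origin(proxied_dump, direct_dump):
    """True when both paths return the same status and the same application headers."""
    p_status, p = parse(proxied_dump)
    d_status, d = parse(direct_dump)
    return p_status == d_status and origin_headers(p) == origin_headers(d)
```

For the two captures in this thread the function returns True: the same 401 with the same PHP and WordPress headers is produced with and without the proxy in the path.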

Thank you for the response. I will get back to you if further input is required.

Hi again,

We have dug into the matter with the support of all the teams involved, including you, and run many tests, and below is what we learnt so far.

  1. According to the Rank Math SEO Team, the firewall blocks access to Rank Math’s files with a 401 unauthorized status code.
  2. According to Cloudflare/You, the 401 code doesn’t come from Cloudflare.
  3. According to the Hosting Team, there is no issue on the server side.
  4. We also tried different computers and browsers without luck. Our publishers from overseas experience the same problem; hence, this cannot be a computer or browser issue.
  5. We created a staging site without Cloudflare, and the staging site works well without the above Rank Math ‘Focus Keyword’ malfunction.
  6. Yesterday, we redirected DNS nameservers to our Host (without routing through Cloudflare), and guess what, the malfunction disappeared from the site.

So, I am back with you, seeking your help to see how you can guide us further.

Thanks for the ongoing support.

You’d best check back with them, because it’s most definitely coming from your server (assuming your server’s IP address starts with 34.226.)

 % curl -sv "https://rentaprestige.com.au/wp-json/rankmath/v1/updateMeta?_locale=user" --connect-to ::34.226.xxx.xxx
* Connecting to hostname: 34.226.xxx.xxx
*   Trying 34.226.xxx.xxx:443...
* Connected to 34.226.xxx.xxx (34.226.xxx.xxx port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=rentaprestige.com.au
*  start date: Dec 10 11:52:23 2023 GMT
*  expire date: Mar  9 11:52:22 2024 GMT
*  subjectAltName: host "rentaprestige.com.au" matched cert's "rentaprestige.com.au"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/1.x
> GET /wp-json/rankmath/v1/updateMeta?_locale=user HTTP/1.1
> Host: rentaprestige.com.au
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Wed, 13 Dec 2023 04:23:24 GMT
< Server: Apache/2.4.37 (Debian)
< X-Powered-By: PHP/7.4.16
< X-Robots-Tag: noindex
< Link: <https://rentaprestige.com.au/wp-json/>; rel="https://api.w.org/"
< X-Content-Type-Options: nosniff
< Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
< Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
< Vary: Origin
< Transfer-Encoding: chunked
< Content-Type: application/json; charset=UTF-8
< 
* Connection #0 to host 34.226.xxx.xxx left intact
{"code":"rest_authentication_error","message":"Sorry, you do not have permission to make REST API requests.","data":{"status":401}}%     

The Hosting/Server Team wants to know the below from you please, so your response is helpful in coming up with a solution.

“Could you please let us know the exact server-side requirement they are suggesting correcting your issue?”

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

The following thread was prematurely closed without a helpful answer to resolve the matter, so I had to repost it here.

“Could you please let us know the exact server-side requirement you are suggesting to correct the issue?”

That would be something for the server admin to figure out by reviewing their logs. The error is occurring on the server.


The Server Admin provided the following response to you. Please help us resolve it.

"Our server does not respond with a 401 when the request does not go through cloudflare; therefore this proves that cloudflare is manipulating/malforming the request in a way that is causing our server to respond with a 401. The fact that our server is responding with a 401 is not in dispute, but the evidence proves that cloudflare is at fault for triggering that 401 from our server. Cloudflare should be able to determine what it is doing to modify the request from what is normally sent to our server when the request is not proxied through cloudflare.

The following response:

“{"code":"rest_authentication_error","message":"Sorry, you do not have permission to make REST API requests.","data":{"status":401}}%”

is generated directly by wordpress, so whatever cloudflare is doing, the wordpress software does not like it. I imagine that cloudflare is somehow manipulating the wordpress admin session in a way that wordpress disapproves of, but the incompatibility between cloudflare and wordpress is something for either cloudflare or wordpress support to figure out. This issue is not present without cloudflare’s interference in the matter."

@sdayman showed it does here

…and at this very moment, your site isn’t proxied by Cloudflare (and isn’t even using Cloudflare’s nameservers)…
https://cf.sjr.org.uk/tools/check?76223e12be4e49efb650fa85d85cd774

…so this request is going direct to your origin server, it is not passing through Cloudflare at all, and there is a 401…

curl -I https://rentaprestige.com.au/wp-json/rankmath/v1/updateMeta?_locale=user
HTTP/1.1 401 Unauthorized
Date: Fri, 22 Dec 2023 11:08:30 GMT
Server: Apache/2.4.37 (Debian)
X-Powered-By: PHP/7.4.16
X-Robots-Tag: noindex
Link: <https://rentaprestige.com.au/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Content-Type: application/json; charset=UTF-8

As in my original post, my guess is this link requires specific source IP address(es) to access it which is why the above request was blocked.

If that is the case, then, as I said originally, you will need to restore visitor IPs on the server so the Cloudflare proxy can tell the webserver the IP address of the client and your server isn’t blocking it because it sees the Cloudflare IP address of the proxy server.


Please note that we had to redirect the nameservers to the original server (not proxied through Cloudflare), and that resolved the RankMath SEO issue in discussion here. However, if you would like us to revert it back through Cloudflare for testing purposes, we are happy to do so, bearing in mind the issue affects the functionality of the site.

The Server Admin provided the following response to you. Please help us resolve it.

“Why is Cloudflare sending a “CURL” request to an authenticated section of your website? What the person at Cloudflare is doing is nonsensical. Of course any CURL request will get a 401 response from wordpress because the URL:

https://rentaprestige.com.au/wp-json/rankmath/v1/updateMeta?_locale=user

is meant only to be accessed from a logged in session from the wordpress dashboard. The CURL request they are sending is not being sent with a logged in session, that is why it is returning a 401.

Again, the issue is between Cloudflare and Wordpress and has nothing to do with our server. The “Rank Math SEO” were correct to blame a firewall. That firewall was Cloudflare. When the Cloudflare firewall was taken down, your admin backend began to work. It is a complete mystery why Cloudflare would keep sending pointless CURL requests at this URL as this proves nothing.

Again, it is readily apparent that the cloudflare firewall/proxy is interfering with admin login sessions in a way that causes this particular “Rank Math SEO” rest API request to fail. The request has to be sent with the correct session information because it is a protected section of your site. The Rank Math SEO plugin is making the determination that requests through the cloudflare firewall/proxy are not properly authenticated and is responding with a 401. According to the Rank Math SEO developer, this appears to be due to a “Firewall”. It is perfectly clear that this “Firewall” is Cloudflare.

As far as the comment by Cloudflare goes regarding their proxy hiding the client IP, ie. “my guess is this link requires specific source IP address(es) to access it which is why the above request was blocked.” This assertion that the Rank Math SEO plugin is blocking the request due to the Cloudflare IP seems doubtful to me, but there is a possibility and the Rank Math SEO people would have to be questioned on whether that could be the case. It is true that all requests to your site will show as coming from the cloudflare IP when you position your server behind the Cloudflare firewall/proxy. Ideally, our server would be able to show the real client IP to wordpress and I’m sure cloudflare passes the real client IP through in a header that could be parsed, but it isn’t as simple as just parsing the IP and replacing Cloudflare’s IP as doing so would present a security risk due to the possibility of clients who access the server directly (such as a malicious botnet) being able to then cloak/fake their IP using the same header. In order for our server to parse such headers in a safe manner, we need to be sure the requests are coming from cloudflare, and so we would need a list of trusted IPs from cloudflare. That said, implementing this may not solve the 401 issue, as it is yet not completely clear why Rank Math SEO does not like requests coming from cloudflare.”
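Added example (not part of any post in this thread, and not Cloudflare's or the host's code): a Python sketch of the safe header handling the last message describes, where the visitor address in Cloudflare's CF-Connecting-IP header is honoured only when the TCP peer is inside a trusted proxy range. The proxy ranges are documentation-block placeholders standing in for the list Cloudflare publishes, the allowlisted address is constructed, and the IP-restricted route is the hypothesis raised earlier in the thread rather than a confirmed cause.

```python
import ipaddress

# Placeholder proxy ranges (documentation address blocks), constructed for this
# example. A real deployment loads the ranges Cloudflare publishes instead.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "2001:db8:cf::/48")]
CLIENT_IP_HEADER = "cf-connecting-ip"   # header Cloudflare sets to the visitor address
ADMIN_ALLOWLIST = {"203.0.113.7"}       # constructed: address allowed to reach the route

def is_trusted_proxy(peer):
    """True when the TCP peer address falls inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer)
    return any(addr.version == net.version and addr in net
               for net in TRUSTED_PROXIES)

def effective_client_ip(peer, headers):
    """Return (client_ip, source); the header is honoured only from trusted peers."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    claimed = lowered.get(CLIENT_IP_HEADER)
    if not is_trusted_proxy(peer):
        # Direct connection: anyone can send this header, so it is ignored.
        return peer, ("peer" if claimed is None else "peer-header-ignored")
    if claimed is None:
        return peer, "proxy-no-header"
    try:
        return str(ipaddress.ip_address(claimed)), "header"
    except ValueError:
        # Trusted peer but unparsable value: fall back to the proxy address.
        return peer, "proxy-bad-header"

def admin_allowed(peer, headers, restore=True):
    """IP allowlist decision, with or without visitor-IP restoration."""
    ip = effective_client_ip(peer, headers)[0] if restore else peer
    return ip in ADMIN_ALLOWLIST

if __name__ == "__main__":
    via_proxy = {"CF-Connecting-IP": "203.0.113.7"}
    print(admin_allowed("203.0.113.7", {}))                          # direct visit
    print(admin_allowed("198.51.100.10", via_proxy, restore=False))  # proxy IP seen
    print(admin_allowed("198.51.100.10", via_proxy))                 # IP restored
    print(admin_allowed("192.0.2.66", via_proxy))                    # spoofed header
```

The second and third calls show the behaviour at issue: without restoration the allowlist sees the proxy address and refuses the request, and with restoration limited to trusted peers it sees the visitor address while a header sent directly to the origin is still ignored.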