Please note that we had to redirect the nameservers to the original server (not proxied through Cloudflare), and that resolved the RankMath SEO issue in discussion here. However, if you would like us to revert it back through Cloudflare for testing purposes, we are happy to do so, bearing in mind the issue affects the functionality of the site.
The Server Admin provided the following response to you. Please help us resolve it.
“Why is Cloudflare sending a “CURL” request to an authenticated section of your website? What the person at Cloudflare is doing is nonesensical. Of course any CURL request will get a 401 response from wordpress because the URL:
is meant only to be accessed from a logged in session from the wordpress dashboard. The CURL request they are sending is not being sent with a logged in session, that is why it is returning a 401.
Again, the issue is between Cloudflare and Wordpress and has nothing to do with our server. The “Rank Math SEO” were correct to blame a firewall. That firewall was Cloudflare. When the Cloudflare firewall was taken down, your admin backend began to work. It is a complete mystery why Cloudflare would keep sending pointless CURL requests at this URL as this proves nothing.
Again, it is readily apparent that the cloudflare firewall/proxy is interfering with admin login sessions in a way that causes this particular “Rank Math SEO” rest API request to fail. The request has to be sent with the correct session information because it is a protected section of your site. The Rank Math SEO plugin is making the determination that requests through the cloudflare firewall/proxy are not properly authenticated and is responding with a 401. According to the Rank Math SEO developer, this appears to be due to a “Firewall”. It is perfectly clear that this “Firewall” is Cloudflare.
As far as the comment by Cloudflare goes regarding their proxy hiding the client IP, ie. “my guess is this link requires specific source IP address(es) to access it which is why the above request was blocked.” This assertion that the Rank Math SEO plugin is blocking the request due to the Cloudflare IP seems doubtful to me, but there is a possibility and the Rank Math SEO people would have to be questioned on whether that could be the case. It is true that all requests to your site will show as coming from the cloudflare IP when you position your server behind the Cloudflare firewall/proxy. Ideally, our server would be able to show the real client IP to wordpress and I’m sure cloudflare passes the real client IP through in a header that could be parsed, but it isn’t as simple as just parsing the IP and replacing Cloudflare’s IP as doing so would present a security risk due to the possibility of clients who access the server directly (such as a malicious botnet) being able to then cloak/fake their IP using the same header. In order for our server to parse such headers in a safe manner, we need to be sure the requests are coming from cloudflare, and so we would need a list of trusted IPs from cloudflare. That said, implementing this may not solve the 401 issue, as it is yet not completely clear why Rank Math SEO does not like requests coming from cloudflare.”