Requests via the wordpress AP

Requests via the wordpress API from the url “/wp-json/wp/v2/” return the response

"<h1>Please wait while your request is being verified..."<!doctype html>
<meta charset="utf-8">
<meta name="robots" content="noindex, nofollow">
<title>One moment, please...</title>
body {
    background: #F6F7F8;
    color: #303131;
    font-family: sans-serif;
    margin-top: 45vh;
    text-align: center;
<h1>Please wait while your request is being verified...</h1>
<form id="wsidchk-form" style="display:none;" action="/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f" method="get">
<input type="hidden" id="wsidchk" name="wsidchk"/>
    var west=+((+!+[])+(+!+[]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![])+(+!+[]+!![]+!![]+!![]+!![]+[])+(+!+[]+!![]+!![]+!![])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!+[]+!![])+(+!+[]+!![]+!![]+!![]+!![]+!![]+[])),
        x=function(){try{return !!window.addEventListener;}catch(e){return !!0;} },
        y=function(y,z){x() ? document.addEventListener("DOMContentLoaded",y,z) : document.attachEvent("onreadystatechange",y);};
        document.getElementById('wsidchk').value = west + east;
    }, false);

I’d suggest you to navigate to the Security tab → Events of Cloudflare dashboard and double-check for any events which would indicate the Surfer Plugin request are being challenged or blocked by some Cloudflare security setting or WAF.

It knows to happend that Security Level is set to high, or some Bot Fight Mode is blocking.

Otherwise, since you’ve mentioned REST API, I’d suspect the origin host/server IP address should be seen as blocked, therefrom possibly by the empty user-agent or some other thing which the stated plugin uses to execute the HTTP requests.

If you see these kind of events, could you share some details which service was triggered that blocked you?

  • you should see your origin host/server IP out there and user-agent like WP-cron or WordPress/version

Just in case if you encouter some issues and/or errors, since it’s related to the WordPress, I’d suggest you to allowlist your origin host / server / hosting IP address by navigating to the Security → WAF → Tools → IP Access Rules with the action “allow” for your Website and try again.

It knows to happen due to the WordPress using HTTP/1.0 and empty user-agent, therefore while executing WP-Cron or some other related JSON/REST API request via plugin which triggers the WAF rules (as it should normally).

Nevertheless, could be an Ajax request, then followed by Bot Fight Mode, Security Level, WAF Managed Rules or Browser Integrity Check service which was triggered.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.