REST API and Loopback Requests Blocked (403 Forbidden)
What is the issue you’re encountering
I am experiencing issues with my WordPress website when using Cloudflare. REST API requests and loopback requests are blocked with a 403 Forbidden response, causing issues with scheduled tasks and other critical functionalities.
What steps have you taken to resolve the issue?
Subject: Urgent: REST API and Loopback Requests Blocked (403 Forbidden) by Cloudflare
Dear Cloudflare Support,
I am experiencing issues with my WordPress website when using Cloudflare. REST API requests and loopback requests are blocked with a 403 Forbidden response, causing issues with scheduled tasks and other critical functionalities.
HTTP response code: 403
wp-cron.php request fails under Cloudflare but works when Cloudflare is disabled.
```bash
curl -I https://domain.com/wp-cron.php
HTTP/2 200
```
This confirms that Cloudflare is blocking the requests.
Troubleshooting Steps Taken:
I have tried the following solutions, but the issue persists:
Disabled WAF rules that could block REST API requests.
Allowed REST API endpoints (/wp-json/) in Firewall Rules.
Disabled Bot Fight Mode and ensured that Rate Limiting is not affecting the requests.
Allowlisted my server’s IP in IP Access Rules.
Temporarily disabled Browser Integrity Check, but the problem remains.
Set Challenge Passage to a longer duration, yet the issue persists.
Checked SSL settings, and I am using Full (Strict) with a valid SSL certificate.
Enabled Development Mode to bypass caching and security rules, but no success.
Completely disabled Cloudflare, and the issue disappeared.
Request for Assistance:
Since the issue is directly related to Cloudflare, can you check if any Cloudflare security settings are blocking wp-cron.php, REST API, and loopback requests? If there are any recommended adjustments, please let me know.
Your assistance is greatly appreciated. Thank you in advance!
I have created Firewall Rules and Page Rules to allow wp-cron.php, but the issue is still persisting. Cloudflare is still blocking REST API requests and Loopback Requests, resulting in a 403 Forbidden error.
This is known to happen because WordPress uses HTTP/1.0 and an empty user-agent when executing WP-Cron or some other related JSON/REST API request via a plugin, which triggers the WAF rules (as it normally should).
Can you use the search filter on the “Firewall Events” page to locate the information for this specific Ray ID, and then expand the view of the item?
After reviewing the content of the file, here are some important observations:
All requests to wp-cron.php are skipped due to a custom firewall rule:
It appears that the applied rule is functioning correctly and allowing these requests (action: “skip”).
The skipped requests have a specific ruleId: “c861c4c0ca6b4fce822eab261de3fe7c”.
All requests come from the same service provider (HETZNER-AS) and IP address (116.203.134.67):
This indicates that all wp-cron.php operations are originating from the same source, which could suggest that the blocking is coming from a source other than Cloudflare.
There are no blocks or challenges on wp-cron.php:
There is no behavior indicating that Cloudflare is still blocking wp-cron.php.
This suggests that Cloudflare might be involved in the issue when active, but disabling it allows the request to proceed successfully with a HTTP/2 200 response…
Is there support available that can access my account and check the issue?
It may be worth contacting support to see if they can investigate the problem further by accessing your account.
May I ask if you see the server IP or Cloudflare IPs in your web server log files?
If the requests are coming from the server itself, the Custom WAF Rule/Firewall Rule might not apply and work if the wp-cron.php request triggered the Managed Rules, for which you cannot add an Exception except you’re not on at least a Pro plan type.
Any security plugins running for your WordPress instance?
Otherwise, Imunify360 or some other firewall running?
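One way to answer the log question raised above, as an added example that is not part of any post in this thread: the script reads origin access-log lines for wp-cron.php and /wp-json/, labels each source as the server itself, a Cloudflare edge, or other, and lists any 403 that the origin itself logged. It assumes the combined log format; `classify_source`, `summarize`, the `server_ip` value and the sample lines are hypothetical, and the Cloudflare ranges are a subset of the published list.

```python
import ipaddress
import re
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/);
# refresh the full list from that page before relying on the result.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]

# Combined log format: ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
WATCHED = ("/wp-cron.php", "/wp-json/")

def classify_source(ip, server_ip):
    """Label a logged client address: the server itself, a Cloudflare edge, or other."""
    addr = ipaddress.ip_address(ip)
    if ip == server_ip or addr.is_loopback:
        return "loopback"
    if any(addr in net for net in CLOUDFLARE_NETS):
        return "cloudflare"
    return "other"

def summarize(lines, server_ip):
    """Count watched requests by (source, status) and list the 403s the origin logged."""
    counts, origin_403 = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(WATCHED):
            continue
        src = classify_source(m["ip"], server_ip)
        counts[(src, m["status"])] += 1
        if m["status"] == "403":
            # A 403 present in the origin log was answered by the origin, not the edge.
            origin_403.append((src, m["path"], m["proto"], m["ua"] in ("", "-")))
    return counts, origin_403

# Constructed sample lines: documentation addresses plus two inside the ranges above.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2025:10:00:01 +0000] "POST /wp-cron.php?doing_wp_cron=1741600801.1 HTTP/1.0" 403 199 "-" "-"',
    '172.70.1.20 - - [10/Mar/2025:10:00:02 +0000] "GET /wp-json/wp/v2/types/post HTTP/1.1" 200 512 "-" "WordPress/6.7; https://example.com"',
    '172.70.1.21 - - [10/Mar/2025:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2025:10:00:04 +0000] "GET /wp-json/ HTTP/1.1" 200 300 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    counts, origin_403 = summarize(SAMPLE_LOG, server_ip="203.0.113.10")
    for key, n in sorted(counts.items()):
        print(key, n)
    for hit in origin_403:
        print("403 logged at origin:", hit)
```

A request that Cloudflare blocks at the edge never reaches the origin, so it leaves no line in this log; a 403 that does appear here points at the web server, a security plugin or a host firewall.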