REST API route a plugin uses to update the data in the database is getting blocked

What is the name of the domain?

What is the issue you’re encountering

Something is preventing us from making updates to a plugin called RankMath on opiates.com. Their support has done internal testing to determine that the issue is happening on Cloudflare’s end.

We have completed the following steps:
Turn on log retention, and provide Cloudflare with a HAR file and ray ID (Gathering information for troubleshooting sites · Cloudflare Support docs; Enabling log retention · Cloudflare Logs docs).
Configure a skip rule security > firewall > waf > custom rules > create custom rule.
Expression: Path in question and any other required parameters. Configure you would skip all remaining WAF features and run first.

However, when we update the metadata in the RankMath plugin, upon publishing it reverts back to the previous version. We have been dealing with the issue for over a month now.

What steps have you taken to resolve the issue?

We have completed the following steps: Turn on log retention, and provide Cloudflare with a HAR file and ray ID:
Configure a skip rule security > firewall > waf > custom rules > create custom rule.
Expression: Path in question and any other required parameters. Configure you would skip all remaining WAF features and run first. However, when we update the metadata in the RankMath plugin, upon publishing it reverts back to the previous version.

What feature, service or problem is this related to?

I don’t know

May I ask if you’re using Free or a paid plan type? :thinking:

I’d suggest that you, if you have not already, allowlist your server’s IPv4 and IPv6 address (or one, if not using both) by adding it to WAF → Tools → IP Access Rules with the action “allow” for your website.

Helpful instructions:

I’d suggest you double-check Security → Events in the Cloudflare dashboard under your Cloudflare account for your zone, or via the direct link https://dash.cloudflare.com/?to=/:account/:zone/security/events.

You should be able to see the challenged or blocked event under the Security tab → Events in the Cloudflare dashboard for your zone and know exactly which security option was triggered.

Once you find them, click on a particular one to find more details about it (user-agent, IP, HTTP version …). If so, could you share some details about which service was triggered and blocked you?

This is known to happen because WordPress uses HTTP/1.0 and an empty user-agent while executing WP-Cron or some other related JSON/REST API request via a plugin, which triggers the WAF rules (as it normally should).

If the requests are coming from the server itself, the Custom WAF Rule/Firewall Rule might not apply and work if the wp-cron.php request triggered the Managed Rules, for which you cannot add an Exception unless you’re on at least a Pro plan type.

1 Like
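
The triage described in the reply above (finding which Cloudflare service acted on WordPress REST or WP-Cron requests, and whether they came from the server itself), as an added example that is not part of the thread. It assumes Security Events exported as JSON lines with Cloudflare Logpush firewall-events field names; the events, the origin IPs and the plugin route are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample: one JSON object per line, field names as in Cloudflare's
# Logpush "Firewall events" dataset (assumed export format). Values are made up.
SAMPLE_EVENTS = """
{"RayID": "ray-0001", "Action": "block", "Source": "bic", "ClientIP": "203.0.113.10", "ClientRequestPath": "/wp-cron.php", "ClientRequestProtocol": "HTTP/1.0", "ClientRequestUserAgent": ""}
{"RayID": "ray-0002", "Action": "managed_challenge", "Source": "firewallManaged", "ClientIP": "203.0.113.10", "ClientRequestPath": "/wp-json/example-plugin/v1/update", "ClientRequestProtocol": "HTTP/1.1", "ClientRequestUserAgent": "WordPress/6.4"}
{"RayID": "ray-0003", "Action": "block", "Source": "firewallCustom", "ClientIP": "198.51.100.7", "ClientRequestPath": "/xmlrpc.php", "ClientRequestProtocol": "HTTP/1.1", "ClientRequestUserAgent": "curl/8.0"}
{"RayID": "ray-0004", "Action": "skip", "Source": "firewallCustom", "ClientIP": "198.51.100.20", "ClientRequestPath": "/wp-json/example-plugin/v1/update", "ClientRequestProtocol": "HTTP/2", "ClientRequestUserAgent": "Mozilla/5.0"}
{"RayID": "ray-0005", "Action": "block", "Source": "firewallManaged", "ClientIP": "198.51.100.20", "ClientRequestPath": "/wp-json/example-plugin/v1/update", "ClientRequestProtocol": "HTTP/2", "ClientRequestUserAgent": "Mozilla/5.0"}
"""

ORIGIN_IPS = {"203.0.113.10", "2001:db8::10"}  # placeholder origin server addresses
WP_PATHS = ("/wp-json/", "/wp-cron.php")        # WordPress REST API prefix and WP-Cron
MITIGATED = {"block", "challenge", "jschallenge", "managed_challenge"}


def triage(lines, origin_ips=ORIGIN_IPS):
    """Return mitigated WordPress REST/cron events with the traits named in the reply."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Action") not in MITIGATED:
            continue  # skipped, allowed or logged-only events did not stop the request
        if not ev.get("ClientRequestPath", "").startswith(WP_PATHS):
            continue
        traits = []
        if ev.get("ClientIP") in origin_ips:
            traits.append("from-origin")       # loopback request from the server itself
        if not ev.get("ClientRequestUserAgent"):
            traits.append("empty-user-agent")
        if ev.get("ClientRequestProtocol") == "HTTP/1.0":
            traits.append("http-1.0")
        hits.append({"ray": ev["RayID"], "source": ev.get("Source"),
                     "action": ev["Action"], "traits": traits})
    return hits


def by_source(hits):
    """Count mitigated events per Cloudflare service so the triggering one stands out."""
    return Counter(h["source"] for h in hits)
```

An event with no traits (here `ray-0005`) was mitigated for a visitor's browser rather than for the server, so an IP Access Rule for the origin address would not change it.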

Thank you so much. It’s a paid subscription. I appreciate the time you took to review my question and respond. Will have our admin take a further look at your advice. Thank you again!
