Didn’t knew they rebranded in the meantime. Seems like I didn’t used it for a long time already
Furthermore, I’d temporary use the “Pause Cloudflare for this Site” option at the bottom right corner of the Cloudflare Dashboard → Overview tab.
Wait for few minutes.
Make sure your Website works over HTTPS as expected.
Therefrom, once you go back to the WP Admin dashboard, navigate to "Security > Settings > Configure. Scroll down to the IP Detection section and select “Manual” for PROXY DETECTION and then select CF-Connecting-IP for PROXY HEADER.
Then click on the Save button.
After that, I’d Unpause the Cloudflare and wait for few minutes.
Later on, I would navigate to the Cloudflare dashboard → Security tab → Events and load the las hour or less if available (30 minutes).
I’d try to change settings on the SolidWP security plugins.
Therefrom, if it happens multiple times the changes aren’t being saved, it could be that the SolidWP plugin requests are somehow challenged or blocked by some of the Cloudflare’s security & protection mode.
Once you find them, click on a particular one to find more details about it (user-agent, IP, HTTP version …). If yes, could you share some details which service was triggered that blocked you?
you should see your origin host/server IP out there and user-agent like WP-cron or WordPress/version
It knows to happen due to the WordPress using HTTP/1.0 and empty user-agent, therefore while executing WP-Cron or some other related JSON/REST API request via plugin which triggers the WAF rules (as it should normally).
Otherwise, you could try to disable the Rocket Loader and/or Auto Minify (HTML, CSS, JS) which could somehow have an impact, if so, but I doubt (should be rather some cache).
Rather, could be Ajax then and some Bot Fight Mode or Browser Integrity Check or JS minimization.
Thanks for all the ideas, here’s what i tested today:
CF-Proxy detection change - no change
Rocket loader OFF - no change
Auto Minify - all OFF + rocket OFF - no change
I went to the security dashboard of CF for last 30 minutes and there’s nothing, this is while poking with changes so should’ve triggered something if there was otherwise, right?
If i do change a setting, click save, then refresh (with CF on) then the setting doesn’t show it’s saved. BUT, if i then disable CF, go back to the admin and check the settings (without changing anything), i can see the setting was changed with my selection i did earlier in the first place!
It’s as-if changes are occurring but they’re not visualised on the dashboard, i think there’s some caching from the CF side that’s now showing on the WP dashboard, but effectively, i think settings are saved anyway, it’s just very odd.
Anyhow, if everything works, i can just do my settings with CF disabled, (if i want to change anything at any time), then put it back on and that should be it.
Sounds like either a JSON issue, maybe the HTTP headers not alligned ( GET, POST, PUT, PATCH, DELETE, and OPTIONS) via the theme?; or some other settings?.
Or the cache
Kindly, may I ask you to check out what option have you got selected by navigating to the Cloudflare dashboard → Caching → Configuration → find section “Browser Cache TTL” and make sure the selected option from the dropdown menu is “Respect Existing Headers”.
Furthermore, from the same menu, click on the blue button saying “Purge Everything” to flush the cache at Cloudflare Edge, just in case.
Wait for a minute or two.
Refresh a page in your Web browser
Otherwise, if your website does work over HTTPS without Cloudflare (Pausing Cloudflare for example), therefrom checking if HTTPS is okay and SSL is valid, if yes, then unpause and making sure it’s Full (Strict) SSL at the SSL/TLS tab of Cloudflare dashboard.
Nevertheless, assuming the permalinks are also HTTPS.
Wonder if you did you encountered some error in the Developer Tools (F12) → Console of your Web browser while trying to change the settings or save them?
I forgot to ask, are you using a free or a paid version of the Solid Security?
We could also try to find or ask a question on the WP repo of this plugin, if so:
It’s weekend, I’ll give it a shoot and see if I could reproduce this on some of my WordPress instances running behind Cloudflare too.
I was going to answer you all the steps you asked me again, but then i had a light bulb moment i’ve found the issue
So i have a 2nd site and it’s also on CF and i just checked and compared all settings with mine, a part from a few different ones, this is what made the difference:
Rules → Page Rules:
Cache Level: Cache Everything, Edge Cache TTL: a month
My 2nd site didn’t have any page rules, when i created all the rules in the same way my other site had it, it also stopped saving settings on Solid Security. Removed the last page rule (Edge Cache TTL a month) and voilà it works.
However, generally speaking I like that rule as it forces the cache to stay the same, is that right? My site doesn’t change that often so it’s ok, i don’t mind so it’s always super fast.
Argh, this is such a challenge, still not working, i just reversed the order of the rules like you said, and also put first the wp-admin one - still not saving, as long as the Cache Everything is there, that’s like a nuclear option i guess
I’d prefer some origin HTML cache (WP Super Cache or W3 Total Cache with disk cache for HTML) and leave Cloudflare “as-is” since it’ll cache the images and other stuff.
As if you have Cache Everything, it’ll cache the logged-in and non-loggedin version, might end-up for a normal visitor to see the “admin bar” at the top while it shouldn’ see it at all and vice-versa issues.
Which is why I asked.
Otherwise, Cloudflare APO for WordPress does all the job it’s needed
Your IP could be the issue, or your Security Settings are set to high?
A rule of a thumb for my WordPress sites is to keep it at Medium.