Unable to Perform Custom Purge on WordPress REST API URL

I’m using CloudFlare on a WordPress install (hosted w/ WPEngine).

Using a custom worker, I’m attempting to cache certain requests sent through to a series of custom endpoints set up using the WordPress REST API. These are GET requests and the response is JSON.

Cloudflare is properly caching the requests, however, I’m having issues w/ clearing them. A purge of everything works properly and I see the cf-cache-status header change as expected.

A custom purge using the request url (e.g. https://www.mysite.com/wp-json/some-endpoint/&url=some-encoded-value), however, does not work (custom purges to other non REST API URLs work as expected).

Specifically, it appears that ‘wp-json’ in the path is causing the issue. If I alter the path (e.g. wp_json), I’m able to perform a custom purge w/ the new altered url/cachekey.

I assumed maybe it was related to WAF, but nothing shows up in the logs and disabling the firewall completely (this is in a staging environment) does not fix the issue.

Any ideas?


Hi there,
So you mean that you’re able to purge this URL:
But not:
That seems odd. Can you confirm?

Hi @nicgayerie - yep, exactly. That’s what I’m seeing.

Have you blocked access to or added authorization to your REST API endpoints (like /wp-json/) via functions.php or any other plugin limiting your access due to the security concerns and possible sniffing the lists about the users and authors?

Hi @fritex - hmmm, we are using Wordfence which seems to limit access somewhat. Disabling the setting doesn’t seem to fix it and I don’t see any other options related the REST API.

I’m kind of thinking the same thing you are. Namely that somewhere this request is being restricted in some way. Just not sure where.

Not a big deal. I ended up modifying the request URL so that it doesn’t get filtered.

Free or Premium?
WordFence has an option to block REST API - which covers all the requests made to /wp-json/.

1 Like

Free. Let take another look and se if I missed it :slight_smile:

It’s in the Brute Force Protection → Additional Options section. I see it as available in my Wordfence Free plan.

Hey, @sdayman.

Are you referring to ‘Prevent discovery of usernames…’ or is there another setting?

I assumed the former just referred to the users endpoint vs. all of wp-json (disabling ‘Prevent…’ didn’t seem fix the issue).


That’s the closest thing I could find to @fritex’s response.

@marketing.operations I had to think a little bit more about it.

You cannot pass the request or you got the 404 error when trying to access that URL?

Have you recently updated your “Permalink” structure under the WordPress settings?
Try setting the permalink structure in the wordpress and also if needed changing the .htaccess to make permalink work correctly if not.
Moreover, if not, try to click on “Save” and see if you can access it again.

And if the wp-json endpoint is not being already blocked via security or firewall plugin.

Moreover, which WordPress version do you have?
The new REST API (wp-json) endpoint for Wordpress 4.7 is like example.com/index.php/wp-json/. It’s part of Wordpress Core as of 4.7 till newest one as far as I know (5.5.3 or 5.6 already).

Could WP Cloudflare Super Page Cache help wih it?
Disclamer: This is not an official plugin made by Cloudflare team.

Nevertheless, if we have “Cache Everything” enabled, should the cache work.
And then a Page Rule to … hm, which plugin do you use, if so, to purging cache at your end or you just want to achieve when you open the wanted URL which contains /wp-json/ with some parameter and value to trigger the Cloudflare API to purge the cache for something?

Yes WP Cloudflare Super Page cache will bypass the /wp-json endpoints whether you setup the plugin with the default page rule mode or enable the Worker mode inside the plugin settings (Cache Tab).