I have for a long time had issues with my WordPress site, which, after I have been logged in for some time, gives me a 403 on /wp-json/wp/v2 … when I save a draft, publish or update a post using the Gutenberg editor.
I can solve it by just logging out and in again. But that only works for some time, until I get a 403 on /wp-json/wp/v2 again and once again need to log out and log in again.
As it seems, it’s due to the CF firewall causing this. I tested disabling the WAF completely and the problem disappeared. I have tried to search for a solution, but none of them has helped.
But adding a custom firewall rule like in the image seems to have solved it for me. But I’m not completely sure how safe this solution is. What I did was create a firewall rule, where I bypassed the firewall if the URI path contains /wp-json/wp/v2.
Any thoughts on this? Good or bad practice? Do you perhaps have any other suggestions that could be better to try out?
May I ask, do you get this error while being logged in to or logged out of the WordPress admin dashboard?
I usually restrict this manually in a functions.php file to specific routes and the ones which I need and which my plugins use (only /users/ when I am logged in).
Maybe you are using a security plugin like Wordfence?
Have you tried adding your server IP to the IP Access Rules / Firewall Rules with the action “Allow” at Cloudflare dashboard (requests to wp-cron.php as an example could also be blocked by a Bot Fight Mode, etc.)?
I am using Classic Editor. So I cannot say it’s related to it.
I also vote for this. You can check if your own IP gets blocked or the server’s IP, and determine whether you have to adjust your CF Firewall a bit, as @sdayman already stated.
I did not check in the firewall log. I found that this was happening in the developer tools. I’m on a Pro plan, but can’t find the logs in the dashboard? Or do I need a higher-level subscription plan?
To search for the problem, I did “try this, try that, inactivate that” to see when the problem stopped.
I do wonder though what settings to adjust for WordPress. Could it be under this, and just do trial and error (activate/deactivate features until I find what’s causing it)?
I tried to add the IP, but that did not do the trick unfortunately. In the developer tools console I did get “Failed to load resource: the server responded with a status of 403 ()” again.
I’m curious to know what the WordPress Block Editor is doing to trigger the Cloudflare Firewall. Firing off a huge amount of requests to the wp-json API maybe?
A logged in and verified user editing a post shouldn’t be blocked.
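An added example, not code from any participant in this thread: one way to do the functions.php route restriction mentioned above, which matters more once a firewall rule stops inspecting /wp-json/wp/v2 and the origin has to enforce access itself. The `mysite_` names and the allow-list of public routes are assumptions to adjust to what your theme and plugins actually call.

```php
// Added example for a theme's functions.php (the file already opens with <?php).
// Assumption: anonymous visitors only need read access to the routes below.
// MYSITE_PUBLIC_REST_PREFIXES and mysite_limit_anonymous_rest are hypothetical names.
const MYSITE_PUBLIC_REST_PREFIXES = array(
    '/wp/v2/posts',
    '/wp/v2/pages',
    '/wp/v2/media',
    '/wp/v2/categories',
    '/wp/v2/tags',
);

add_filter( 'rest_pre_dispatch', 'mysite_limit_anonymous_rest', 10, 3 );

function mysite_limit_anonymous_rest( $result, $server, $request ) {
    // Respect an earlier filter's decision, and leave authenticated users alone
    // (the block editor authenticates with the login cookie plus a REST nonce).
    if ( null !== $result || is_user_logged_in() ) {
        return $result;
    }

    $route = $request->get_route();

    // Only core wp/v2 routes are restricted here; plugin namespaces are untouched.
    if ( 0 !== strpos( $route, '/wp/v2/' ) ) {
        return $result;
    }

    // Anonymous access: read-only methods on the allow-listed collections only.
    if ( in_array( $request->get_method(), array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        foreach ( MYSITE_PUBLIC_REST_PREFIXES as $prefix ) {
            if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
                return $result;
            }
        }
    }

    // Everything else under /wp/v2/ (for example /wp/v2/users) needs a login.
    return new WP_Error(
        'rest_login_required',
        'Authentication is required for this route.',
        array( 'status' => rest_authorization_required_code() )
    );
}
```

With this in place an anonymous request to a route outside the allow-list gets a 401 from WordPress itself, whether or not the firewall inspected it.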