I’ve tried a number of different WAF rule configurations, from least specific to most specific, and there is no change.
(http.request.uri contains "/wp-json/*" and http.cookie contains "wordpress_sec" and http.request.method eq "POST")
I’ve set that to BYPASS WAF Managed Rules, to no effect. If I change the cookie to “wordpress”, or remove it altogether, it still blocks requests. Likewise with the http.request.method. Even if I remove that completely and just check based on uri, traffic is still blocked.
I opened a ticket, but it doesn’t seem that anybody is looking at it.
I also set a page rule to bypass caching and disable performance for /wp-json/* urls. No dice.
My company has quite a few WP sites under our care which do not suffer similar issues, but the differentiating factor here is possibly Azure. Either way, I’m out of ideas.
Can anybody point me in the right direction?