WordPress REST 403

After activating Cloudflare on my WordPress site (hosted by wpengine), I can no longer update custom post types using the latest editor (Gutenberg).

WordPress relies on the REST API to update these, and Cloudflare routes these requests to a security check.

I’ve tried the following:

  • enabling development mode
  • purging the entire cache, purging the specific endpoints I’m trying to bypass
  • adding page rules to these endpoints (https://mydomain.com/wp-json/wp/v2/) that disable the security check, lower the security level to essentially none, disable apps
  • installing the cloudflare for wordpress plugin and using the recommended settings there

Any ideas on what I can do to use Cloudflare and still have access to updating my content?

Thanks.

Have you looked at the Firewall Events Log to see what’s blocking those requests? I also suggest you open up your browser’s Dev Tools (F12 on Chrome) to watch the Console and Network tabs for errors.

Thanks for the reply @sdayman.

There are no events in the Firewall Events Log.

The dev tools report what I shared above — a 403 error because instead of a valid JSON response WordPress expects, it’s receiving a security check from Cloudflare in response to a POST request:

How can I bypass this or configure my settings differently to avoid this?

I’ve even disabled Cloudflare (from the “Advanced Actions” section) on the site, and the request is still 403ing with this security check. It seems like the response to these endpoints are somehow still cached.

If you “Pause Cloudflare”, it takes 5 minutes to take effect.

Is your site in Under Attack Mode?

It is not in Under Attack Mode, and it’s close to an hour since I paused Cloudflare. Still receiving the 403.

Have tried from multiple browsers in case somehow the response is being cached, but the same result.

Would you mind sharing the domain name?

Sure thing.

Your site resolves to IP addresses assigned to WP Engine. It sure looks like WP Engine puts all customer sites on Cloudflare, so you most likely don’t have control over your settings. You’ll have to ask WP Engine how their Cloudflare integration works.

2 Likes

Thank you for the guidance @sdayman. Indeed I needed to reach out to WPEngine since it was one of their products (GES) catching this request and routing it through cloudflare.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.