WordPress REST API returns 403 Forbidden using firewall

I have a staging site, and made a firewall rule with expression:
(http.host eq “staging.example.com” and not ip.src in {})

The rule is used to block all traffics except from my IP, which is (example).
However, WordPress REST API returns Error 403 Forbidden when the rule is activated, and returns to normal when the rule is disabled.

Is it expected? Or does the rule need updating, like adding the origin’s or Cloudflare’s IPs? I have tried both, but to no avail.
Many thanks.

Have you tried using Zone Lockdown in the “Tools” section of the Firewall Tab?

Thanks for the help.
I took a look, but it’s only available for Pro users. I’m on the Free plan, unfortunately.

I’ve solved the issue by adding the origin’s IPv6 address to the rule.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.