WordPress REST API and Cloudflare WAF Issues

Update failed – not an error you want to see when creating content in WordPress.
API connection error when saving – again, not something you want to see.
Both are caused by an issue with the WordPress REST API sending false hack attempt flags to a WAF (Web Application Firewall) like the one in the Cloudflare Pro plan.
See what’s going on and tips for temporarily fixing the issue.
A Better Way to Connect
Two years ago WordPress began rolling into the core a new way for developers to connect your site to 3rd party sites and applications.
It’s called the REST API.
It’s an encrypted connection, which is way better for security than the old way of using XML-RPC, which is still a hacker’s favorite way to do a brute force attack on your site.
It’s one of the things I turn off in fixes after a site audit.
READ: Disable XML-RPC in WordPress to Prevent a DDoS Attack for more.
The REST API is also way less resource intensive than using admin-ajax, which is the current most popular way to connect your site to the outside world, including to you when you’re logged in.
Setting Off WAF Alarms
As more plugin developers, and even WordPress itself, begin to connect functions to the REST API endpoints, new issues are cropping up all over the place in GitHub support threads.
Some events are setting off alarms with WAFs (Web Application Firewalls) that are found in the Pro Plan version of Cloudflare and other security plugins and services.
The WAF thinks something malicious is being sent to the site.
Specifically, the OWASP settings are what are being triggered for things like XSS (Cross Site Scripting) and SQL injections (to your database).
These are the 2 most common vulnerabilities in plugins and WP itself and we need this extra protection to tide us over from hack attempts until a patch for the plugin or WP become available.
Gutenberg Has Issues
I ran into the Update Failed issue while creating my Gutenberg course.
I couldn’t save as draft or publish when I uploaded an image to a page.
It issued an Update failed error message at the top of the editor.
All worked fine when uploading an image to a post, just not for a page, including trying to embed an image that had already been uploaded and successfully embedded on a post.
So, something in the way WordPress processed the request for a page was different.
And the WAF I have on the paid version of Cloudflare wouldn’t let WP save the image I had uploaded from my computer be saved to the site.
The Temporary Local Fixes
I had to whitelist my home office IP address in the Cloudflare IP firewall.
It worked, but that fix has limitations.
It won’t work from any other IP.
My desktop is hard wired to my internet router and it has a stable IP address, which is the one I whitelisted.
But, some routers rotate the IP for the wifi signal they emit.
So, even though I’m still working from home, if I want to log into my site from my iPad or laptop, it may have a different IP address.
That’s not a huge issue, as I can still do most site functions. I just can’t save an image to a page.
Ludicrous, right?
Whitelist Your Home IP
READ: How to Find and Whitelist Your IP Address in Cloudflare to try this fix.
Take note of the disclaimer to do this at your own discretion. Running end around your site security does have risks, but this is the lowest one I know.
Browser Differences
I have also heard that some folks get things to work by using the Chrome browser instead of Firefox.
But, I’ve also heard that doesn’t make a difference.
So, I can’t say at this time if the issue may be the header the browser is sending to the site or not, as I have not confirmed the various versions of browsers folks may be using.
Plugin Connection Issues
The whole point of the REST API is to give plugin developers a way to securely connect your site to additional functions they provide from their servers.
I’ve had to whitelist the following popular plugins/services to get them around the REST API connection issue:
- VaultPress
- WP Rocket
- Create – by Mediavine
Check with your plugin/service provider for their recommendations for whitelisting.
And be insanely careful about any suggestion to put in page rules that knock out your entire WAF!
The only relatively safe ways to whitelist is your own IP address, the IP of the service, and extra firewall rules that are specific to the plugin/service.
Make these changes at your own discretion, as there are risks to whitelisting anything.
Permanent Fixes
It is far from desirable to have to whitelist any outside service provider.
If they get hacked, we get hacked because we’ve granted them an unchecked, open door policy to our site.
The WP devs have been made aware of these issues.
Following is one of the WP GitHub threads I found where this is being discussed, and a thread where they are collecting known issues.
(GitHub is where the devs hang out and make their code available for testing and feedback prior to public release.)
From what I can tell in these threads and others, WP is pointing fingers at Cloudflare and saying they need to fix their WAF.
I’m not buying it!!!
I just don’t believe this many plugins and services, all of whom are using WP’s own guidelines for connecting to the REST API, could be triggering so many false flags.
I think WP and Cloudflare need to get in a room and hammer out problems on both sides.
There’s something wrong with the way WP is processing the requests.
I hold up adding an image to a page as an example.
Why in the world would it work for a post and not a page?
The only difference is the way WP processes the request between the two.
It’s an internal API call or process that needs to be checked.
What To Do
While I’m not crazy about whitelisting things to run end around our security, it’s the only temporary fix we have.
Who knows how long it will take WP to address this issue.
At least they are gathering a collection of those issues reported on GitHub.
But, as long as they continue to see it as a problem for the plugin and security service devs, I don’t think we’ll see any movement on it.
When they are willing to consider that something may be amiss in the WP core, we may actually get some fixes going.
Have You Run Into This Issue?
Leave a comment and let us know where you’ve hit a connection snag, or things that you’ve had to whitelist to run end around it.

Thanks for always keeping us informed MaAnna. I have not had this issue yet.
I have a similar issue in Drupal. I opened a ticket with Cloudless Enterprise Support , let’s see what they come up with.