[SOLVED] Cloudflare & WordPress: Getting a 403 when saving?

September 12, 2019

After setting up Cloudflare on your WordPress site, you may run into an Updating Failed error when saving a post or page. The most common reason for this failure - outside of incorrect permalink configuration (which can be fixed by going to wp-admin -> Settings -> Permalinks and simply clicking Save.) - is that Cloudflare is sensitive to requests made over the REST API.

If you look in your browser console for the associated error, you'll see something like:

Failed to load resource: the server responded with a status of 403 () or Failed to load resource: the server responded with a status of 503 ()

If your Cloudflare security settings are set to High/Medium you may see a 403, whereas if they're set to Under Attack mode, you'll see a 503. It's not an automatic failure if you have these settings (at least with High/Medium), it's just more likely to occur - as Cloudflare uses some other data points to determine a "malicious" request.

Rather than lowering your security threshold site-wide, you can implement a Page Rule just for the endpoint that the Gutenberg Editor is trying to access when it wants to make a post. There are 2 endpoints of interest here so you may want to add a Page Rule for each. A free Cloudflare account allows for 3 page rules before you have to purchase more.

Go to the Page Rule page in Cloudflare and click Create Page Rule:

[SOLVED] Cloudflare & WordPress: Getting a 403 when saving to POST /wp-json/wp/v2/posts/, Failed to load resource: the server responded with a status of 403

To address the issue with post content not saving, add the following to where it says If the URL matches (replace 403page.com with your actual domain): https://403.ie/wp-json/wp/v2/*

Then click + Add a setting. From the dropdown under "Then the settings are:", select Security Level and set it to Medium or Low. Then click Save and Deploy. It may take a little time to take effect (30 minutes in some cases).

Even after doing this you may find that while post content now saves without any issue, image uploads through the Gutenberg editor are getting a similar error. You'll just need to add another rule, the same as before, just with a different path (again, replace 403page.com with your actual domain): https://403.ie/wp-content/uploads/*

It's worth noting that you should still be able to upload through the Media Library without that last fix, so keep it in mind while you're waiting for that second page rule to kick in (or have run out of page rule slots in Cloudflare).