CloudFlare blocking REST API PUT Request (Draft Doesn't Get Saved) (solved by an update from Cloudflare) #2704

Closed
ahmadawais opened this Issue Sep 8, 2017 · 79 comments

Comments

Contributor

ahmadawais commented Sep 8, 2017

[UPDATE: Cloudflare rolled out a fix for problems with the WP0025B rule 8-Aug-2018, please update.]

I have started to try Gutenberg on a production site and it is not working. The site is new and has no other plugin installed. Looks like the PUT request is not working.

https://i.imgur.com/tElNhnU.png

I am using the latest version of Gutenberg 1.1.0 available in the WP Repo.
I have also tried this on two other sites and same error.
I thought I should report it here?

toddhalfpenny commented Sep 8, 2017

I have a sneaking suspicion that this is actually not a Gutenberg fault, but a deeper one with the REST api.
Do you have the basic permalinks set? If so, try swapping to a custom permalink and give it another go.
I wrote up some details (with links to tracs etc) when I ran into this symptom.

Contributor

ahmadawais commented Sep 8, 2017

Yeah, I have pretty permalinks set up. I even used a front end post submission plugin that's built with REST API and it works.

Member

westonruter commented Sep 8, 2017

This may be a duplicate of #1935.

Contributor

ahmadawais commented Sep 9, 2017

@westonruter I'm afraid you're right. Looks like there's an issue with the PUT request as it returns a 403.

PUT https://a2podcast.com/wp-json/wp/v2/posts/44 403 ()

for

load-scripts.php?c=0&load[]=jquery-core,jquery-migrate,utils,underscore,backbone,wp-util,wp-backbone,media-models,plupload,wp-plupload,jquery-ui-core,jquery&load[]=-ui-widget,jquery-ui-mouse,jquery-ui-sortable,mediaelement,wp-mediaelement,media-views&ver=4.8.1:4

Contributor

ahmadawais commented Sep 9, 2017

If I log XMLHttpRequests then this is the message I get.

XHR failed loading: PUT "https://a2podcast.com/wp-json/wp/v2/posts/46".

screenshot 2017-09-09 13 03 57

Contributor

rmccue commented Sep 10, 2017

What is the request/response data for the API request?

JustinSainton commented Sep 10, 2017

Tried logging the actual API req/res objects via REST API Log plugin, but no dice. Maybe this is insightful in the meantime?

https://cloudup.com/cL5lSmvZize

Contributor

ahmadawais commented Sep 12, 2017

@rmccue I have a similar log to @JustinSainton's.

https://i.imgur.com/hRi9cWJ.png
https://i.imgur.com/ZXcRBgJ.png

It still doesn't work.

Contributor

rmccue commented Sep 12, 2017

What is the response payload that accompanies this?

Contributor

ahmadawais commented Sep 12, 2017

@rmccue Thanks for asking the right question. I haven't looked at the response payload.

Turns out CloudFlare is the reason why this is happening.

The response payload is this
https://i.imgur.com/nZWecJR.png

I disabled CloudFlare on one of my domains to check if this works and it did. But this again is a big problem. So many sites are hosted on CloudFlare. I am currently looking into what is causing CloudFlare to ban the IP for adding a draft via Gutenberg. Looks like the Browser Integrity Check where it's banning a headless call. Which shouldn't be banned.

I have no page rules set. Nothing. Looks like default configurations of CloudFlare are banning the API from posting via Gutenberg.

Contributor

ahmadawais commented Sep 12, 2017

Looks like CloudFlare has a globally enabled rule set in WAF — even for free users — that no one can even disable (AFAIK).

Here are the details https://blog.cloudflare.com/protecting-everyone-from-wordpress-content-injection/

https://i.imgur.com/8SbZpYK.png

https://i.imgur.com/EJ7S5O4.png

I wonder if @aaroncampbell could help with this — I can see his comments on the post.

Looking forward!

JustinSainton commented Sep 12, 2017

I'm not using Cloudflare, but this is interesting. I suppose something at the server-level with the host (We're on Siteground) could be blocking PUT requests. I'll ask them about this.

JustinSainton commented Sep 12, 2017

@rmccue And my response payload is the CPanel 403 HTML response, fwiw:

https://cloudup.com/cUJByQ-troP

Contributor

rmccue commented Sep 13, 2017

Interesting. Based on this, it seems like it may be a REST API issue with these hosts. We may need to reach out and see about fixing this.

If you switch Gutenberg to use POST instead of PUT, does this still occur? (The API accepts POST everywhere it accepts PUT, but you can also do POST ?_method=PUT to simulate an actual PUT on the backend.)

Contributor

ahmadawais commented Sep 13, 2017

@rmccue How do you propose one would switch from PUT to POST in Gutenberg?

Contributor

BE-Webdesign commented Sep 13, 2017

@ahmadawais

Do the same PUT request you are doing as a POST request instead and add the request arg _method=PUT. This will trigger the x-http-method-override header so that the REST API will know you really mean PUT even though the server can't handle PUT and only wants to use POST requests. You can do the same for DELETE. For Gutenberg you can monkey patch the wp.api requests to use the method override. That would be a temporary solution, while this is figured out for the larger context of how the REST API will be used in this project and other areas of core.

JustinSainton commented Sep 13, 2017

@rmccue Found the source. In our case, Siteground had put the following block in our .htaccess file

    # Block Request Method #
    RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|options|put|trace|track) [NC]
    RewriteRule .* - [F]

This was the root cause of the issue. I hadn't had the opportunity to attempt anything to prove the case, but I assume the DELETE and OPTIONS methods would have also failed.

Contributor

rmccue commented Sep 14, 2017

@JustinSainton Nice digging! DELETE, OPTIONS, and PUT all need to be whitelisted for the API (OPTIONS is used by browsers automatically for cross-origin requests).

Was this specific to your site, or a SiteGround-wide thing? If the latter, I'll try and follow up with them.
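
The verb filter quoted above and the `POST ?_method=PUT` workaround suggested earlier in the thread, modeled together as an added example (not code from Gutenberg, WordPress, SiteGround or any commenter). The first pattern is the `RewriteCond` expression from the quoted `.htaccess`; the narrowed pattern, the function names and the `example.test` URLs are assumptions made for illustration.

```javascript
// Added example. Models the .htaccess verb filter quoted in this thread and
// the POST + _method override suggested as a temporary workaround.

// Pattern copied from the quoted RewriteCond; the [NC] flag becomes "i".
const HOST_BLOCKLIST = /^(connect|debug|delete|move|options|put|trace|track)/i;

// Assumption (not from the thread): a narrowed pattern that still rejects
// the other verbs but lets DELETE, OPTIONS and PUT through, the three verbs
// named in the thread as required by the REST API.
const NARROWED_BLOCKLIST = /^(connect|debug|move|trace|track)/i;

// Status the filter yields for a verb: "RewriteRule .* - [F]" answers 403.
// 200 here only means "passed the filter", not what WordPress would return.
function filterStatus(method, blocklist) {
  return blocklist.test(method) ? 403 : 200;
}

// Turns a PUT or DELETE request descriptor into a POST that names the
// intended verb in the _method query argument and, redundantly, in the
// X-HTTP-Method-Override header. Other verbs are returned unchanged:
// OPTIONS preflights are sent by the browser itself and cannot be rewritten.
function withMethodOverride(request) {
  const method = request.method.toUpperCase();
  if (method !== 'PUT' && method !== 'DELETE') {
    return { ...request, method };
  }
  const url = new URL(request.url);
  url.searchParams.set('_method', method);
  return {
    ...request,
    method: 'POST',
    url: url.toString(),
    headers: { ...(request.headers || {}), 'X-HTTP-Method-Override': method },
  };
}

// For each request, reports what the filter does to it as sent and after
// the override has been applied.
function auditRequests(requests, blocklist) {
  return requests.map((request) => {
    const rewritten = withMethodOverride(request);
    return {
      sent: `${request.method} ${new URL(request.url).pathname}`,
      direct: filterStatus(request.method, blocklist),
      overridden: filterStatus(rewritten.method, blocklist),
      overrideUrl: rewritten.url,
    };
  });
}

// Constructed sample requests (example.test is a placeholder host).
const SAMPLE_REQUESTS = [
  { method: 'PUT', url: 'https://example.test/wp-json/wp/v2/posts/44', body: '{"status":"draft"}' },
  { method: 'DELETE', url: 'https://example.test/wp-json/wp/v2/posts/44' },
  { method: 'OPTIONS', url: 'https://example.test/wp-json/wp/v2/posts' },
  { method: 'POST', url: 'https://example.test/wp-json/wp/v2/posts' },
];

console.table(auditRequests(SAMPLE_REQUESTS, HOST_BLOCKLIST));
console.table(auditRequests(SAMPLE_REQUESTS, NARROWED_BLOCKLIST));
```

The override only helps against a filter that matches on the verb; a rule that inspects the request body, such as the 100030 challenge reported later in the thread, sees the same post content either way.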

JustinSainton commented Sep 14, 2017

@rmccue I'm not certain whether or not this is SiteGround-wide or not - I vaguely recall their support team modifying our htaccess file years ago, for some reason. So it may not be that widespread, but certainly feels like something to account for and educate hosts on.

Member

m commented Sep 19, 2017

This definitely gives pause when you consider what it means for broader use of the REST API.

First-party use of all the API methods in core in wp-admin (with helpful error messages) would expose and get these fixed very quickly.

Contributor

rmccue commented Sep 20, 2017

This has come up once or twice before (IIRC, GoDaddy and WP Engine), and the hosts are usually pretty responsive. Luckily, blocking methods tends to be a thing that only the big hosts do for "protection". Will definitely follow this up with SG to find out if it's a local or global thing.

(A bigger concern there is authentication, which is much worse, but not relevant to built-in stuff like Gutenberg.)

Contributor

ahmadawais commented Sep 20, 2017

@rmccue

A bigger concern there is authentication, which is much worse, but not relevant to built-in stuff like Gutenberg.

Couldn't agree more.

But as Matt suggested, having Gutenberg depend on WP REST API will lay the groundwork for better REST API enabled future for WordPress apps.

lkraav commented Sep 28, 2017

This is fairly certainly a duplicate of #2565

CantonJester commented Oct 10, 2017

@JustinSainton - I'm on SiteGround myself and was kicking the tires on Gutenberg earlier this evening on my development site: After an initial publishing of a post, I cannot update the post for the life of me. While I do not think I had my htaccess file edited the way yours was, I'm wondering if something similar is going on.

Looks like I'm off to open a ticket with SiteGround.

Contributor

ahmadawais commented Nov 14, 2017

Hey, folks! 🙌
I'm closing this issue based on the fact that after working with CloudFlare's support for two months, I've got it fixed and now CloudFlare sites are able to use Gutenberg without any issues.

Feel free to reopen it if there are other similar issues. 🔥

Member

pento commented Aug 9, 2018

Cloudflare rolled out a fix for this earlier today.

@ahmadawais, @roylindauer: Are you still seeing this issue after removing any workarounds you have in place?

hExPY commented Aug 9, 2018

@pento I reverted all changes and it works perfectly now. Thx for keeping in touch with Cloudflare! :-)

kurtschlatzer commented Aug 10, 2018

Thanks to Cloudflare's fix, my WAF log filled up with garbage "whitelist" entries for our folks working in the wp-admin. Grrrrr. Gutenturd.

caraya commented Aug 14, 2018

@pento I have no workaround on either my WordPress site or Cloudflare and I'm still experiencing the editing issue.

Member

pento commented Aug 14, 2018

@caraya: Is your Cloudflare WAF log indicating which rule is causing requests to be blocked?

caraya commented Aug 14, 2018

It's blocking on 100030 because it's challenging the request.

It appears that Cloudflare's patch wasn't fully propagated yet. It is working.

Sorry for the noise

Member

pento commented Aug 15, 2018

Thanks @caraya, this seems to be a different problem to the one Cloudflare has fixed. Rule 100030 is meant to block XSS probing attacks, I would guess that Cloudflare is interpreting the block format (particularly as it contains HTML comments, JSON, and string escaping) as XSS risks.

Which site are you seeing this on, @caraya? I'll follow up with Cloudflare and get them to investigate.

kesenwang commented Aug 15, 2018

The issue is still happening on our WordPress site as well. I disabled both rules in Cloudflare as per the guideline, but it doesn't seem to have an effect. Actually, some rules in Cloudflare's WAF seem to not actually disable, I'm not sure. In terms of whitelisting as well, I've whitelisted all of Taiwan just out of frustration, because Cloudflare kept blocking my IP despite whitelisting all Taiwanese IPs. Anyway, hopefully there is a fix for this soon.

caraya commented Aug 16, 2018

@pento the site is https://publishing-project.rivendellweb.net/

I have a ticket open with Cloudflare on this issue. I have not had an ETA for resolution, but more pressure doesn't hurt :)

@designsimply designsimply changed the title from CloudFlare blocking REST API PUT Request (Draft Doesn't Get Saved) to CloudFlare blocking REST API PUT Request (Draft Doesn't Get Saved) (solved by an update from Cloudflare) Aug 20, 2018

kesenwang commented Sep 11, 2018

How is this issue closed? I’ve disabled both rules in Cloudflare Pro plan and the rules are still blocking the Rest Api

Member

pento commented Sep 12, 2018

@kesenwang: The firewall log should indicate which rule is blocking requests: could you have a look and see which one it is?

mikepinto81 commented Sep 13, 2018

Don't use cloudflare. Use Siteground. Have this issue. Disabled ALL plugins. Use default Wordpress theme.
Console shows this error:
POST https://tcwprintshop.com/wp-json/wp/v2/posts/1326 403 ()

Network shows similar 403 error:
1326 | 403 | fetch | index.js?ver=1536783125:1

caraya commented Sep 13, 2018

@mikepinto81 do you run a firewall? Do your server logs report anything else other than the 403 error? This may or may not be a Gutenberg problem so the more information you can add to the report the more it'll help troubleshoot.

mikepinto81 commented Sep 13, 2018

JustinSainton commented Sep 13, 2018

@mikepinto81 Have you looked at your htaccess file? See my similar issue here: #2704 (comment)

mikepinto81 commented Sep 14, 2018

@JustinSainton unfortunately we even tried resetting to default htaccess and no difference. What is really confusing is how this only affects Posts and not Pages.

Tomplanmytrip commented Sep 18, 2018

Hey Guys!

I'm using Cloudflare Pro and Gutenberg

I disabled WP0025A and WP0025B as they recommend but it's still not working

I have the same problem as Caraya

Rule ID Action Taken IP Address Loc. Host Date  
100030 Challenge www.tomplanmytrip.com 22 minutes ago Details

Any updates?

Thx!

screen shot 2018-09-18 at 6 51 57 am

Member

pento commented Sep 18, 2018

Thank you for the info, @Tomplanmytrip. Rule 100030 is intended to block XSS probing attacks, it seems like Cloudflare is mistaking the post_content combination of HTML comments and serialised JSON as being an attempt to create an XSS attack.

This is going to be a little trickier to fix, I'll raise it with Cloudflare to get their input on it.

Tomplanmytrip commented Sep 18, 2018

Ok thank you Pento :)

I've got the following mistakes in my developer tool

Failed to load resource: the server responded with a status of 400 ()

autosaves:1 Failed to load resource: the server responded with a status of 405 () -> I get the following message if I click on it: script>var wpgmza_google_api_status = {"message":"Enqueued","code":"ENQUEUED"}</script><script>var wpgmza_google_api_status = {"message":"Enqueued","code":"ENQUEUED"}</script>

start:1 Failed to load resource: the server responded with a status of 400 () -> I get the following message if I click on it: {"status":400,"error":"BadRequestError: Missing content-type"}

Is my plugin WP-map the problem?

Edit: Yes, Wp-Map is the issue. It works now. Any idea how to fix it?

Also, I have a similar problem if I'm using a getyourguide widget with the following code:

<script async defer src="https://widget.getyourguide.com/v2/widget.js"></script>

Member

pento commented Sep 18, 2018

I'd be interested to know if disabling a particular plugin makes the problem go away, but either way, we do need to figure out a way for Cloudflare to not be blocking legit requests. 🙂

Gatewayy commented Sep 18, 2018

The only thing that has worked for me so far is to whitelist the IP from the WAF area of the Firewall settings from the CF web admin.

image

caraya commented Sep 19, 2018

Do your web server error logs give anything related to this? I don't think this is a Cloudflare-related issue. I experienced it too but mine was caused by a mod_security my host did without telling me :(

mikepinto81 commented Sep 19, 2018

My issue I found was caused by the fact that I migrated the site from another install. The previous install had Wordfence installed and was using a php.ini var (auto_prepend_file). After uninstalling Wordfence I didn't realize there was still the php.ini file auto_prepend_file still pointing to the old install. This was causing the issue. I use Siteground and it took 3 different support people to help me hunt this down as for some reason the error logs were not giving hints to where the block was coming from.

Tomplanmytrip commented Sep 19, 2018

@Gatewayy Thx :) Do you mean I should Whitelist my IP?

Also, WP-Map wasn't the only problem.

1 hour later, I couldn't update my post, nor use the autosaves. So I lost my post. I uninstalled Gutenberg for now.

@caraya - I dunno. Is it working now for you?

caraya commented Sep 19, 2018

Yes, it did.

That's why I asked about your regular server error logs, it may say something other than Gutenberg or Wordpress related. If you can track the logs or have your host help you with that it might be helpful to troubleshoot the problem.

I would hold off whitelisting your IP (there will be many you'll have to whitelist if you choose to do so) until you test Gutenberg in your installation after the Wordfence fix.

Whitelisting all of the US as @Gatewayy did opens your server to all kinds of attacks. His issue is also specific to Cloudflare firewall so until you test and are sure it doesn't work, it won't be necessary to whitelist anything.
