How to Allow WordPress REST API with Cloudflare


Are you experiencing issues accessing the WordPress REST API while using Cloudflare for your website? Are your third-party website tools unable to connect to your REST API?

If so, you’re not alone. At MRK WP, we encountered a similar challenge when requests from the Yoast AI generator could not access the REST API.

This article will guide you on how to configure Cloudflare to grant third-party tools access to the WordPress REST API.

We have also included a video tutorial to assist you along the way.

Video: How to Allow REST API Access for WordPress with Cloudflare

Watch the video on how to allow access to the REST API on a WordPress site managed by Cloudflare.

Yoast AI Generator blocked by Cloudflare

Cloudflare implements security functionality that blocks bots and other tools from accessing your website and its assets. The WordPress REST API is among the protected assets.

What is the WordPress REST API?

The WordPress REST API is an interface that allows external applications to access data on your WordPress site without logging in. Applications interact with it by sending and receiving data as JSON objects.

At MRK WP, we use the Yoast AI feature to generate titles and meta descriptions for our blog posts. On one occasion, the Yoast AI generator stopped working on our website and showed an error message saying that it could not access the REST API.

Our research revealed that Cloudflare was blocking the Yoast AI generator’s requests, preventing it from accessing the REST API.

We have already found a fix for this issue, so you do not need to spend time researching it. Let’s dive into the solutions.

Step-by-step: How to Allow Access to WordPress REST API

1. Add Custom Page Rule for REST API

The first solution to fixing the issue is creating a custom page rule on your website that accepts calls to the REST API.

To add this custom page rule, log into your Cloudflare account, then:

  1. Go to your website’s Cloudflare settings.
  2. Proceed to Rules.
  3. Go to Page Rules.
  4. On the Page Rules page, go to “Create a Page Rule.”

Fill in the custom page rule form by following the steps below.

  1. Add the REST API endpoint for your site. This would be www.yoursite.com/wp-json
  2. Disable the security on the REST API endpoint.
  3. Turn off the browser integrity check.
  4. Disable the auto-minifying settings.
  5. Set the security level to off.
  6. Disable the Apps on the endpoint.
  7. Save the page rule.


This page rule applies only to the WordPress REST API endpoint, /wp-json. It will not affect any other endpoints on your site.

After adding the custom page rule, we tested the solution, but it did not work. Cloudflare continued to block the Yoast AI generator’s requests.

We then tried out another solution.

2. Turn off Bot Fight Mode

Cloudflare has a Bot Fight Mode feature that protects your site from bot requests.

Sometimes, this feature can accidentally block requests from legitimate tools that need the WordPress REST API to work properly.

Turning off Bot Fight Mode could grant third-party tools access to the WordPress REST API. This is a quick fix, but it’s important to remember that WordPress security is still a top priority.

To turn off this security feature:

  1. Go to Security.
  2. Proceed to Bots.
  3. Turn OFF Bot Fight Mode.

The Yoast AI generator worked fine after turning off Bot Fight Mode for our site.


We have seen that you can enable access to the WordPress REST API through two methods. You can create a custom page rule tailored to accept REST API calls and disable Cloudflare’s Bot Fight Mode.

Remember, WordPress security is important, so only disable features if necessary and consider consulting a website security professional like MRK WP for complex setups.

We hope this tutorial has been helpful. Thank you for reading!

Why does Cloudflare block access to the WordPress REST API?

Features like Bot Fight Mode prevent bots from reaching specific endpoints, like the WordPress REST API. Cloudflare implements these security measures to protect your website from malicious activity.

However, this can interfere with third-party tools trying to access your site’s data.

How do I know if Cloudflare is blocking access to the WordPress REST API?

You might see error messages or failed requests saying third-party tools can’t access the REST API.
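One way to tell a Cloudflare block apart from an error raised by WordPress itself, as an added example that is not part of the original article: the function below classifies a response from /wp-json by its status, headers and body. The function names, verdict labels and sample responses are constructed for illustration; `cf-mitigated: challenge` is the header Cloudflare sets on challenge pages.

```python
import json

def classify_rest_response(status, headers, body):
    """Say who answered a request to /wp-json: Cloudflare's edge or WordPress."""
    h = {k.lower(): v for k, v in headers.items()}
    via_cloudflare = h.get("server", "").lower() == "cloudflare" or "cf-ray" in h

    # Cloudflare marks challenge pages with this response header.
    if h.get("cf-mitigated", "").lower() == "challenge":
        return "cloudflare_challenge"

    # WordPress answers REST requests with JSON, including its errors.
    doc = None
    if "json" in h.get("content-type", "").lower():
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
    if isinstance(doc, dict):
        if status == 200 and "namespaces" in doc and "routes" in doc:
            return "wordpress_ok"      # the REST index reached the origin
        if "code" in doc and "message" in doc:
            return "wordpress_error"   # WP_Error shape: look at WordPress, not Cloudflare

    # Heuristic: a non-JSON 403/429/503 served through Cloudflare is most
    # often an edge block, but an origin plugin can produce one too.
    if via_cloudflare and status in (403, 429, 503):
        return "cloudflare_block_likely"
    return "unknown"

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "challenge": (403, {"Server": "cloudflare", "CF-RAY": "0000000000000000-SYD",
                        "cf-mitigated": "challenge", "Content-Type": "text/html"},
                  "<title>Just a moment...</title>"),
    "blocked": (403, {"Server": "cloudflare", "CF-RAY": "0000000000000001-SYD",
                      "Content-Type": "text/html"}, "<h1>Access denied</h1>"),
    "working": (200, {"Server": "cloudflare", "Content-Type": "application/json; charset=UTF-8"},
                '{"name": "Example", "namespaces": ["wp/v2"], "routes": {}}'),
    "wp_denied": (401, {"Server": "cloudflare", "Content-Type": "application/json"},
                  '{"code": "rest_forbidden", "message": "Sorry.", "data": {"status": 401}}'),
}

def diagnose(samples=SAMPLES):
    """Classify every sample and return {sample name: verdict}."""
    return {name: classify_rest_response(*resp) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, verdict in diagnose().items():
        print(f"{name:10} -> {verdict}")
```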

Do I have to disable all of Cloudflare’s security features?

No, the solutions in this post target specific settings that might be blocking the REST API. Ideally, you can adjust these settings while maintaining a good security posture.