[RESOLVED] Cloudflare WAF was NOT blocking — App Password is the real path ✅ #1
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Status: ✅ RESOLVED — False alarm
The Cloudflare WAF was NEVER blocking the Contabo IP from the WordPress REST API.
We proved this by testing:
ummah.falahos.my/wp-json/wp/v2/users→ HTTP 200 (public)ummah.falahos.my/wp-json/wp/v2/plugins→ HTTP 401 (needs auth, not blocked)ummah.falahos.my/wp-json/hermes/v1/content/generate→ HTTP 404 (plugin not deployed)The WP REST API was always reachable. The HTTP 401 responses were WordPress asking for authentication — not Cloudflare blocking traffic.
What We Learned
Documented in wiki: https://git.falahos.my/wmj/hermes-cpanel-agent/wiki/Cloudflare-WAF-Bypass-Discovery
What Replaces This
wmj referenced this issue2026-07-03 06:51:19 +00:00
[BLOCKER P0] Cloudflare WAF blocks Contabo 172.17.0.1 from ummah.falahos.my/wp-json/to [RESOLVED] Cloudflare WAF was NOT blocking — App Password is the real path ✅