Hi @pixeler, thanks for getting in touch!
Our free Wordfence Central product requires successful connectivity to your site’s REST API, so we don’t deny access to it in the Wordfence plugin by design.
The IPv6 issue above shouldn’t be a problem as it’s common for certain platforms, such as Cloudflare, to assign an IPv6 address but the host doesn’t allow it to be used. If your IPv4 connectivity and connectivity to our servers look good in your Diagnostics page then scans and rules updates etc. should work fine.
Immediately after being denied access or receiving an unexpected result from the REST API, check for blocks that match up with the request you just made in Live Traffic. After expanding the Live Traffic line, you’ll see the reason given in red text. You might be able to “ADD PARAM TO FIREWALL ALLOWLIST” using the button provided, or alter a setting to allow the requests in future as you know the original request was safe. Sometimes Learning Mode can help allowlist actions for you.
You can read more about both methods above here: https://www.wordfence.com/help/firewall/learning-mode/
Thanks,
Peter.
I came to the conclusion that this option in Additional Optionas -> Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps, is causing it, if I turn it off, the synchronization works.
Hi @pixeler, thank-you for the update.
I had recently seen a conflict with Google Web Stories where the solution was to deactivate the option you mentioned in Wordfence > All Options > Brute Force Protection > Additional Options. I hadn’t gone to this conclusion first in this case as I wasn’t sure of the content/plugins in your case, but I appreciate you bringing it to my attention as the solution.
You are safe to keep that setting turned off if required to keep the REST API communicating with the services you need.
Thanks again,
Peter.
