WF Blocks REST APIs to FluentCRM

Hi @adamverity, thanks for getting in touch about this.

Is FluentCRM still blocked in Learning Mode? If so, it’s unlikely to be a firewall rule, so the block may not show in Live Traffic and therefore the reason why allowlisting manually was ineffective.

The plugin may use the REST API internally, which could mean it’s trying to access users in a way that could be blocked by the option “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps”. This could be blocking the site from listing users if the call wasn’t made by an authenticated user. It may be worth trying to turn that option off in Wordfence > All Options > Brute Force Protection > Additional Options.

I’m not sure which posts precisely you may have already referenced but those would be my two first things to try that may deviate slightly from what you’ve already tried.

Let us know how you get on!
Peter.

Hi Peter,

Thanks for taking the time to help with this.

So far, nothing that I tried, including the above, worked in allowing those REST API calls. The only way I can get the calls to work if I disable WF completely, and that’s something I do NOT want to do.

Any other tricks in your hat that I could try?

Thanks again, Peter.

-Adam

Forgot to mention that incoming REST API calls are being blocked even in Learning Mode, Peter.

The solution, in my case, is to uncheck the “Disable WordPress application passwords” option!