Help/troubleshooting
troubleshooting

Allow PowerSEC through Cloudflare or a firewall

Updated July 13, 2026 1 views 0 found this helpful

When a firewall, a security service, or Cloudflare sits in front of your site, it can sometimes block PowerSEC's requests — the site stays online and its own monitoring keeps reporting in, but actions sent from PowerSEC to your site (running a scan, refreshing your backup list, creating a backup on demand) can be delayed or fail.

PowerSEC shows a notice on the site's page when this happens, and current plugin versions automatically switch to fetching pending actions in the background — so things keep working, just up to a minute or two slower. Allowing PowerSEC through removes the delay entirely.

How PowerSEC connects to your site

PowerSEC only ever calls your site's own PowerSEC plugin endpoints, under this path:

/wp-json/powersec/v1/*

Every request is signed (HMAC) and identifies itself with this User-Agent:

PowerSEC-Central/1.0 (+https://powersec.io/security)

If your site uses Cloudflare

  1. Open the Cloudflare dashboard for your domain.
  2. Go to Security → WAF → Custom rules and create a new rule:
    • If: URI Path starts with /wp-json/powersec/
    • Then: Skip → tick Bot Fight Mode and Managed Challenge (and Super Bot Fight Mode if shown).
  3. Save the rule. Changes take effect within a minute.

Alternatively, create a rule that skips challenges when the User-Agent equals PowerSEC-Central/1.0 (+https://powersec.io/security).

If your zone uses "I'm Under Attack" mode, the skip rule above still works — it exempts only the PowerSEC plugin path, nothing else.

If your site uses another firewall or a security plugin

  • Allow requests to /wp-json/powersec/v1/*.
  • If the tool supports User-Agent rules, allow PowerSEC-Central/1.0.
  • If a security plugin disables the WordPress REST API, allow the powersec/v1 namespace.

If PowerSEC says the plugin is unreachable

That usually means the PowerSEC plugin was deactivated or its REST routes were disabled. Log in to the site's WordPress admin and make sure the PowerSEC plugin is active.

Is this safe?

Yes. The exemption only applies to PowerSEC's own plugin endpoints, and every request must carry a valid signature that only your site and PowerSEC know — a request without it is rejected by the plugin itself, regardless of the firewall.

Couldn't find what you're looking for?

Browse more articles or reach out to our support team.

Browse all articles Email support