• Resolved bibekdocu

    (@bibekdocuworx)


    Hello,
    I am trying to access wp-json/wc/v3/orders/order_id endpoint.
    It works fine when making the call from localhost, but on production it keeps failing with the message: Error: Response status code does not indicate success: 403 (Forbidden).
    It works for the first one or two requests and fails for the others.
    But on calling wp-json/wc/v3/orders endpoint, it works fine on both production and development.
    Thanks


Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Support Frank Remmy (woo-hc)

    (@frankremmy)

    Hi @bibekdocuworx,

    I’d be happy to help you troubleshoot this API endpoint issue. Since you’re getting a 403 Forbidden error specifically when accessing individual orders by ID on production, this sounds like it could be related to firewall or security plugin restrictions.

    A few quick questions to help narrow this down:

    • Are you using any security plugins or firewall services (like Cloudflare, Sucuri, ModSecurity etc.) on your production site?
    • Are you using the same API credentials (consumer key/secret) on both localhost and production?
    • Does your production have any caching enabled?

    The fact that it works for the first couple requests but then fails suggests there might be rate limiting or security measures kicking in after detecting repeated API calls to specific order endpoints.

    Thread Starter bibekdocu

    (@bibekdocuworx)

    Hello,

    I am using the same API credentials on both development and production. There must be some firewall plugins for that WooCommerce website, which I am not sure of.
    I am trying to access an API of the WooCommerce application from a .NET application, and it does not have any caching enabled.
    And I don’t think rate limiting is the issue, because I can call it from local as many times as I want, and it fails in production after one or two calls.

    Thanks

    Plugin Support Frank Remmy (woo-hc)

    (@frankremmy)

    Hi @bibekdocuworx,

    Thanks for the additional details! This definitely sounds like a firewall or security plugin issue on your production site. Since it works fine locally but fails on production after a couple of requests, something is likely blocking your .NET application’s API calls.

    Here are a few steps to help identify and resolve this:

    First, check what’s blocking the requests:

    • Look at your browser’s developer console (F12) when the 403 error occurs – it might show which security service is blocking the request
    • Check your hosting provider’s error logs or firewall logs if you have access

    If you’re using a security plugin, you’ll need to whitelist the WooCommerce REST API endpoints: https://yourwebsite.com/wp-json/wc/v3/*

    Lastly, contact your hosting provider to check if their firewall is blocking the API calls – they might see them as suspicious activity. Some hosting firewalls block repeated API calls thinking they’re DDoS attacks.

    I hope that helps. Let us know if you need anything else.

    Thread Starter bibekdocu

    (@bibekdocuworx)

    Hello,

    We have checked with the hosting provider, and our .NET application’s IP address is already whitelisted there.
    But how come wp-json/wc/v3/orders never fails, and it only fails when calling the wp-json/wc/v3/orders/order_id endpoint?

    Thanks

    Plugin Support Frank Remmy (woo-hc)

    (@frankremmy)

    Hi @bibekdocuworx,

    Interesting. Since your hosting provider has already whitelisted your IP, the issue is likely at the application/plugin level. A few things to try:

    1. Does the 403 include any additional headers or error messages that might indicate which service is blocking it?
    2. Does it fail on all order IDs or just specific ones?
    3. Try adding a small delay (1-2 seconds) between API calls to see if that helps.
    4. Do you have access to check what security plugins are installed on the production site?

    Lastly, it would be helpful if you could share your system status report so we can review the full environment details. You can find this under WooCommerce, Status, then copy the report and share it via https://pastebin.com, https://quickforget.com, or https://gist.github.com.

    I hope that helps. Let us know if you need anything else.

    Thread Starter bibekdocu

    (@bibekdocuworx)

    Hello,

    Date: Mon, 09 Feb 2026 22:53:46 GMT
    Transfer-Encoding: chunked
    Connection: close
    accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    cf-mitigated: challenge
    critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    cross-origin-embedder-policy: require-corp
    cross-origin-opener-policy: same-origin
    cross-origin-resource-policy: same-origin
    origin-agent-cluster: ?1

    This is the header from the log. The request fails for all the orders randomly and only works for the first one or two. I have already tried adding delays, and that did not work either.
    I have shared the status report.
    https://quickforget.com/s/f43bfa4cd28423b6a881090bd6277c68148537abed24c463
    I am still confused why it works for the /orders endpoint and only fails for a specific order.

    Thanks

    Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi there,

    Thanks for the detailed explanation and for sharing the headers and system status report; that’s very helpful.

    Based on the behavior you’re describing and the response headers you shared (specifically cf-mitigated: challenge), this does not appear to be an issue with the WooCommerce REST API itself. A 403 Forbidden response, especially when requests work initially and then start failing, typically indicates that the requests are being blocked or challenged at the server or firewall level.

    A few important points to note:

    • The /wp-json/wc/v3/orders endpoint returning successfully while /wp-json/wc/v3/orders/{order_id} fails does not indicate a WooCommerce bug. Both endpoints use the same REST API authentication and permissions internally.
    • The presence of cf-mitigated strongly suggests Cloudflare or a similar security/firewall service is actively challenging or blocking repeated requests coming from your production environment.
    • Rate limiting can still apply at the firewall level even if no caching or application-level limits are configured, and it may behave differently between environments (localhost vs production IP).

    I would suggest you temporarily disable security plugins or firewall rules (if possible) to confirm whether the blocking stops. Check your hosting provider’s security or WAF logs, as they may be blocking requests automatically after detecting repeated API access.

    If that does not work, since this behavior is environment-specific and tied to a 403 response generated before WooCommerce processes the request, further investigation would need to be done at the server, hosting, or firewall configuration level.

    Please note that our support staff, including myself, are not developers who could offer guidance on the API functionality, as we only offer support for the default features and functionality of our products that do not require any custom code to function or integrate.

    If you need more in-depth support or want to consider professional assistance for customization, I can recommend WooExperts and Codeable.io as options for getting professional help.

    Alternatively, you can also ask your development questions in the WooCommerce Community Slack as custom code falls outside our usual scope of support.
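
Added example, not part of the thread and not WooCommerce or Cloudflare code: a small triage helper that decides whether a 403 was generated at the edge (the `cf-mitigated: challenge` header discussed above) or by the application. The raw responses are constructed samples; the status lines, `Content-Type` values and the JSON error body are assumptions for illustration.

```python
import json

# Constructed sample: edge-generated 403 carrying the header quoted in the thread.
EDGE_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Mon, 09 Feb 2026 22:53:46 GMT\r\n"
    "Connection: close\r\n"
    "cf-mitigated: challenge\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<!DOCTYPE html><html><body>challenge page</body></html>"
)

# Constructed sample: 403 produced by the REST API itself (assumed JSON error shape).
APP_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: application/json; charset=UTF-8\r\n"
    "\r\n"
    '{"code":"woocommerce_rest_cannot_view","message":"constructed","data":{"status":403}}'
)

def parse_response(raw):
    """Split a raw HTTP response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify_403(raw):
    """Return which layer most likely produced the 403."""
    status, headers, body = parse_response(raw)
    if status != 403:
        return "not-403"
    # The edge marks challenged requests; the origin never saw them.
    if headers.get("cf-mitigated", "").lower() == "challenge":
        return "edge-challenge"
    if headers.get("content-type", "").startswith("application/json"):
        try:
            code = json.loads(body).get("code")
        except (ValueError, AttributeError):
            code = None
        if code:
            return "application:" + code
    return "unknown-403"

if __name__ == "__main__":
    print(classify_403(EDGE_403), classify_403(APP_403))
```

Logging this classification next to each failed call in the API client shows at a glance whether to look at firewall configuration or at API credentials and permissions.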

    Thread Starter bibekdocu

    (@bibekdocuworx)

    Hello,

    Thanks for your response.

    We tried skipping all the rules such as Bot Fight Mode, rate limiting, and whatever other rules mentioned in Cloudflare that we could skip. We have even whitelisted our production IP address, and also, we have a user agent header which we are using for making a request.
    Cloudflare is marking our request under Bot Fight Mode, and it worked when we disabled that mode; however, we don’t want to disable it every time.
    Do you have any solutions on fixing this?

    Thanks

    Plugin Support LovingBro (woo-hc)

    (@lovingbro)

    Hi @bibekdocuworx,

    I can see how frustrating this has been, especially after confirming the IP is whitelisted and narrowing it down specifically to the single order endpoint. You have done a solid job isolating the behavior.

    Based on the headers you shared earlier, particularly cf-mitigated: challenge, and now confirming Cloudflare Bot Fight Mode is flagging the requests, this is clearly happening before WooCommerce even processes the request. That explains why /wp-json/wc/v3/orders works while /wp-json/wc/v3/orders/{order_id} starts failing after one or two calls. Cloudflare is likely treating repeated direct object access as automated scraping behavior.

    Since disabling Bot Fight Mode resolves it, the goal now is to allow these requests without weakening overall protection. Instead of turning Bot Fight Mode off globally, you can create a targeted Cloudflare rule:

    1. Create a WAF custom rule that matches:
      • URI Path contains /wp-json/wc/v3/
      • AND your production server IP
      • OR your specific User Agent used by the .NET application
    2. Set the action to Skip for:
      • Bot Fight Mode
      • Security Level
      • Rate Limiting

    This allows only your trusted API traffic to bypass the bot challenge while keeping protection enabled for the rest of the site.

    You may also consider:

    • Using Basic Auth via HTTPS instead of query string authentication if you are not already
    • Ensuring your .NET client sends a consistent, clearly identifiable User Agent header
    • Enabling Cloudflare logging to confirm which rule is triggering the mitigation

    Since the response is a 403 generated at the Cloudflare layer and not by WooCommerce, this confirms the API itself is functioning as expected.

    Please try setting up a scoped WAF skip rule instead of disabling Bot Fight Mode globally and let us know how it goes.
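
Added example, not part of the thread and not Cloudflare's rule engine: a Python model of the three match conditions listed above (path, source IP, User-Agent), showing how the way they are grouped changes which requests a skip rule would exempt. The IP address, User-Agent string and requests are constructed placeholders, and the third grouping goes beyond the post by requiring all three conditions.

```python
import ipaddress

API_PREFIX = "/wp-json/wc/v3/"                      # path from the thread
TRUSTED_IP = ipaddress.ip_address("203.0.113.10")   # placeholder address
TRUSTED_UA = "ExampleOrderSync/1.0"                 # hypothetical User-Agent

# Constructed requests: (label, path, source IP, User-Agent)
REQUESTS = [
    ("integration", "/wp-json/wc/v3/orders/123", "203.0.113.10", TRUSTED_UA),
    ("same-ua-api", "/wp-json/wc/v3/orders/123", "198.51.100.7", TRUSTED_UA),
    ("same-ua-login", "/wp-login.php", "198.51.100.7", TRUSTED_UA),
    ("same-ip-admin", "/wp-admin/", "203.0.113.10", "curl/8.5.0"),
]

def conditions(path, ip, ua):
    """Evaluate the three match conditions for one request."""
    return (
        API_PREFIX in path,                        # "URI Path contains"
        ipaddress.ip_address(ip) == TRUSTED_IP,    # source IP equals
        ua == TRUSTED_UA,                          # User-Agent equals
    )

# Three ways to combine the same conditions into one rule expression.
GROUPINGS = {
    "(path and ip) or ua": lambda p, i, u: (p and i) or u,
    "path and (ip or ua)": lambda p, i, u: p and (i or u),
    "path and ip and ua": lambda p, i, u: p and i and u,
}

def skipped(grouping):
    """Labels of the constructed requests the rule would exempt from checks."""
    rule = GROUPINGS[grouping]
    return [label for label, path, ip, ua in REQUESTS
            if rule(*conditions(path, ip, ua))]

if __name__ == "__main__":
    for name in GROUPINGS:
        print(f"{name:22} -> {skipped(name)}")
```

Because the User-Agent is supplied by the client, any grouping in which it can satisfy the rule on its own exempts requests from hosts other than the integration; anchoring the rule on both the path and the source IP keeps the exemption limited to the trusted API traffic.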

    Plugin Support Kay U a11n

    (@kingsleyinfo)

    Since we haven’t received any updates from you, I’ll mark this as resolved for now. If you need further assistance, you’re welcome to start a new thread.

    If you have time, we’d be grateful for a review: https://wordpress.org/support/plugin/woocommerce/reviews/
