Skip to content

Tracking Stopped: A Security Plugin or Firewall Is Blocking the REST API

If your platforms are set up correctly but no events are showing up, and you've already ruled out the role and environment settings, the cause is often something blocking the WordPress REST API.

This one is easy to miss because nothing looks broken in your settings. The tracking just quietly stops.

How Conversion Bridge Records Events

When a visitor loads a page, Conversion Bridge sends a small, anonymous request from their browser back to your own site at /wp-json/conversionbridge/v1/track-event. That request is what records the page in the visitor's conversion journey and triggers any server-side tracking, like the Meta Conversions API.

It works this way on purpose. Sending the request from the browser lets tracking survive on cached pages and lets it wait for cookie consent before anything fires.

The important part: this request comes from logged-out visitors, so the endpoint has to be reachable without anyone logging in. Anything that locks down the REST API for anonymous visitors will block it, and tracking stops.

Signs the REST API Is Being Blocked

A few things point to this cause:

  • No events are recorded anywhere, even though your platforms are connected and your role and environment settings are correct.
  • Both conversion journeys and server-side events (like the Meta CAPI) are affected at once, since they all run through the same request.
  • If you or your developer inspect the site's network activity, the request to /wp-json/conversionbridge/v1/track-event comes back as a 401 or 403 instead of succeeding, or hits a Cloudflare challenge page.
  • The Conversion Bridge log shows no outgoing server-side calls, because the request that triggers them never reached the plugin.

Confirm the REST API Is Blocked

Two quick checks will confirm it.

Turn on logging and watch for events

Conversion Bridge has a built-in server log that records events as they happen. This is the most reliable way to check, because it works right through a checkout or funnel where watching the browser isn't practical, and a temporary console setting or URL parameter would drop when the payment gateway redirects.

  1. Go to Settings → Conversion Bridge → Options and turn on Server logging under the Advanced settings.
  2. In a private or incognito window (so you're treated as a real visitor, not a logged-in admin), load a few pages and run a test conversion.
  3. Back on the Options tab, open the log file.

If the log stays empty, the tracking requests aren't reaching your site, which points to something blocking the REST API. If events are being recorded, your tracking is getting through and the problem is elsewhere. See How to debug events: Enable logging for more on the log.

Test the REST API directly

To pinpoint the cause, open your site in a private or incognito window and visit https://yoursite.com/wp-json/ (use your own domain).

A wall of JSON means the REST API is open and working. A 401 error, a "you are not currently logged in" message, or a Cloudflare "Just a moment..." challenge screen means something is restricting the REST API for logged-out visitors. That's what's blocking your tracking.

Common Causes and How to Fix Them

A security plugin disabling the REST API

Several performance and security plugins have an option to disable or restrict the REST API for visitors who aren't logged in. This is meant to reduce spam and probing, but it also blocks Conversion Bridge.

Perfmatters is a common one. Its Disable REST API option returns a 401 for any request from a logged-out visitor. Wordfence, Solid Security, and standalone "Disable REST API" plugins have similar settings.

To fix it, find the setting in that plugin (it's usually labeled something like "Disable REST API" or "Restrict REST API to logged-in users") and turn it off, or set it to allow anonymous access. If the plugin lets you allow specific routes, you can leave the restriction on and add an exception for the conversionbridge/v1 namespace.

Cloudflare (Managed Challenge or Bot Fight Mode)

Cloudflare can answer the tracking request with a "Managed Challenge" (the "Just a moment..." screen). That challenge is built for real people loading a page, so a real visitor's browser can pass it. But the background tracking request runs quietly and can't complete a challenge, so it fails.

Bot Fight Mode and Super Bot Fight Mode cause the same problem.

To fix it, add a WAF rule in your Cloudflare dashboard that skips the challenge for the tracking path. Create a custom rule that matches requests where the URI path contains /wp-json/conversionbridge/ and set the action to Skip, bypassing Managed Challenge and Bot Fight Mode. Once it's live, reload a page and the console error should be gone.

A hosting firewall or WAF

Some hosts run their own web application firewall that blocks POST requests to /wp-json/. If you've ruled out plugins and Cloudflare, contact your host and ask them to allow POST requests to /wp-json/conversionbridge/v1/track-event.

Verify Tracking Is Working Again

With Server logging still on, load a few pages and run a test conversion as a logged-out visitor, then check the log file on the Settings → Conversion Bridge → Options tab. If it's recording events again, the requests are reaching your site and tracking is working.

Purchases and other one-time events only fire once per order, so if you've already placed a test order it won't fire again on a reload. Add ?cb_force_event=1 to the thank-you page URL to re-fire the event without creating a new order. The How to Confirm Conversions are Tracking guide covers the full set of testing tools.

If the log is still empty after your fix, work back through the Tracking Not Showing on My Site guide to rule out the role and environment settings.

Still need help?

If you have not yet found your answer in the documentation articles, please contact support

Contact support