Cloudflare’s Bot Fight Mode and Under Attack Mode are great for stopping malicious traffic but they also challenge legitimate REST API calls from WordPress for Cowork. If your /wp-setup hangs or times out and you have Cloudflare in front of your site, this is the most likely cause.
How to confirm Cloudflare is the cause
- Open the Cloudflare dashboard for your domain.
- Go to Security → Events.
- Look for blocked or challenged requests to
/wp-json/coworkmcp/v1/mcpor/wp-json/wp/v2/*. If you see them, Cloudflare is the gatekeeper.
Fixes (pick one)
Option 1 (recommended): bypass the WAF on the MCP route
- Cloudflare → Security → WAF → Custom rules → Create rule.
- Field: URI Path. Operator: contains. Value:
/wp-json/coworkmcp/. - Action: Skip → tick “All remaining custom rules”, “Bot Fight Mode”, “Rate Limiting”, “Managed Rules”.
- Save.
This is the most surgical fix — the rest of your site keeps the full Cloudflare protection, only the MCP route is exempt.
Option 2: turn off Bot Fight Mode entirely
Cloudflare → Security → Bots → Bot Fight Mode → OFF. Simpler but reduces protection across the whole site.
Option 3: pause Cloudflare during setup
Overview page → Pause Cloudflare on Site. Run /wp-setup. Once paired successfully, re-enable Cloudflare. Cowork Bridge stores the pairing locally so subsequent calls keep working with Cloudflare back on (assuming Bot Fight Mode is off or the route is bypassed per Option 1).
Under Attack Mode
If you enabled Under Attack Mode recently (security spike), every visitor sees a 5-second challenge page — including the plugin. Turn it off while running /wp-setup and turn it back on after pairing completes.