Cloudflare in front of WordPress can challenge legitimate Cowork Bridge traffic. Two modes to watch.
Under Attack Mode
If you enabled Under Attack Mode, every visitor gets a 5-second challenge, including Cowork Bridge requests, which then time out.
Turn it off during initial /wp-setup. Re-enable after pairing if you genuinely need it (it’s a heavy mode meant for active attacks).
Bot Fight Mode
Bot Fight Mode challenges traffic that Cloudflare’s heuristics flag as bot-like. Cowork Bridge’s REST calls can occasionally get flagged. The full walk-through, including the surgical bypass rule, is in “Cloudflare blocking the plugin (Bot Fight Mode)”.
The fast fix during setup
Cloudflare → Overview → Pause Cloudflare on Site. Run /wp-setup. Re-enable Cloudflare once paired. Cowork Bridge stores pairing locally, so subsequent calls keep working with Cloudflare back on (assuming Bot Fight Mode is off or the MCP route is bypassed).
WAF rules
If you’ve written custom WAF rules that block /wp-json/*, add an exception for /wp-json/coworkmcp/* using a Skip action.
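To confirm that the Cowork Bridge route reaches WordPress once Cloudflare is back on or the Skip exception is in place, the following added example (not part of the plugin or of Cloudflare's tooling) classifies a response by its headers. It assumes that Cloudflare marks challenge pages with the `cf-mitigated: challenge` response header and that the plugin's REST routes answer with JSON; the URL and the sample responses are constructed placeholders.

```python
import urllib.error
import urllib.request


def classify(status, headers):
    """Classify one HTTP response from the /wp-json/coworkmcp/ route.

    headers: mapping of header name -> value, in any letter case.
    """
    h = {k.lower(): v.lower() for k, v in headers.items()}
    # Cloudflare adds this header to responses that carry a challenge page.
    if h.get("cf-mitigated") == "challenge":
        return "challenged"
    is_json = h.get("content-type", "").startswith("application/json")
    from_cf = h.get("server") == "cloudflare"
    # A non-JSON 403/503 served by Cloudflare means the edge (a WAF rule or
    # a challenge) answered before WordPress did.
    if from_cf and not is_json and status in (403, 503):
        return "blocked-at-edge"
    # WordPress REST answers in JSON even for errors such as 401 or 404,
    # so any JSON body means the request got past Cloudflare.
    if is_json:
        return "reached-wordpress"
    return "unknown"


def probe(url, timeout=10):
    """Fetch url once and classify the response (needs network access).

    urllib's default User-Agent differs from the plugin's, so treat the
    result as an indication of how the edge handles this path.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers.items()))


if __name__ == "__main__":
    # Constructed sample responses, so the script also runs offline.
    samples = [
        (403, {"Server": "cloudflare", "CF-Mitigated": "challenge",
               "Content-Type": "text/html; charset=UTF-8"}),
        (200, {"Server": "cloudflare",
               "Content-Type": "application/json; charset=UTF-8"}),
    ]
    for status, headers in samples:
        print(status, classify(status, headers))
    # Live check against your own site (placeholder host):
    # print(probe("https://example.com/wp-json/coworkmcp/"))
```

A result of `challenged` or `blocked-at-edge` on that path means the exception is not matching yet.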
