Sucuri’s WordPress-side plugin is fine. Their cloud WAF is the part that can block legitimate Cowork Bridge traffic — and the part you usually have to configure.
Allowlist the MCP path
- Sucuri dashboard → Settings → Whitelist.
- Add /wp-json/coworkmcp/* to the allowed paths list.
The Sucuri WAF will pass requests to that path through to your origin instead of challenging or blocking them.
Rate limiting
Sucuri’s WAF rate-limits REST API traffic by default. If you’re running a bulk operation (Claude updating 200 products, for example), you may hit that limit. Either:
- Whitelist your IP under Firewall → Settings → Whitelist URL or IP, or
- Ask Sucuri support to raise the rate limit for legitimate REST API traffic.
If you’re using only Sucuri’s free plugin (no WAF)
No action needed — the free plugin doesn’t gate REST API access.
