What this error means
Wordfence asks WordPress to POST back to your site (a “loopback request”) to confirm that background tasks and scans can run. If wp_remote_post() can’t reach /wp-admin/admin-ajax.php or is blocked with 403/503/timeout, Diagnostics reports this failure and scans may stall.
Quick checks (1–2 minutes)
- Confirm the failure path: In Wordfence → Tools → Diagnostics → “Connecting back to this site,” expand details and note any HTTP code (403/503/timeout). Also open Tools → Site Health → Status for any Loopback request warnings.
- Temporarily disable: coming-soon/maintenance plugins, HTTP Basic Auth (password protection), or any “geoblocking”/firewall plugin. Re-test Diagnostics.
Fix #1: Cloudflare / CDN rules (most common)
CDNs can block your site’s own requests. Do the following:
- Tell Wordfence it’s behind Cloudflare: Wordfence → All Options → General → Detection → How does Wordfence get IPs → choose “Use the Cloudflare ‘CF-Connecting-IP’ HTTP header to get a visitor IP”. Save.
- Bypass security for AJAX & REST endpoints: In Cloudflare, add a WAF/Firewall rule to Skip security for requests where the URI path contains
/wp-admin/admin-ajax.php or /wp-json/. If you use “Under Attack Mode” or “Bot Fight Mode,” exclude those paths.
- Re-test: Run the Diagnostics test again.
Why this works: Correct IP detection prevents self-requests from looking like “unknown bots,” and the bypass rule lets loopbacks through Cloudflare untouched.
Fix #2: Host WAF / mod_security / server-level blocks
Hosts often enable rules that block admin-ajax.php or POSTs that look automated.
- Ask your host to check error/WAF logs during your loopback test and allowlist
/wp-admin/admin-ajax.php from your server’s own IP (loopback). Mention the Wordfence loopback test specifically.
- Remove duplicate redirects or odd rewrites in
.htaccess that could send admin-ajax.php into a redirect loop.
Fix #3: IPv6/SSL edge cases
Some environments fail loopbacks over IPv6 or with strict SSL validation.
- Use IPv4 for scans: Wordfence → Scan → Scan Options and Scheduling → Advanced Scan Options → enable Use only IPv4. Save.
- Re-test Diagnostics. If you saw an SSL error, ensure the site’s SSL chain is valid; your host can reinstall the certificate bundle if needed.
Fix #4: Maintenance / coming-soon / Basic Auth
Anything that blocks anonymous visitors will also block loopbacks.
- Disable maintenance/coming-soon plugins while testing.
- If the site is HTTP Basic Auth protected, remove it temporarily or configure your server to allow
admin-ajax.php through:
<Files "admin-ajax.php">
Require all granted
</Files>
(Use cautiously; prefer disabling Basic Auth during testing.)
Fix #5: Plugin/theme conflicts
- Temporarily deactivate other security/firewall, rate-limit, or anti-spam plugins, then re-run Diagnostics.
- Switch to a default theme briefly to rule out theme-level blocks (rare).
Fix #6: Turn off remote-start and re-run
Some setups behave better when scans start locally.
- Wordfence → Scan → Scan Options and Scheduling: disable Start all scans remotely.
- Set Maximum execution time per scan stage to a modest value (e.g., 20 seconds), save, then run a scan.
Collect clues if it still fails
- Look for HTTP 403/503 in hosting logs at the exact test time.
- Enable Wordfence Debugging (Tools → Diagnostics → Debugging Options) and re-test to capture details.
- Check Tools → Site Health → Status for Loopback request errors that may point to the culprit.
FAQ
Do I need to open my site to the world? No, only make sure your own site can POST to admin-ajax.php. That’s what the bypass/allow rules do.
Will bypassing AJAX reduce security? Not if you scope it precisely to /wp-admin/admin-ajax.php and keep WordPress/plugins updated. The rule simply prevents your CDN/WAF from blocking legitimate loopbacks.
Do scans work with maintenance mode? Typically no. Loopbacks must be able to reach AJAX without a login wall.
Success check
Return to Wordfence → Tools → Diagnostics. Under “Connecting back to this site,” the test should now succeed. Run a full scan to verify.