contact_mailContact Form 7•apiREST APIerror403infoajaxsecurityfirewallcloudcloudflare•labelCommon•warningModerate

Contact Form 7: Form submission blocked by Cloudflare.

Contact Form 7 submits data through an AJAX POST request to the WordPress REST endpoint /wp-json/contact-form-7/v1/contact-forms/*/feedback. Cloudflare sits between the visitor and the origin server and inspects every request.

Cloudflare firewall rules evaluate the request against patterns for bad bots, SQL injection, cross‑site scripting, and generic REST API protection. When a rule matches, Cloudflare returns a 403 response that includes the text “Form submission blocked by Cloudflare.” CF7 reads that response and shows the same message inside the form.

Rate‑limit policies or Bot Fight Mode may throttle repeated submissions from the same IP address. The edge server then replies with 429 or 403 status codes, which appear as a blocked form.

Missing or altered User‑Agent or Referer headers also trigger the firewall. Some security plugins strip these headers, causing Cloudflare to treat the request as suspicious.

Turnstile or reCAPTCHA integration that fails verification adds a firewall check. An invalid token or a mismatched SSL/TLS mode (Full vs Full Strict) leads Cloudflare to reject the request, and CF7 reports the block.

Symptoms

[dashicons-warning]

Error message in form

Form displays “Form submission blocked by Cloudflare.” after clicking submit.

[dashicons-email]

No email received

Submission does not generate an email even though the form appears to send.

[dashicons-admin-network]

Network request shows 403

Browser console shows a 403 status and a cf‑ray header for the AJAX POST.

Common Causes

Firewall rule match

Cloudflare WAF rule flags the CF7 REST endpoint as a bad bot or SQLi attempt.

Rate limiting

Repeated submissions exceed a Cloudflare rate‑limit policy, resulting in a blocked response.

Missing headers

User‑Agent or Referer header is absent or altered, causing the request to look suspicious.

Turnstile mis‑configuration

Invalid Turnstile token triggers a firewall rule that denies the request.

SSL/TLS mismatch

Cloudflare operates in a mode that does not match the origin certificate, leading to a 525/526 error interpreted as blocked.

Need this fixed right now?

Don't waste your day debugging. Our experts can Fix your issues in under 2 hours.*

Success Rate

100% Guaranteed

Starting from

$35 /hour

99+

Trusted by Business Owners

“I spent 3 days trying to fix the Elementor loading loop. These guys fixed it in 20 minutes. Lifesavers!”

— Sarah J., Web Designer

Related Issues

Contact Form 7: REST API request failed: 503 Service Unavailable

A 503 Service Unavailable response stops Contact Form 7 from sending data...

apiREST APIerror503descriptioncontact-form-7

Contact Form 7: REST API request failed: 429 Too Many Requests

The form tries to send data through the WordPress REST API. The...

apiREST APIerrorerrorsecurityfirewalldescriptioncontact-form-7settingsserver_configuration

Contact Form 7: REST API request failed: 401 Unauthorized

The form tries to send data via the WordPress REST API. The...

apiREST APIadmin_panel_settingspermissionsdescriptioncontact-form-7lock401

Contact Form 7: File upload error: temporary directory missing

The error appears when Contact Form 7 cannot locate a writable temporary...

codePHPcloud_offupload erroradmin_panel_settingspermissionsdescriptiontemporary filedescriptioncontact-form-7

Contact Form 7: Mail (2) sending failed: PHP mail() function disabled

Contact Form 7 reports a failure for Mail (2) when the PHP...

codePHPerrorerrordescriptioncontact-form-7mailMailsettingsserver_configuration

Contact Form 7: Mail (2) sending failed: SSL certificate verification failed

Contact Form 7 reports a failure when trying to send the secondary...

errorerrorlocksslcodecURLdescriptioncontact-form-7