If you've entered your WordPress URL, username, and application password β and the form still shows a connection error mentioning Cloudflare's bot protection β your site is sitting behind Cloudflare and it's blocking Penny from reaching the WordPress REST API.
This is normal: Cloudflare flags requests coming from cloud servers (like the AWS infrastructure Marblism runs on) as "bot traffic" by default. Once you tell Cloudflare to let Penny through, everything works.
This guide will walk you through the fix. It takes about 5 minutes and you only need to do it once per WordPress site.
βΉοΈ You'll need access to the Cloudflare dashboard for the affected domain. If you don't have it, send this article to your developer or whoever manages the site's DNS.
π€ How do I know Cloudflare is the issue?
The connection form will show a message starting with:
"This WordPress site is protected by Cloudflare's bot protection, which is blocking our connection from AWS."
If you see that message, this guide is for you. If the error mentions "Authentication failed" or "Unexpected response," the problem is something else β try the main WordPress connection guide first.
π The Fix: Add a Cloudflare Custom Security Rule
You'll create a custom security rule in Cloudflare that tells it to let Penny through. Youβll create this rule under: Security β Security rules β Custom rules.
This rule whitelists the specific IP addresses and User Agent our app uses to reach your WordPress site.
Open the Cloudflare dashboard and click on the domain that runs your WordPress site.
βIn the left sidebar, go to Security β Security rules, then click Create rule and select Custom rules.
[Screenshot: Navigation steps for creating a new custom security rule]
βFill in the form: you will set up three conditions, all joined with And so every condition must match:
βCondition 1 β IP Source Address
Field:
IP Source AddressOperator:
is inValue: paste each of these IPs (press Enter or comma between them):
3.229.80.16634.192.49.19034.232.233.3954.225.66.15398.84.61.58
Click And to add the next condition.
βCondition 2 β User AgentField:
User AgentOperator:
containsValue:
Marblism-WordPress-Connector
Click And to add the next condition.
βCondition 3 β URI PathField:
URI PathOperator:
wildcardValue:
/wp-json/*
Your Expression Preview should read:(ip.src in {3.229.80.166 34.192.49.190 34.232.233.39 54.225.66.153 98.84.61.58} and http.user_agent contains "Marblism-WordPress-Connector" and http.request.uri.path wildcard r"/wp-json/*")
β
[Screenshot: top half of the New custom rule form showing the 3 required conditions]
βUnder Then take actionβ¦, choose Skip as the action.
βIn WAF components to skip, tick all four of these:
β All remaining custom rules
β All managed rules
β All Super Bot Fight Mode Rules
β Browser Integrity Check (under "More components to skip" β click to expand)
β
Under Place at, select order: First.
[Screenshot: bottom half of the New custom rule form showing the skipped WAF components and rule order]
βClick Deploy at the bottom of the page. That's it. Your custom rule is now live.
β
β Verify the connection in Penny
Go back to Penny β Blog Posts β Accounts.
Open the WordPress connection (or click Connect WordPress if you haven't yet).
Enter your site URL, username, and application password and press Save connection.
You should see a green confirmation. If you do, you're done β you can now publish blog posts to WordPress straight from Penny.
π Still blocked?
If the error message still shows after deploying the rule, try these in order:
Wait a minute and retry. Cloudflare rule changes propagate quickly but not always instantly.
Confirm the rule is at the top. In Custom rules, your new rule should appear above any existing rules in the list. If something is above it, drag it up.
Disable Bot Fight Mode temporarily. Go to Security β Settings β Bot Fight Mode and turn it off (or lower its sensitivity). Try connecting again. If it works, you can re-enable Bot Fight Mode β your custom rule should keep Penny working. Please note that Cloudflareβs free version of bot fight mode cannot be skipped by custom security rules. You may wish to consider upgrading to Super Bot Fight Mode.
Check for other security plugins. Plugins like Wordfence run their own firewall inside WordPress. If Wordfence is also blocking us, you'll need to whitelist the same five IPs in Wordfence's settings (Wordfence β All Options β Whitelisted IP addresses).
Still stuck? Reach out to support with a screenshot of your custom rule and the error message you're seeing in Penny.
π‘ Why does Cloudflare block Penny by default?
Cloudflare protects sites by challenging traffic that "looks like a bot" β which includes any request from a cloud server (AWS, GCP, Azure). Penny runs on AWS, so Cloudflare blocks it the same way it would block a scraper.
The rule above tells Cloudflare: "requests from these specific IPs and User-Agent (Marblism) made to this specific path (/wp-json/, the WordPress API) are safe β let them through." Other bots are still blocked as normal.