Q: There seems to be an issue with API calls to a WordPress site hosted on Site Ground, when the API sends a requests, the inbound content appears to be blocked, we are not running any paid firewall or WAF on SiteGround is Siteground possbiliy blocking?

A: Yes, SiteGround can still be blocking your inbound API calls even if you are not paying for any firewall or WAF add‑on. Their shared hosting stack includes built‑in security layers (including ModSecurity rules and WordPress‑specific protections) that can silently block or filter requests.reddit+2

Why SiteGround might be blocking
Even without a paid WAF, SiteGround has:

Server‑level ModSecurity rules that can block specific HTTP methods, payload patterns, or request rates and return 403/406/500‑type errors.siteground+2

A WordPress Security/Optimizer plugin (SiteGround Security / Security Optimizer) that can disable XML‑RPC and tighten REST API behavior by default, impacting remote publishing and some integrations.siteground+1

Visit/abuse controls and rate limiting that may block high‑volume or automated REST API traffic, even when requests are otherwise valid.mainwp+1

In practice, other services have reported that “normal‑looking” REST API calls from external services were blocked until they changed headers like the User‑Agent or adjusted how requests were sent.[reddit]​

What to check on the WordPress/SiteGround side
Do these checks on the affected site:

In WordPress, check if the SiteGround Security / Optimizer plugin is installed and whether it is disabling XML‑RPC or tightening REST API access.siteground+1

Confirm that /wp-json/ endpoints are reachable directly from a browser or curl (try GET on /wp-json/wp/v2/posts). If browser works but your integration fails, the issue is likely method, payload, or header specific.wordpress+1

Try calling https://yoursite.com/xmlrpc.php in a browser; if it’s blocked or redirected, but your integration relies on XML‑RPC, that’s a problem.wpcodebox+2

What to try from the API client side
Based on similar cases with SiteGround‑hosted WordPress sites:

Adjust the User‑Agent header to look like a standard browser or well‑known client; some patterns have triggered their firewall.[reddit]​

Reduce concurrent requests and add retry/backoff in case you are tripping rate‑limit or abuse rules.[reddit]​

Test with simple GET and POST requests with minimal JSON bodies to see what specifically triggers blocking; note when it changes from 200 to 403/406.cpanel+1

When you should contact SiteGround
If you can reproduce:

A specific endpoint, method, and payload that fails from your service but works from other environments; or

Consistent 403/blocked responses with no plugin firewall active,

open a ticket with SiteGround support and provide:

Exact URL, HTTP method, and headers (minus secrets).

Timestamp and your source IP(s).

A note that you suspect ModSecurity or internal WAF is blocking valid REST/XML‑RPC calls and ask if they can whitelist your pattern or IP.siteground+2

They can often confirm from server logs whether their security layer blocked the request, even if you are not using any paid firewall features.siteground+1

To narrow this down quickly, what HTTP status code and error body (if any) are you seeing from your API calls into the SiteGround‑hosted WordPress site?

liquidlayer.net

Cloud Web Hosting Services by LiquidLayer.net
LiquidLayer.net offers premium web hosting, SSD, Cloud Hosting, VPS & dedicated server solutions with 24/7 support & Mission Critical Uptime