Imunify360 Blocks Royal MCP OAuth Discovery
If Claude fails to connect to your Royal MCP endpoint with a silent ofid_… error and your host runs CloudLinux’s Imunify360 bot-protection, Imunify360 is almost certainly intercepting /wp-json/* and /.well-known/* requests before WordPress ever sees them. The response body is a JSON denial served with an HTTP 200 status — a fingerprint distinct from the standard 429 UA-block behavior. Fix is host-side; no WordPress setting will resolve it.
Royal MCP connection issues that look host-specific are usually a plugin conflict, cache layer, or stale OAuth state — about 90% resolve in our 4-step basic checklist. If you haven’t run through that yet, do it first — this article assumes the basics are already ruled out.
Symptoms
You’re hitting this specific issue if all of the following are true:
The Telltale Signs
- Claude.ai (web) shows “Couldn’t reach the MCP server” or similar with an
ofid_…reference code, and the OAuth consent screen never appears - Royal MCP’s Activity Log (WP Admin → Royal MCP → Activity Log) stays completely empty for every attempted connection — the requests never reach WordPress
- Your hosting provider is a shared cPanel host running CloudLinux — common signals: LiteSpeed or openresty in
Server:header, cPanel login page at:2083, hosting provider mentions Imunify360 as a security feature - A
curlagainst your Royal MCP endpoint OR/.well-known/oauth-authorization-serverreturns HTTP 200 with a JSON body containing"Access denied by Imunify360 bot-protection"— not a 403, not a 429, not a plain 404
Imunify360 sits in front of WordPress at the web-server layer, so denied requests never reach PHP and never register in the plugin’s Activity Log. An empty log combined with a Claude connection failure isn’t proof of Imunify360 by itself — but combined with the curl fingerprint below, it’s conclusive.
How to Confirm It’s Imunify360
A 30-second curl test will leave no doubt. Run from any terminal — replace example.com with your actual domain:
Test your Royal MCP endpoint
curl -i https://example.com/wp-json/royal-mcp/v1/mcp
The diagnostic fingerprint is HTTP 200 (not 403, not 429) with this exact JSON body:
{"message":"Access denied by Imunify360 bot-protection. IPs used for automation should be whitelisted"}Confirm the OAuth discovery URL is also blocked
This is the first URL Claude fetches during connection setup:
curl -i https://example.com/.well-known/oauth-authorization-server
Same HTTP 200 + JSON denial pattern confirms Imunify360 is blocking the entire path prefix, not just the MCP endpoint.
Compare against a normal path (should succeed)
curl -I https://example.com/
Your site homepage should return HTTP 200 with normal WordPress output (no Imunify360 message). This proves the intercept is scoped to /wp-json/* and /.well-known/* paths — the rest of the site works normally.
It’s counterintuitive, but Imunify360 returns HTTP 200 with a JSON body describing the denial — not the HTTP 403 you’d expect for “access denied.” This is a design choice on Imunify360’s end (possibly to keep some scanners from flagging the denial as a hard block). It also means Royal MCP’s built-in Well_Known_Notice classifier needs an explicit signature to detect it — the fix landed in Royal MCP 1.4.36 (see “What Royal MCP already does for you” below).
The Fix — Ask Your Host to Whitelist Royal MCP Paths
Imunify360 lives at the hosting provider’s layer, not inside WordPress. The fix is a support ticket to your host asking them to add specific paths to the Imunify360 allowlist for your domain. Most hosts complete this in under 24 hours — it’s a routine change on their end.
Ready-to-paste hosting-provider request
Copy the text below into a support ticket with your hosting provider. Substitute example.com with your actual domain:
Subject: Please whitelist OAuth paths from Imunify360 for example.com Hi, We’re running the Royal MCP WordPress plugin on example.com, which lets AI assistants like Claude connect to our site via the Model Context Protocol (MCP). The connection requires OAuth 2.0 discovery and token endpoints to be accessible without bot-protection interference. Right now Imunify360 is intercepting every request to /wp-json/* and /.well-known/* with HTTP 200 and a JSON body: "Access denied by Imunify360 bot-protection. IPs used for automation should be whitelisted" Please add the following URL paths for example.com to the Imunify360 allowlist for our domain (or, equivalently, disable Imunify360 bot-protection for these specific paths): /wp-json/* /.well-known/* /authorize /token /register These are standard WordPress REST API + OAuth 2.0 (RFC 8414) endpoints. Whitelisting them will not reduce security — they are the plugin’s own authenticated endpoints and are subject to WordPress’s standard capability checks. Thanks in advance.
Claude.ai and Anthropic’s backend connect from constantly-rotating IP ranges. You can’t whitelist a fixed set of Anthropic IPs, so path-based allowlisting is the correct approach. Point your host at this article if they need convincing.
Alternative: cPanel Imunify360 UI (if your host gives you access)
Some cPanel hosts expose an Imunify360 admin UI directly to customers. If you have this, you can add the allowlist entries yourself:
- Log into cPanel
- Look for “Imunify360” or “ImunifyAV” in the Security section — typical labels are “Imunify360 Security Dashboard” or just “Imunify360”
- Navigate to Settings → General → “Ignore List” or “Whitelist URLs” (exact wording varies by cPanel version)
- Add each path pattern one at a time:
/wp-json/*,/.well-known/*,/authorize,/token,/register - Save. Changes typically take effect within 60 seconds — no server restart needed.
Not every host exposes this UI to customers — many keep Imunify360 admin-only. If you can’t find it, go straight to the support-ticket approach above.
Retry Claude connection
Once your host confirms the allowlist is in place (or you’ve added it yourself via cPanel), the fix is immediate:
- Re-run the curl test from the “How to Confirm” section above. You should now see the normal Royal MCP JSON-RPC response (or a proper OAuth metadata JSON for the
/.well-known/URL), not the Imunify360 denial. - In Claude, delete the existing Royal MCP connector if present, wait 30 seconds, then re-add it fresh. This forces the full OAuth flow from scratch rather than reusing cached failure state.
- Complete the authorize consent screen. Royal MCP’s Activity Log should now show entries the moment you click “Authorize.”
What NOT to Try (WordPress-Side Fixes Won’t Help)
Imunify360 runs at the web-server layer, ahead of PHP. That means the following common troubleshooting steps will NOT resolve this issue — don’t waste time on them:
- Changing plugin settings. No Royal MCP setting can affect requests that never reach PHP. Same for other security or cache plugins.
- Deactivating other plugins. If Imunify360 is the block, no combination of active/inactive WordPress plugins will change the outcome.
- Adding
.htaccessrewrite rules. Apache/LiteSpeed process.htaccessAFTER Imunify360 has already denied the request. Rules won’t fire. - Switching to a default theme. Themes only render pages that WordPress successfully processes — irrelevant here.
- Whitelisting IPs in WordPress security plugins. Those plugins don’t see the request either. Only Imunify360’s allowlist matters.
- Uninstalling & reinstalling Royal MCP. The plugin is fine — the problem is upstream of WordPress.
What Royal MCP 1.4.36 Already Does for You
Royal MCP 1.4.36 detects this exact failure mode automatically. When the plugin’s well-known-endpoint self-check sees an HTTP 200 + JSON body containing “Imunify360,” it surfaces a dismissible admin notice on the Plugins screen and Royal MCP settings linking back to this page.
So future customers on Imunify360 hosts will land here from inside their own WordPress admin instead of having to search for “Royal MCP can’t connect” and stumble across the diagnosis. The plugin can’t auto-fix the block for you — Imunify360 is upstream of WordPress and the customer’s hosting-provider allowlist is the only mechanism — but the notice makes the diagnosis fast.
Royal MCP’s well-known probe runs from the site to itself (a WordPress-loopback HTTP request). Some Imunify360 configurations whitelist loopback traffic and some don’t. If loopback is whitelisted but external traffic is blocked, our self-check will see a valid metadata response and NOT trigger the notice — even though Claude (external) still can’t connect. If you see this pattern, run the curl tests in the “How to Confirm” section above from EXTERNAL to your site — those are the definitive diagnostic.
Still Stuck? Two Support Paths
If your host completed the allowlist and Claude still can’t connect:
Community Support (free) — wp.org Plugin Forum
Post a new thread at wordpress.org/support/plugin/royal-mcp/. Include the diagnostic info listed below in your post.
Premium Support (paid) — direct one-on-one help
For priority response (24-hour SLA) and hands-on diagnostic help, our Premium Support tier is $149/year.
Information to include in your post or ticket
- Full curl output for
/wp-json/royal-mcp/v1/mcpand/.well-known/oauth-authorization-serverBEFORE and AFTER your host applied the allowlist (usecurl -i, not just-I, so we see the body) - Your hosting provider (SiteGround, Bluehost, HostGator, Namecheap, etc.) — helps us cross-reference known-good allowlist patterns for that host
- Confirmation your host completed the allowlist (paste any confirmation email they sent)
- Royal MCP version from WP Admin → Plugins
- Whether the Activity Log now shows entries during a failed attempt (any entry means the request reached WordPress — different diagnosis)