If you go to the Scans section of the Shield Security Dashboard and try to run scans, you could get a warning message that scans are currently disabled because the site can't make HTTP requests to itself.

What does this mean and what can you do about it?

Each time you load the scans page, it'll try the HTTP request. The HTTP request is against your "home URL".


Shield has a check in the Scans section that highlights the scans wont work unless a site can make HTTP requests to itself.


If you don't know why your site can't make HTTP requests to itself, you may need to discuss this with your host. Check if they have a problem with loopback requests - ie. your site sending a web request to your own server.

If you also run the Shield Debug page and look under the Capabilities section, this might also point to an issue. On a normal working site, you'll see that loopback requests is working fine:

Another example is .htaccess rule that block access to a site except from certain IP address, in which case you'll need to whitelist your server IP. If your web host says that they need the IP address of our server to whitelist, please note that:


The error message about not being able to make HTTP requests to itself isn't about our servers and IP, it's about yours. Shield tries to make an HTTP request to itself - your own site. There's no reason your own server shouldn't be able to make a request to itself. So your host will probably want to know their own server IP, not ours..

Additionally, if you have a CloudFlare origin cert installed, it may happen that those are not viewed as valid by WordPress since they have no CA associated with them. In that case, best is to reach out their support, because you might need to purchase a valid cert and install it.