Credential toggle: “Include Credentials in Query” = ON
What I tested:
Browser test with same consumer_key/consumer_secret
as URL params = 200 OK, returns valid JSON
n8n credential test = 403 Forbidden
“perhaps check your credentials”
What I’ve already tried:
Generated brand new WooCommerce API keys
Confirmed Read/Write permissions on the key
Toggle “Include Credentials in Query” ON
Bluehost disabled ModSecurity server-side
Added SetEnvIf Authorization header to .htaccess
Still failing after all of the above.
Question: Is there a known IP range for n8n cloud
that needs to be whitelisted on the hosting server?
Or is there another connection method to bypass
server-level firewall blocks on Bluehost shared hosting?
Your 403 error is almost certainly a server-side firewall block, not a credential issue (since your browser test works fine). Provide Bluehost with the n8n Cloud outbound IPs to whitelist: [Cloud IP addresses]
Also check: Security/SSL plugins (e.g. “Really Simple SSL”) on your WordPress site can block n8n requests — disabling them has resolved similar issues for other users.
If Bluehost won’t whitelist the IPs, they’re probably blocking n8n’s default axios User-Agent. Swap the official WooCommerce node for an HTTP Request node. Set up your GET request, use Basic Auth for your credentials, and add a Header named User-Agent with a standard browser string like this: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
The IP whitelist approach from @A_A4 is the right fix — just wanted to add a few more things that might help get this unstuck faster on Bluehost shared hosting specifically.
Why this happens on shared hosting
Bluehost (and most shared/managed WordPress hosts) runs ModSecurity or a similar WAF that automatically blocks requests from cloud datacenter IP ranges. The 403 you’re seeing is almost certainly from the WAF, not WooCommerce itself — WooCommerce would return a 401 for bad credentials, not a 403. The fact that your browser works confirms the credentials are valid; the issue is where the request is coming from.
Exact steps for Bluehost
Log into your Bluehost cPanel
Go to Security → IP Blocker (check if your n8n cloud IPs got auto-blocked here first and unblock them)
Then contact Bluehost support and ask them to whitelist the n8n Cloud IP ranges at the ModSecurity/server firewall level — specifically mention you’re getting 403s from an automation tool and need those IP ranges allowed for your domain
The IPs from A_A4’s response are correct — you’ll want to pass all of them to support.
Alternative if IP whitelisting doesn’t work
If Bluehost support can’t/won’t whitelist at the firewall level, you have a few options:
Set WC_API_DISABLE to false and ensure WooCommerce’s REST API is enabled in WooCommerce → Settings → Advanced → REST API
Try using the WooCommerce node in n8n with the Query Auth option instead of Header Auth — some shared hosting WAFs treat query param auth differently
Consider routing your n8n workflow through a proxy on your own server that forwards to WooCommerce (more complex but works around any IP blocking)
Also double-check that your consumer key starts with ck_ and consumer secret starts with cs_ — if you copy-pasted and accidentally got spaces or line breaks, that can also cause a 403 on some hosts.
IP whitelisting wont really work here because n8n cloud rotates through like 20+ IPs and Bluehost only lets you whitelist 3 in cPanel. Try using an HTTP Request node instead of the WooCommerce node, hit the WooCommerce REST API directly and set the User-Agent header to something like Mozilla/5.0 so the WAF doesnt flag it as a bot request
These IPs can change without warning.