You’re right — this looks like anti-bot protection from your WordPress hosting provider. The response you’re seeing suggests that JavaScript needs to be executed and cookies set before the API can be accessed — a common protection against automated requests like those from Postman or curl.

If you can’t disable this protection on your hosting, I’d recommend trying my project — wordpress_puppet_api. It uses Puppeteer, a headless browser, to mimic real user behavior, including running JavaScript and handling cookies. This way, you can bypass these restrictions and still automate your WordPress content posting without needing premium API access or changing your hosting provider.

Let me know if you hit any snags — happy to help! 🚀