Fix REST API Error in WordPress

You’re trying to save a post in Gutenberg and it throws “Publishing failed” or “Updating failed.” Or a plugin settings page loads blank. You check the browser console and see 401 Unauthorized or 403 Forbidden responses hitting /wp-json/. The WordPress REST API is being blocked, and half your admin panel depends on it.

What Causes REST API Error?

Security plugin blocking REST API requests — plugins like Wordfence, iThemes Security, or All In One WP Security often restrict REST API access to logged-in users or block it entirely. This is the #1 cause I see in client audits.
Server-level mod_security or WAF rules — your hosting provider’s firewall is intercepting REST API requests and returning 401/403 before WordPress even processes them.
Broken.htaccess or permalink structure — corrupted rewrite rules prevent /wp-json/ routes from resolving correctly.
Authentication cookie issues — expired nonces, domain/cookie mismatch on multisite, or a caching plugin serving stale nonces to logged-in users.
REST API disabled by code — a theme or plugin is calling add_filter('rest_authentication_errors',...) and returning a WP_Error for all unauthenticated requests.

How to Fix It

Step 1: Confirm the REST API Is Actually Blocked

Open your browser and hit this URL directly while logged into WordPress:

https://yourdomain.com/wp-json/wp/v2/posts

If you get a JSON response with post data, the API works. If you get a 401/403 or an HTML error page, the API is blocked.

Next, check Tools → Site Health → Info → WordPress and look for the REST API status. Also run this via WP-CLI:

wp rest api check

If that command isn’t available, test with curl from your server:

curl -I https://yourdomain.com/wp-json/

A 200 OK means the API endpoint is reachable. A 401 or 403 confirms the block.

Step 2: Disable Security Plugin REST API Restrictions

The right way to do this: check your security plugin settings first before ripping anything out.

Wordfence: Go to Wordfence → Firewall → Advanced Options and check “Allowlisted REST API routes.” Make sure /wp-json/ isn’t being blocked.

iThemes Security: Navigate to Security → Settings → WordPress Tweaks and ensure “REST API” is set to Default Access — not “Restricted.”

If you can’t access the admin panel, disable the plugin via WP-CLI or FTP:

wp plugin deactivate wordfence

Or rename the plugin folder:

mv wp-content/plugins/wordfence wp-content/plugins/wordfence.disabled

Reload and test the REST API. If it works, you found your culprit. Re-enable the plugin and adjust its settings instead of leaving it disabled.

Step 3: Check.htaccess and Flush Permalinks

A corrupted .htaccess file can break REST API routing. SSH into your server and check:

cat.htaccess

The standard WordPress block should look like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule. /index.php [L]
</IfModule>
# END WordPress

If it’s mangled or missing, replace it. Then flush permalinks:

wp rewrite flush

Or go to Settings → Permalinks and click Save Changes without changing anything. This regenerates the rewrite rules.

Step 4: Check for Code-Level REST API Blocks

Some themes and plugins disable the REST API entirely. Search your codebase:

grep -r "rest_authentication_errors" wp-content/themes/ wp-content/plugins/

Also check for this common snippet that blocks unauthenticated REST access:

grep -r "rest_cannot_access" wp-content/

If you find a filter returning a WP_Error on rest_authentication_errors, remove it or wrap it in a condition that allows authenticated admin requests through.

Step 5: Rule Out Server-Level Blocking

If none of the above fixes it, the block is happening at the server level. Add this to your .htaccess before the WordPress block:

<IfModule mod_rewrite.c>
RewriteRule ^wp-json/ index.php [L]
</IfModule>

For Nginx servers, make sure your config includes:

location /wp-json/ {
 try_files $uri $uri/ /index.php?$args;
}

Contact your hosting provider and ask them to whitelist /wp-json/ in their WAF and mod_security rules. If you’re on shared hosting, this is more common than you’d think — SiteGround, Kinsta, and WP Engine handle this well, but budget hosts often have aggressive rulesets.

If the REST API works for logged-out requests but fails for logged-in users, you have a nonce or cookie problem. Add this to wp-config.php to debug:

define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);

Check wp-content/debug.log for nonce verification failures. Common fixes:

Clear your page cache and object cache: wp cache flush
Ensure your WordPress Address and Site Address in Settings → General match exactly (no http/https mismatch)
If using a CDN, exclude /wp-admin/ and /wp-json/ from caching

Prevention

Audit security plugin settings after every update. Security plugins love to add new restrictive defaults silently. Check REST API access settings after each plugin update.
Never disable the REST API entirely. Skip this if you want headaches later. Gutenberg, Site Health, and most modern plugins depend on it. Restricting public access is fine; blocking it for authenticated users breaks everything.
Add REST API monitoring to your Site Health checks. Use WP-CLI in a cron job: wp rest api check — pipe failures to your monitoring.
Keep a known-good.htaccess backup. Store a copy in your deployment repo or backup system. When things break, you can restore it in seconds instead of debugging from scratch.

Last verified: April 2026

Symptoms