What Is the WordPress REST API Error?
The WordPress REST API is a system that allows external applications to communicate with your WordPress site via HTTP requests. REST API errors appear when this communication fails, usually showing messages like:
- “404 rest_no_route”
- “rest_forbidden: Sorry, you are not allowed to do this”
- “The REST request has been blocked for security reasons”
- “CORS error: Access-Control-Allow-Origin header missing”
These errors typically appear when:
- Mobile apps try to connect to your WordPress site
- JavaScript tools on your site attempt API calls
- Third-party integrations (like automation services) connect to WordPress
- The Gutenberg editor can’t save posts
- WooCommerce REST API calls fail
REST API errors don’t necessarily mean your site is down—the site loads fine. But any feature relying on API communication stops working.
Common Causes of REST API Errors
- Permalink structure misconfigured — REST routes can’t be generated properly
- Plugins blocking REST API — Security or performance plugins disable it
- Incorrect file permissions — WordPress can’t write necessary routing files
- Plugin or theme conflict — Code interferes with REST API functionality
- Outdated WordPress version — REST API issues in older WordPress versions
- CORS headers missing — Cross-origin requests are blocked
- Authentication issues — Insufficient user permissions for API access
- Server configuration — mod_rewrite disabled or reverse proxy misconfigured
Solution 1: Reset Permalinks
REST API relies on WordPress’s URL rewrite system. Corrupted rewrite rules break REST API routes.
- Log in to WordPress admin
- Go to Settings → Permalinks
- Click on “Plain” temporarily
- Click “Save Changes”
- Now select “Post name” (or your preferred structure)
- Click “Save Changes” again
- Test REST API access
Why this works: WordPress regenerates all rewrite rules when you save permalink settings. This fixes 70% of REST API 404 errors.
Test if REST API works:
Visit yoursite.com/wp-json/wp/v2/posts in your browser. You should see JSON data.
Solution 2: Check .htaccess File
If resetting permalinks doesn’t work, .htaccess might be preventing REST API requests.
Via FTP:
- Download
.htaccessfrom your WordPress root - Verify it contains WordPress rewrite rules (look for
RewriteRule . /index.php [L]) - If corrupted or missing, delete it and recreate:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
- Save and test REST API again
Test REST API:
curl -X GET https://yoursite.com/wp-json/wp/v2/posts
If it returns JSON data, REST API is working.
Solution 3: Disable Security Plugins Temporarily
Security plugins often block REST API by default, preventing legitimate API access.
Via WordPress admin:
- Go to Plugins → Installed Plugins
- Deactivate security plugins (Wordfence, iThemes Security, Sucuri, etc.)
- Test REST API
Via FTP (if wp-admin is blocked):
- Navigate to
/wp-content/plugins/ - Rename security plugin folder to disable it
- Test REST API
If REST API works after disabling security plugins:
Re-enable the plugin and configure it to whitelist REST API:
For Wordfence:
- Go to Wordfence → Firewall → Advanced Settings
- Find “Completely unblock the REST API”
- Enable it
For other plugins: Look for REST API, API, or whitelist settings.
Solution 4: Check User Permissions
REST API requests need proper authentication. Users without sufficient permissions get blocked.
For authenticated requests:
- Go to Users → Edit your admin user
- Ensure role is “Administrator” with full capabilities
- Test API call with authentication
For public REST endpoints:
Some endpoints should work without authentication. If they return 403 (forbidden):
- Go to Settings → Permalink
- Save changes to flush rewrite rules
- Try again
Test public REST API:
curl -X GET https://yoursite.com/wp-json/wp/v2/posts?per_page=1
This should return at least basic post data even without authentication.
Solution 5: Disable All Plugins and Test
A plugin might be interfering with REST API functionality.
Via WordPress:
- Go to Plugins → Installed Plugins
- Deactivate all plugins
- Test REST API:
yoursite.com/wp-json/wp/v2/posts - If it works, reactivate plugins one by one to find the culprit
Via FTP:
- Rename
/wp-content/plugins/to/wp-content/plugins-disabled/ - Create new empty
/wp-content/plugins/folder - Test REST API
- Move plugins back one by one to identify the problematic one
Common plugin culprits:
- Caching plugins (check REST API whitelist settings)
- API limitation plugins
- Custom plugin blocking certain endpoints
Solution 6: Check Nginx REST API Configuration
If your server runs Nginx (not Apache), REST API needs specific configuration.
Add this to your Nginx server block:
location /wp-json {
try_files $uri $uri/ /index.php?rest_route=$request_uri;
}
Reload Nginx:
sudo systemctl reload nginx
Contact your hosting provider if you can’t access Nginx configuration.
Solution 7: Enable Gutenberg REST API Availability
Some security configurations disable REST API for Gutenberg editor, preventing post saving.
Add to wp-config.php:
define('REST_REQUEST', true);
define('REST_API_ENABLED', true);
Or add to theme’s functions.php:
// Enable REST API
add_filter('rest_authentication_errors', function($result) {
if (true === $result || is_wp_error($result)) {
return $result;
}
if (!isset($_SERVER['PHP_AUTH_USER'])) {
return $result;
}
return apply_filters('rest_authentication_errors', null);
});
Solution 8: Fix CORS Headers for Cross-Origin Requests
If REST API calls come from a different domain, CORS (Cross-Origin Resource Sharing) headers might be missing.
Add to .htaccess:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Header set Access-Control-Allow-Headers "Content-Type, Authorization"
</IfModule>
Or add to theme’s functions.php:
add_action('rest_api_init', function() {
remove_filter('rest_pre_serve_request', 'rest_send_cors_headers');
add_filter('rest_pre_serve_request', function($value) {
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization');
return $value;
});
}, 15);
Test with external API tools after applying CORS headers.
Solution 9: Check WordPress REST API Is Enabled
Older WordPress versions required manual REST API enablement. Verify it’s active:
Check via wp-cli:
wp rest-api cache-config
Check via code:
Add to functions.php temporarily:
add_action('rest_api_init', function() {
error_log('REST API is active');
});
Check debug.log for the message.
Enable REST API manually (if needed):
Add to wp-config.php:
define('REST_API_ENABLED', true);
Solution 10: Update WordPress, Themes, and Plugins
REST API bugs in older versions are fixed in updates. Keeping everything current prevents most issues.
Update WordPress:
- Go to Dashboard → Updates
- Click “Update Now”
Update plugins and themes:
- Check for updates automatically
- Test REST API after each major update
Check required WordPress version for plugins:
Some plugins require WordPress 5.7+ for REST API support. Ensure compatibility.
Solution 11: Check Server Error Logs
Server logs reveal exactly why REST API calls are failing.
Via cPanel:
- Log in to cPanel
- Find “Errors” under “Metrics”
- Look for entries matching REST API request times
- Check for 404, 403, or 502 errors
Via FTP:
Check these files:
/public_html/error_log/home/username/logs/error_log
Look for patterns like “POST /wp-json/wp/v2/posts 403” indicating REST API blocks.
Solution 12: Test REST API with Tools
Use tools to diagnose REST API functionality:
Via cURL:
# Test public REST API
curl -X GET https://yoursite.com/wp-json/wp/v2/posts
# Test authenticated REST API
curl -X GET https://yoursite.com/wp-json/wp/v2/users/me \
-H "Authorization: Bearer YOUR_JWT_TOKEN"
# Test with basic auth
curl -X GET https://yoursite.com/wp-json/wp/v2/users/me \
-u username:password
Via REST Client (VS Code extension):
Create a .http or .rest file:
GET https://yoursite.com/wp-json/wp/v2/posts HTTP/1.1
Authorization: Basic base64_encoded_credentials
If these tools return JSON data, REST API is functional.
Prevention Tips
- Keep REST API enabled (it powers Gutenberg editor)
- Test REST API calls on staging before production
- Whitelist REST API in security plugins, don’t block it
- Monitor WordPress version compatibility with plugins
- Document any custom REST routes you create
- Use authentication tokens (JWT) instead of basic auth for security
- Test cross-origin requests with correct CORS headers
- Keep permalinks set to “Post name” (REST API needs rewrite rules)
From experience: I once spent an afternoon debugging a custom mobile app that couldn’t connect to a WordPress site. The REST API was perfectly functional—the issue was missing CORS headers because the mobile app’s domain didn’t match the WordPress site domain. One line of code in .htaccess fixed it completely.
Related: REST API issues sometimes overlap with other WordPress errors. Check How to Fix WordPress 403 Forbidden Error or How to Fix WordPress 404 Page Not Found Error if permission or routing issues persist.
Conclusion
WordPress REST API errors usually come from disrupted URL rewrite rules or overly aggressive security plugins. The fastest fix is resetting permalinks to regenerate rewrite rules, which solves about 70% of cases. After that, it’s a matter of checking for plugin conflicts or CORS header issues. Understanding that REST API is critical for the Gutenberg editor means you should prioritize fixing these errors quickly to prevent editor breakage and integration problems.