Fix: The WordPress REST API

The WordPress REST API is the best way to access or modify WordPress data asynchronously without slowing down your site or your admin. You can expect the whole WordPress admin to use it someday (and you will love it when it is).

If you are worried about the security of the REST API, check the end of this article.

If you get an error related to the REST API, there are two possible causes: either the WordPress REST API is not enabled, or the asynchronous request to the REST API was rejected or failed.

This article will be improved based on your experience. Please don’t hesitate to share your issues and solutions in the comments. Thank you! ☺️

Is the WordPress REST API enabled?

The best way to check is to visit this URL: https://yoursite.com/wp-json. If you see some information which seems related to your WordPress REST API, it works: at the very least, your WordPress REST API is enabled. Otherwise, it is not working, and you will need to understand why.

If you are using one of my plugins (Meow Apps), don’t expect to see any information about it. My plugins only load their code when they are being used, for optimization purposes (and let’s say, additional security too!).

Visit your Settings > Permalinks. Make sure Plain is not selected. Usually, Post Name is the best choice. Even if everything is fine, click on Save Changes. That will rewrite/repair your .htaccess.

Security Plugins

They might block the REST API. Make sure they don't, by disabling them temporarily. Plugins known to cause issues are:

  • WP Cerber Security
  • WPS Bidouille
  • Plugin Organizer

Services like Cloudflare don’t cause any issues.

Caching Plugins

Many of my users had an issue with W3 Total Cache. If you use it, try to clear your Object Cache in the Settings. Also, avoid caching anything related to the REST API; the requests to it aren’t meant to be cached, most of the time.

Modified .htaccess

It is possible that you or your system administrator modified the .htaccess to add a Content Security Policy. I have to admit, I am not very acquainted with this, but please be aware that a customized .htaccess can actually restrict many requests to your site. Make sure it doesn’t.

Check your code

Certain lines of code can be written to disable the REST API. If you find those, simply delete them.

add_filter('rest_enabled', '__return_false');
add_filter('rest_jsonp_enabled', '__return_false');

The REST API is enabled, but it breaks (broken reply)

It means that either an error has happened on the server side, or that the server rejected that request.

  • To know if it’s an error, check this: The PHP Error Logs.
  • To know if it’s a network/server issue (rejected or timed out request), check this: Check Network Activity with Google Chrome. It’s usually a good idea to talk with your hosting service in this case, as they might be able to help you and share more information with you.

Keep in mind that the error might be directly related to the plugin you are having a problem with. Any other plugin can interfere and break the request.
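
The checks from the two sections above (is the REST API enabled, and the broken reply case), as an added example that is not code from this article or from Meow Apps: a Python function that sorts a response from /wp-json into those causes. The function name, the verdict labels and the sample responses are constructed for illustration.

```python
import json

def triage_rest_response(status, content_type, body):
    """Classify a /wp-json response; returns (verdict, detail)."""
    text = body.strip()
    try:
        data = json.loads(text)
    except ValueError:
        data = None
    # Healthy index: a JSON object listing namespaces and routes.
    if status == 200 and isinstance(data, dict) and "namespaces" in data and "routes" in data:
        return ("enabled", f"{len(data['namespaces'])} namespaces exposed")
    # WordPress error object: {"code": ..., "message": ..., "data": {...}}
    if isinstance(data, dict) and "code" in data and "message" in data:
        verdict = "rejected" if status in (401, 403) else "error"
        return (verdict, f"{data['code']}: {data['message']}")
    # Broken reply: the JSON is there, but something was printed before it
    # (typically a PHP notice or warning), so the browser cannot parse it.
    start = text.find("{")
    if status == 200 and start > 0:
        try:
            json.loads(text[start:])
            return ("broken", "output before JSON: " + text[:start].strip()[:80])
        except ValueError:
            pass
    if status in (401, 403):
        return ("rejected", "blocked before WordPress answered (security plugin or server rule)")
    if status == 404:
        return ("not_routed", "check Settings > Permalinks and .htaccess")
    if status >= 500:
        return ("error", "server-side failure; check the PHP error logs")
    return ("unknown", f"status {status}, content type {content_type or 'none'}")

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "healthy": (200, "application/json",
                '{"name": "Demo", "namespaces": ["wp/v2"], "routes": {"/": {}}}'),
    "php_warning": (200, "text/html",
                    '<b>Warning</b>: Undefined variable $x in demo.php on line 3\n'
                    '{"namespaces": ["wp/v2"], "routes": {}}'),
    "blocked": (403, "text/html", "<html><body>Forbidden</body></html>"),
    "wp_error": (401, "application/json",
                 '{"code": "rest_forbidden", "message": "Sorry, you are not allowed to do that.", "data": {"status": 401}}'),
    "plain_permalinks": (404, "text/html", "<html><body>Not Found</body></html>"),
}

if __name__ == "__main__":
    for name, response in SAMPLES.items():
        print(name, "->", triage_rest_response(*response))
```

Feed it the status code, Content-Type and body shown in the browser's network panel for the failing request.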

Is the WordPress REST API secure?

Like any software, it can’t be perfect. But generally, it is very secure, and constantly checked by security professionals for new vulnerabilities. In fact, when plugins (or new WordPress features) are built, developers have the choice of using the REST API or implementing their own way to access the data. And you guessed it, the latter is much less secure.

Basically, do you prefer to have one hundred slightly hidden doors to access your house, or one big and obvious metal door covered with security cameras and alarm systems? Enable the REST API, make sure developers are using it to create new features, and believe me, you will sleep better at night 🙂