Fix: The WordPress REST API

The WordPress REST API is the best way to access or modify WordPress data asynchronously without slowing down your site or your admin. You can expect the whole WordPress admin to use it someday (and you will love it when it does). If you are worried about the security of the REST API, check the end of this article. If you get an error related to the REST API, it might be one of two things: either the WordPress REST API is not enabled, or one of the requests to it was rejected or failed.

This article is being improved based on my users’ feedback. I will improve this troubleshooting guide little by little, so don’t hesitate to share your issues or your findings in the comments. Thank you :)

Is the WordPress REST API enabled?

The best way to check is to visit this URL: https://yoursite.com/wp-json. If you see some information that seems related to your WordPress REST API, it means that, at least, your WordPress REST API is enabled. Otherwise, it is not working, and you will need to understand why.

If you are using one of my plugins (Meow Apps), don’t expect to see any information about it. My plugins only load their code when they are being used, for optimization purposes (and let’s say, additional security too!).

Enable Permalinks

Visit your Settings > Permalinks. Make sure Plain is not selected. Usually, Post Name is the best choice. Even if everything is fine, click on Save Changes. That will rewrite/repair your .htaccess.

Security Plugins

Are you using a security plugin? It might block the REST API. Make sure it doesn’t. Plugins known to do that are:

  • WP Cerber Security
  • WPS Bidouille
  • Plugin Organizer

Modified .htaccess

It is possible that you or your system administrator modified the .htaccess to add a Content Security Policy. I have to admit, I am not very acquainted with this, but please be aware that a customized .htaccess can restrict many requests to your site.

Check your code

Certain lines of code can be written to disable the REST API. If you find those, simply delete them.

// Filters written to disable the REST API and its JSONP support
add_filter('rest_enabled', '__return_false');
add_filter('rest_jsonp_enabled', '__return_false');

The REST API is enabled, but it breaks, or the reply is broken?

The reply might be broken. That means either an error has happened on the server side, or that the server rejected that request.

  • To know if it’s an error, check this: The PHP Error Logs.
  • To know if it’s a network/server issue (rejected or timed out request), check this: Check Network Activity with Google Chrome. It’s usually a good idea to talk with your hosting service in this case, as they might be able to help you and share more information with you.

Keep in mind that the error might be directly related to the plugin you are having a problem with. Any other plugin can interfere and break the request.
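The two checks above (is the REST API enabled, and was the request rejected or the reply broken) can be scripted. The Python below is an added example, not part of the original article or of any plugin: the function names, the verdict strings and the sample replies are constructed for illustration, and `rest_example_denied` is a placeholder error code.

```python
import json
import urllib.error
import urllib.request


def classify_rest_response(status, content_type, body):
    """Turn one reply from /wp-json into a troubleshooting verdict."""
    data = None
    if "json" in content_type.lower():
        try:
            data = json.loads(body)
        except ValueError:
            pass  # JSON header but unparsable body, e.g. PHP notices mixed in
    if status == 200 and isinstance(data, dict) and "namespaces" in data and "routes" in data:
        return "enabled"
    # WordPress reports REST errors as a JSON object with "code" and "message".
    if isinstance(data, dict) and "code" in data and "message" in data:
        kind = "rejected" if status in (401, 403) else "rest-error"
        return kind + ": " + str(data["code"])
    if status >= 500:
        return "server-error"  # check the PHP error logs
    # 401/403: security plugin or .htaccess; 404: permalinks; 200: body is not the index
    fallback = {200: "broken-reply", 401: "blocked", 403: "blocked", 404: "not-found"}
    return fallback.get(status, "unexpected-status")


def probe(site_url, timeout=10):
    """Fetch <site_url>/wp-json over the network and classify the reply."""
    try:
        with urllib.request.urlopen(site_url.rstrip("/") + "/wp-json", timeout=timeout) as resp:
            status, headers, raw = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a body
        status, headers, raw = err.code, err.headers, err.read()
    except OSError:  # URLError and timeouts are OSError subclasses
        return "not-reachable"
    return classify_rest_response(status, headers.get("Content-Type", ""), raw.decode("utf-8", "replace"))


# Constructed sample replies (not captured from a real site).
SAMPLES = [
    (200, "application/json; charset=UTF-8", '{"name": "Demo", "namespaces": ["wp/v2"], "routes": {}}'),
    (401, "application/json", '{"code": "rest_example_denied", "message": "Denied.", "data": {"status": 401}}'),
    (200, "application/json", '<b>Notice</b>: undefined index {"namespaces": []}'),
    (404, "text/html", "<html>Not Found</html>"),
]

if __name__ == "__main__":
    for status, ctype, body in SAMPLES:
        print(status, "->", classify_rest_response(status, ctype, body))
```

Call `probe("https://yoursite.com")` against your own site to get the same verdicts from a live reply.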

Is the WordPress REST API secure?

Like any software, it can’t be perfect. But generally, it is very secure, and constantly checked by security professionals for new vulnerabilities. In fact, when plugins (or new WordPress features) are built, developers have the choice of using the REST API or implementing their own way to access the data. And you guessed it, the latter is much less secure.

Basically, do you prefer to have one hundred slightly hidden doors to access your house, or one big and obvious metal door covered with security cameras and alarm systems? Enable the REST API, make sure developers are using it to create new features, and believe me, you will sleep better at night :)