How to Enable the WordPress REST API (And Fix It When It’s Broken)

👁 13 views

What Is the WordPress REST API?

The WordPress REST API is a built-in interface that lets you interact with your WordPress site using HTTP requests. It exposes your site’s data — posts, pages, users, media, settings — as JSON, making it possible for external apps, headless frontends, and automation tools to read and write content without touching the database directly.

If you’re building a custom dashboard, automating content workflows, or integrating WordPress with third-party services, the REST API is how you get it done. The good news: it’s already enabled by default on every modern WordPress installation. But there are a few reasons it might not be working — and several ways to extend and secure it for production use.

Is the WordPress REST API Enabled by Default?

Yes — since WordPress 4.7, the REST API ships enabled out of the box. You can verify this immediately by visiting:

https://yoursite.com/wp-json/

If you see a JSON response listing routes, you’re good. If you get a 404 or an error, keep reading — something is blocking it.

Why the WordPress REST API Might Be Disabled

Even though the REST API is on by default, several things can break or disable it:

A security plugin — Plugins like Wordfence, iThemes Security, or Disable REST API can restrict access, sometimes too aggressively.
Custom code in functions.php — Some themes or snippets add remove_action('rest_api_init', ...) or return errors for unauthenticated requests.
Permalink settings — The REST API relies on pretty permalinks. If you’re using plain permalinks (?p=123 style), the /wp-json/ endpoint won’t resolve correctly.
Server-level blocks — Nginx or Apache rules can block requests to certain paths, including /wp-json/.
Hosting restrictions — Some shared hosts block REST API access by default or require authentication for all endpoints.

How to Enable (or Re-Enable) the WordPress REST API

Step 1: Check Your Permalink Settings

Go to Settings → Permalinks in your WordPress admin. Make sure you’re using any option other than “Plain.” Post name (/sample-post/) is the recommended choice. Save your settings — this flushes rewrite rules and often resolves 404s on /wp-json/.

Step 2: Check for Plugins Disabling the REST API

Search your active plugins for anything related to security or REST API restrictions. Temporarily deactivate them one at a time and test the /wp-json/ endpoint after each deactivation to find the culprit.

If you’re using iThemes Security, look under Security → Settings → WordPress Tweaks and check whether “REST API Access” is set to “Restricted.” Change it to “Default Access.”

Step 3: Remove Blocking Code in functions.php

If a previous developer added code to disable the REST API, you’ll need to find and remove it. Search your theme’s functions.php for:

add_filter('rest_authentication_errors', ...)
add_filter('rest_enabled', ...)
remove_action('rest_api_init', ...)

Any filter that returns a WP_Error for unauthenticated requests will block public endpoints. Remove or adjust as needed.

Step 4: Fix Server-Level Blocks

For Nginx, check your site config for rules that might block /wp-json/. A common issue is overly broad location blocks that deny access to paths not explicitly allowed. Make sure this location is handled:

location /wp-json/ {
    try_files $uri $uri/ /index.php?$args;
}

For Apache, ensure mod_rewrite is enabled and your .htaccess file contains the standard WordPress rewrite rules.

Authenticating REST API Requests

Public endpoints (like reading published posts) work without authentication. But write operations — creating posts, updating settings, managing users — require auth. WordPress supports several methods:

Application Passwords (built-in since WP 5.6) — Generate a token under Users → Profile → Application Passwords. Use it with Basic Auth in your requests.
Cookie authentication — Used by the WordPress admin UI itself; requires a nonce and only works from the same origin.
OAuth 1.0a — Available via third-party plugins; more secure for production integrations.
JWT tokens — A popular approach using plugins like JWT Authentication for WP REST API.

For server-to-server automation (like running scripts or connecting external tools), Application Passwords are the easiest path. Here’s an example request using curl:

curl -X GET https://yoursite.com/wp-json/wp/v2/posts   -u "username:application_password"

Extending the REST API with Custom Endpoints

Once the REST API is running, you can register your own endpoints to expose or accept custom data. This is how WordPress tools like MCP (Model Context Protocol) integrations work — they register routes that allow AI agents, automation scripts, and external services to interact with WordPress in structured ways.

add_action('rest_api_init', function() {
    register_rest_route('myplugin/v1', '/data', [
        'methods'  => 'GET',
        'callback' => 'myplugin_get_data',
        'permission_callback' => '__return_true',
    ]);
});

Custom routes follow the same authentication and namespace conventions as core routes. You can scope permissions tightly — requiring specific user roles or capabilities — using the permission_callback.

Using the REST API for WordPress Automation

The REST API is the foundation of modern WordPress automation. Here’s what it unlocks:

Headless WordPress — Decouple your front end entirely and serve content via Next.js, Nuxt, or any framework that can fetch JSON.
Content pipelines — Automate post creation, update metadata, manage media libraries programmatically.
Multi-site management — Control multiple WordPress installs from a single dashboard or script.
AI integrations — Connect WordPress to LLMs and AI agents using tools like Master Control Press, which exposes WordPress management actions through the Model Context Protocol over the REST API.
Zapier/Make workflows — Trigger WordPress actions from external events (form submissions, CRM updates, e-commerce orders).

Securing the REST API Without Breaking It

A common mistake is disabling the REST API entirely for “security.” This breaks the block editor, plugin functionality, and any integrations you’ve built. Instead, take a targeted approach:

Require authentication for sensitive endpoints — Use permission_callback to gate write access properly.
Rate-limit API requests — Use a WAF or Nginx rate limiting to prevent abuse.
Disable user enumeration — The /wp/v2/users endpoint exposes usernames publicly by default. Restrict it if you’re not using it.
Use HTTPS everywhere — All API traffic should be encrypted. No exceptions.

Testing the REST API

A few quick ways to confirm your REST API is working as expected:

Browser — Visit https://yoursite.com/wp-json/wp/v2/posts and look for JSON output.
curl — curl -s https://yoursite.com/wp-json/ | python3 -m json.tool
Postman or Insomnia — GUI tools for testing authenticated requests.
WP-CLI — wp rest-api get /wp/v2/posts tests the API from the command line.

The Bottom Line

The WordPress REST API is already running on your site — the question is whether something is getting in the way. Check your permalinks, scan for restrictive plugins, and review any custom code that might be returning errors for unauthenticated requests. Once it’s confirmed working, you have a powerful interface for automation, headless builds, and external integrations.

If you’re looking to take WordPress automation further — connecting your site to AI agents, managing content programmatically, or building multi-site workflows — check out Master Control Press. It’s built on top of the REST API and extends it with Model Context Protocol support, making your WordPress site controllable from any MCP-compatible client.