What Is the WordPress REST API?
The WordPress REST API is a built-in interface that lets external applications communicate with your WordPress site using standard HTTP requests. It was introduced in WordPress 4.7 and is enabled by default on all modern installations — but certain server configurations, security plugins, and misconfigurations can break or disable it without obvious error messages.
The REST API is the backbone of everything from the Gutenberg block editor to headless WordPress setups to automation tools like Master Control Press. If the REST API is disabled or restricted, your ability to manage WordPress programmatically grinds to a halt.
How to Check if the WordPress REST API Is Enabled
Before you troubleshoot, verify the current state of your REST API. The fastest way is to visit this URL in a browser or run a curl command:
https://yoursite.com/wp-json/wp/v2/posts
If the REST API is working, you will see a JSON response containing your posts. If it returns a 404, an empty response, or an authentication error, something is blocking it.
You can also test it via curl:
curl -I https://yoursite.com/wp-json/wp/v2/posts
A 200 OK response means the API is accessible. Anything else means you have work to do.
5 Reasons the WordPress REST API Gets Disabled (and How to Fix Each)
1. A Security Plugin Is Blocking It
This is the most common cause. Plugins like Wordfence, iThemes Security, Disable REST API, and WP Cerber all have options to restrict or completely disable REST API access for unauthenticated users.
Fix: Check each active security plugin’s settings. Look for sections labeled “REST API” or “API Access.” Wordfence has this under Firewall > All Firewall Options. iThemes Security has a specific “Disable REST API” toggle. The plugin called “Disable REST API” does exactly what it says — deactivate it or configure exceptions for the routes you need.
If you need to allow REST API access only for authenticated users, that is a reasonable middle ground. But outright disabling it will break Gutenberg and any automation tool connected to your site.
2. The rest_authentication_errors Filter Is Returning an Error
Some plugins and custom code hook into rest_authentication_errors to block unauthenticated REST API requests. This is sometimes added with good intentions but ends up blocking legitimate use cases.
Fix: Add temporary debug code in your theme’s functions.php to see what is happening:
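add_filter( 'rest_authentication_errors', function( $result ) {
    // Log only real errors; true or null means nothing blocked the request.
    if ( is_wp_error( $result ) ) {
        error_log( 'REST auth blocked: ' . print_r( $result, true ) );
    }
    return $result;
}, PHP_INT_MAX ); // Run last so errors from every earlier callback are logged.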
Check your debug.log after testing a REST API call. The log entry will reveal which plugin or code path is returning the error.
3. Permalink Structure Is Not Set
The WordPress REST API relies on pretty permalinks. If your permalink structure is set to “Plain” (using ?p=123 URLs), the /wp-json/ endpoint will not work correctly.
Fix: Go to Settings > Permalinks and select any option other than Plain. “Post name” is the most common and recommended setting. Save the changes — WordPress will automatically update the .htaccess rewrite rules.
4. The .htaccess File Is Missing Rewrite Rules
Even with pretty permalinks configured in the WordPress dashboard, if the .htaccess file is missing or incorrect, REST API routes may return 404 errors.
Fix: First, try the simple route — go to Settings > Permalinks and click Save Changes. WordPress will attempt to rewrite the .htaccess file automatically.
If WordPress cannot write to .htaccess due to file permissions, add the rules manually. Your .htaccess should contain:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
5. A Hosting Firewall Is Blocking JSON Responses
Some shared hosting providers run server-level Web Application Firewalls (WAF) that flag REST API requests as suspicious traffic. This is increasingly common on budget shared hosts.
Fix: Contact your host and ask them to whitelist REST API requests for your domain, or specifically allow requests to /wp-json/. Better yet, if your automation tool uses application passwords or OAuth, ensure the host’s firewall is not blocking authenticated API calls.
How to Enable the REST API Programmatically
If a plugin has restricted API access to authenticated users only, and you want to restore public access for specific routes, you can do that in functions.php:
// Allow REST API access for all users
add_filter( 'rest_authentication_errors', function( $result ) {
    // Only override if there's a blocking error
    if ( is_wp_error( $result ) ) {
        return null; // Allow the request through
    }
    return $result;
} );
Use this carefully. Fully opening the REST API to unauthenticated requests means anyone can read your posts, pages, and user list (usernames are exposed via /wp-json/wp/v2/users by default). Consider disabling the users endpoint if you are not using it:
// Disable the users REST endpoint for unauthenticated requests
add_filter( 'rest_endpoints', function( $endpoints ) {
    // Logged-in users (for example, in the block editor) keep the users routes.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
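A narrower form of the rest_authentication_errors override shown earlier in this section, for functions.php. This is an added example, not code from the original article: it clears a blocking error only for an allowlist of routes and leaves every other route blocked. The route list and the mysite_ names are assumptions for illustration.

```php
// Added example, not from the original article. Names prefixed mysite_ and the
// route list are assumptions; replace them with the routes your site exposes.
const MYSITE_PUBLIC_REST_ROUTES = array(
    '/wp/v2/posts',
    '/wp/v2/pages',
    '/wp/v2/categories',
);

// True when $route is an allowlisted route or a child of one.
// Comparison is exact and case-sensitive, so anything unexpected stays blocked.
function mysite_is_public_rest_route( $route ) {
    $route = '/' . trim( (string) $route, '/' );
    foreach ( MYSITE_PUBLIC_REST_ROUTES as $public ) {
        if ( $route === $public || 0 === strpos( $route, $public . '/' ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // No blocking error was raised: pass the value through unchanged.
    if ( ! is_wp_error( $result ) ) {
        return $result;
    }

    // WordPress stores the requested route in the rest_route query var,
    // for both /wp-json/... and ?rest_route=... style URLs.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';

    if ( mysite_is_public_rest_route( $route ) ) {
        // Clear the error for this route only; each endpoint's own
        // permission checks still apply.
        return null;
    }

    // Every other route, including /wp/v2/users, keeps the original error.
    return $result;
} );
```

Like the article's snippet, this callback runs at the default priority of 10, so it can only clear errors returned by callbacks that ran before it.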
REST API and WordPress Automation Tools
The WordPress REST API is not just a technical detail — it is the foundation of modern WordPress management. If you are using any tool to manage WordPress sites remotely or programmatically, a working REST API is non-negotiable.
Master Control Press (MCP) uses the WordPress REST API to let AI assistants and automation workflows manage your sites — creating posts, updating content, managing taxonomies, and more. When the REST API is properly configured, you unlock the ability to:
- Publish and update content without logging into wp-admin
- Bulk manage posts across multiple sites from a single interface
- Connect WordPress to external tools like Zapier, Make, or custom scripts
- Build headless WordPress frontends with frameworks like Next.js or Astro
- Automate SEO workflows, content scheduling, and site maintenance
Application Passwords: The Right Way to Authenticate REST API Requests
Since WordPress 5.6, Application Passwords have been the standard way to authenticate REST API requests. Unlike your regular WordPress password, application passwords can be revoked individually without changing your main login credentials.
To create one: go to Users > Your Profile, scroll to the “Application Passwords” section, give it a name (like “MCP” or “Zapier”), and click Add New Application Password. WordPress will show you the password once — save it immediately.
Use it in API requests with HTTP Basic Auth:
curl -u "your_username:xxxx xxxx xxxx xxxx xxxx xxxx" \
  https://yoursite.com/wp-json/wp/v2/posts
Application passwords work over HTTPS only. If your site does not have SSL, they will not function — which is another good reason to ensure every WordPress site is running on HTTPS.
Quick Diagnostic Checklist
If your REST API is not working, run through this checklist in order:
- Visit yoursite.com/wp-json/ — do you get JSON back?
- Check Settings > Permalinks — is it set to anything other than Plain?
- Deactivate all security plugins temporarily — does the API work now?
- Check your .htaccess file — does it have the WordPress rewrite rules?
- Enable WP_DEBUG and check debug.log for REST authentication errors
- Contact your host — confirm they are not blocking /wp-json/ at the server level
The WordPress REST API is one of the most powerful and underutilized features in WordPress. Once it is running correctly, you have a clean, standardized interface for building on top of WordPress — whether that is a custom app, an automation workflow, or a full headless site. Get it working, keep it secured with application passwords, and you will have a solid foundation for everything else you want to build.