The WordPress REST API error is one of those problems that can break your site in ways that are not immediately obvious. Sometimes you see it as an explicit message — “The REST API encountered an error” — in the dashboard’s Site Health check or in a plugin’s status panel. Other times the WordPress REST API error manifests as the Gutenberg block editor failing to load, a plugin’s features silently not working, a broken admin interface, or a contact form that submits but never actually delivers. The REST API underpins an enormous amount of modern WordPress functionality, and a WordPress REST API error that goes unnoticed can break features across your entire site without displaying any obvious error to visitors or administrators. Understanding which features depend on the REST API and what causes the WordPress REST API error is the starting point for diagnosing it efficiently. For a broader walkthrough, our WordPress Errors Complete Guide is a good next read.
What the WordPress REST API Error Actually Breaks
The WordPress REST API is a programming interface that allows different parts of WordPress — and external applications — to communicate using standardised HTTP requests and JSON responses. When a WordPress REST API error occurs, every feature that relies on this communication channel breaks simultaneously. The most visible consequence is the Gutenberg block editor failing to function: blocks do not save, autosave stops working, block patterns fail to load, and the editor may display “Updating failed” or “Publishing failed” errors even when the connection appears fine. All of these are symptoms of the same underlying WordPress REST API error.
Beyond the block editor, a WordPress REST API error breaks application passwords, the WordPress mobile app connection, WooCommerce REST API-dependent features, headless WordPress front ends that consume the REST API as a data source, plugin communication between WordPress and third-party services, and several admin interface elements that use internal REST API calls for dynamic content loading. The breadth of breakage makes the WordPress REST API error more serious than it first appears — what seems like an editor problem might actually be signalling that an entire class of WordPress functionality is impaired.
The WordPress Site Health tool provides the most direct confirmation of a WordPress REST API error: go to Tools → Site Health → Status, and look under the Tests section for the REST API test. A failing result here confirms the WordPress REST API error is real rather than a one-time glitch. The test output often includes additional context — the specific HTTP response code returned by the REST API endpoint, a timestamp, and sometimes a description of the failure mode — that narrows down which of the causes below is responsible.
The Most Common Causes of the WordPress REST API Error
In the cases I have diagnosed, the WordPress REST API error has a consistent set of underlying causes. Before working through the fixes, knowing the full range helps you match the fix to your specific situation faster:
- Permalink structure not regenerated: The REST API depends on clean URLs. If permalink settings are not saved after certain changes, the WordPress REST API error appears because the REST API endpoints cannot be found
- Plugin or theme conflict: A plugin that hooks into request handling or modifies REST API responses can interrupt the REST API’s normal function and produce the WordPress REST API error
- Security plugin or firewall blocking REST API routes: Many security tools allow blocking the REST API for unauthenticated users, which breaks admin functionality when applied too aggressively
- WordPress site URL mismatch: If the Site URL and actual serving URL do not match, REST API requests route to the wrong location and the WordPress REST API error results
- User authentication problem: The REST API requires a valid authentication context for many operations. Cookie nonce failures produce the WordPress REST API error on logged-in operations
- Server-level blocking: Some hosting providers and WAF configurations actively block requests to REST API endpoints, producing the WordPress REST API error for all REST-dependent functionality
Fix the WordPress REST API Error With Permalink and URL Settings
The fastest first fix to try for any WordPress REST API error is regenerating the permalink structure. WordPress REST API routes are registered through the rewrite system, and if the rewrite rules are stale or corrupted, the REST API endpoints return 404 errors instead of valid responses — which is precisely the WordPress REST API error condition that Site Health reports. This fix takes 30 seconds and resolves a significant proportion of REST API errors without any further troubleshooting.
- Log in to the WordPress admin panel (if accessible — if the admin is also broken, try the URL fix in wp-config.php first)
- Navigate to Settings → Permalinks
- Without changing any setting, click Save Changes — this regenerates the
.htaccessrewrite rules and re-registers all REST API routes - Open a new browser tab and visit
https://yoursite.com/wp-json/— if the REST API is working, this URL returns a JSON response listing available API endpoints. A 404 or a WordPress REST API error response indicates the routing problem persists - If the JSON response loads correctly, test the block editor or whichever feature the WordPress REST API error was breaking. The problem is resolved if the feature functions normally
If the Site URL settings are misconfigured — particularly on sites that recently moved from HTTP to HTTPS, changed domains, or migrated between servers — the WordPress REST API error may persist because REST API requests are routing to an incorrect base URL. Add define( 'WP_HOME', 'https://correctdomain.com' ); and define( 'WP_SITEURL', 'https://correctdomain.com' ); to wp-config.php to force the correct URLs, then regenerate permalinks again. A URL mismatch is particularly common after cloning a staging site to production — the staging URL is often baked into database settings that override what wp-config.php specifies.
Fix the WordPress REST API Error Caused by Plugin and Theme Conflicts
Plugins that add custom authentication requirements, modify response headers, or hook into the REST API dispatch process can produce the WordPress REST API error for specific routes or all routes. This is a less common cause than URL or permalink issues, but it is reliably identifiable through the standard systematic deactivation approach. The WordPress REST API error caused by a plugin is typically consistent — the same request to the same REST API endpoint fails every time — rather than intermittent, which helps distinguish it from server-side causes that may be traffic-dependent.
To test whether a plugin is responsible for the WordPress REST API error: deactivate all plugins through the Plugins menu, then test the REST API by visiting yoursite.com/wp-json/ in the browser. If the JSON response loads correctly after deactivation, a plugin is the cause. Reactivate plugins one at a time and test the REST API endpoint after each reactivation. The plugin whose activation causes the WordPress REST API error to return is responsible. Check whether that plugin has a setting that controls REST API behaviour, whether it has pending updates that might include a fix, or whether an alternative plugin provides the same function without the REST API conflict.
Themes can also cause the WordPress REST API error, though this is less common than plugin causes. Themes that modify WordPress request handling through functions.php additions — particularly those using add_filter( 'rest_authentication_errors' ) or similar hooks — can inadvertently block REST API access. Temporarily switching to a default WordPress theme and testing the REST API confirms whether the theme is involved. If switching themes clears the WordPress REST API error, a function in the active theme’s functions.php or a child theme hook is the culprit.
Security Plugin REST API Blocks and Authentication Issues
Security plugins are one of the most frequent and most specific causes of the WordPress REST API error in production environments. Many security plugins include a setting to “disable the REST API” or “restrict REST API access to logged-in users” — which sounds like a reasonable security measure but breaks the REST-dependent admin functions that require the API to work even for authenticated requests. When these settings are applied without understanding their consequences, the result is a WordPress REST API error that breaks the block editor for the site’s own administrators.
| Plugin Setting | What It Does | Impact on REST API |
|---|---|---|
| Disable REST API for non-logged-in users | Returns 401 for unauthenticated requests | Safe — only affects external unauthenticated access |
| Disable REST API completely | Returns 403 or 404 for all REST routes | Breaks block editor, WooCommerce, many plugins |
| Require application password for all REST | Blocks cookie-based authentication | Breaks admin REST calls that use cookie nonce auth |
| Block specific REST routes | Targeted route blocking | Breaks functionality that uses the blocked routes specifically |
Check every active security plugin’s settings for REST API controls and ensure only unauthenticated external REST access is restricted — not REST access for logged-in WordPress administrators. Nonce-based authentication (used by the block editor) needs to pass without restriction. If disabling REST API entirely is a deliberate security decision for a site that uses Classic Editor and no REST-dependent plugins, the block editor and all REST-dependent plugins need to be removed to make this configuration consistent rather than leaving the WordPress REST API error as a permanent condition.
Server-Level Blocks Causing the WordPress REST API Error
Some hosting providers and server-level firewalls actively block requests to /wp-json/ URLs, treating them as a potential attack surface. A Cloudflare WAF rule, a ModSecurity rule set, or a hosting provider’s built-in security scanning can each produce the WordPress REST API error by returning 403 or 503 responses to REST API requests before they reach WordPress. This type of WordPress REST API error is identifiable because it affects REST API requests from all sources — not just the WordPress admin, but also external API clients, the WP CLI REST API commands, and direct URL access to /wp-json/.
Testing the REST API from the command line using curl — curl -I https://yoursite.com/wp-json/ — shows the HTTP headers returned by the server. A 403 response with a WAF-specific header (Cloudflare’s CF-Ray, ModSecurity’s error reference) confirms server-level blocking. Contact your hosting provider and ask them to create an exception for /wp-json/ requests from your own IP and from authenticated WordPress admin sessions, or review and adjust your Cloudflare firewall rules to allow REST API traffic through the relevant WAF rule set.
Our guide on fixing the WordPress JSON response error covers the closely related error that appears specifically in the block editor and shares several root causes with the WordPress REST API error — the two are frequently confused and sometimes appear together. Our guide on how to secure a WordPress website covers security plugin configuration that protects the site without disabling the REST API functionality that WordPress core and essential plugins depend on. The WordPress REST API developer documentation covers every endpoint, authentication method, and route registration detail relevant to diagnosing the specific route or authentication mode involved in your WordPress REST API error. Related: WordPress Trackback.






