Fixes

WordPress REST API disabled: how to tell, why it happens, and how to fix it

By Ali Yasin Jatoi 6 min readUpdated July 10, 2026
Reviewed by Ali Yasin Jatoi, Founder & Lead Engineer· Updated July 10, 2026

Quick answer

The WordPress REST API is disabled when a request to /wp-json/ returns a 401, 403, or 404 rather than a JSON response. The three usual causes are a security plugin blocking anonymous access, a permalink structure change that broke the /wp-json/ rewrite, and a caching or firewall rule stripping the request. Fix it by testing the endpoint directly with curl, resaving permalinks, and whitelisting /wp-json/ in the tool that blocked it.

How to test whether the REST API is working

Open https://yoursite.com/wp-json/ in a browser. A healthy site returns a JSON blob describing the API. Any HTML error page, 401, 403, or 404 means it is blocked.

In the WordPress admin, go to Tools > Site Health. A red 'REST API encountered an unexpected result' notice names the exact status code returned.

For a headless or plugin issue, curl the endpoint from the server itself: curl -I https://yoursite.com/wp-json/. Compare to a curl from your laptop. Different results point at a CDN or WAF.

The three common causes

  • Security plugins. Wordfence, iThemes Security, and 'Disable REST API' explicitly block anonymous /wp-json/ requests to reduce enumeration. This breaks Gutenberg and most modern plugins.
  • Permalinks. If the site is set to Plain permalinks, or if a recent htaccess edit dropped the WordPress rewrite block, /wp-json/ returns 404.
  • CDN and firewall rules. Cloudflare page rules, security plugins at the WAF layer, and some host firewalls block POST requests to /wp-json/wp/v2/, which breaks saves in the block editor.

The right way to fix it

  • Set permalinks to Post name (or any structure other than Plain) and click Save. That rewrites the htaccess block. This alone fixes a surprising share of REST API problems.
  • In your security plugin, find the REST API rule and allow anonymous read access to /wp-json/ while still blocking user enumeration on /wp-json/wp/v2/users. Both goals coexist.
  • In Cloudflare, add a page rule to bypass cache for /wp-json/* and to skip any WAF rule that blocks POST or PUT to that path.

When you actually want the REST API restricted

Restricting is fine for headless setups where the API is only consumed by an authenticated backend. Keep authentication on and block anonymous entirely.

For a standard content site, you need the REST API open enough for the block editor and plugins. Blocking it wholesale creates more work than it prevents.

The narrower fix is to block /wp-json/wp/v2/users and rate limit login endpoints, not to switch the whole API off.

Common questions

Is disabling the WordPress REST API safe?+

Only if nothing on your site uses it, which is rare. Gutenberg, Site Health, most SEO plugins, and headless setups all rely on it. Disabling it breaks the modern editor and most plugin dashboards.

Why does the block editor say 'Updating failed'?+

That message almost always means a POST to /wp-json/wp/v2/posts/ was blocked or returned an error. Check the browser network tab for the failing request and its status code, then whitelist the endpoint in whichever tool blocked it.

How do I stop user enumeration without disabling the API?+

Block /wp-json/wp/v2/users at the firewall or with a small mu-plugin that returns 401 for unauthenticated users. The rest of the API keeps working.

Want this handled for you?

Book a call and we will review your site before recommending anything.

Call Book a call