Error rescue

WordPress REST API Disabled or Blocked: Fix (2026)

By Ali Yasin Jatoi 4 min readUpdated July 2, 2026
Reviewed by Ali Yasin Jatoi, Founder & Lead Engineer· Updated July 2, 2026

Quick answer

The REST API gets disabled by security plugins (iThemes, WordFence, Solid Security) or blocked at the .htaccess/nginx layer. When it's down, the block editor breaks, Site Health reports errors, and headless frontends stop loading. Test with `curl https://yoursite.com/wp-json/` — if you get anything other than a JSON response, the API is blocked.

Diagnose the block

curl -I https://yoursite.com/wp-json/ from your terminal. 200 with JSON = healthy. 403/401 = security plugin blocking. 404 = permalinks broken (see permalink 404 fix). 500 = a plugin's REST handler is erroring.

Fix #1 — Check security plugins

iThemes/Solid Security: Settings → Advanced → REST API — set to 'Default Access' (not 'Restricted'). WordFence: Firewall → Blocking → verify /wp-json/ isn't in the URL block list. Restricting REST API breaks the block editor for logged-in editors too, so most sites should leave it open.

Prefer we just fix it?

This exact error is what our flat-fee website repair service resolves — most fixes ship in under 60 minutes, no retainer, no lock-in. Learn more about flat-fee website repair or grab a slot below.

Fix #2 — Whitelist in .htaccess / nginx

Some hosts add mod_security rules that block REST API traffic. Ask support to whitelist /wp-json/ for authenticated requests. On nginx, verify there's no `location ~ /wp-json` block returning 403.

Fix #3 — CORS for headless setups

If a headless React/Next.js frontend can't reach the API, it's usually CORS. Add to functions.php: `add_filter('rest_pre_serve_request', function($v) { header('Access-Control-Allow-Origin: https://your-frontend.com'); return $v; });`

When to call for help

REST API failures cascade — block editor breaks, Yoast SEO fails to save, headless sites go dark. Our fixed-fee REST rescue is $99 and includes security plugin audit + host firewall coordination.

Common questions

Why is my WordPress REST API disabled?+

The three main causes: (1) a security plugin (iThemes, WordFence, Solid Security) has REST restrictions turned on, (2) host-level mod_security or firewall rules block /wp-json/, (3) permalinks are broken so /wp-json/ 404s. Test with curl to isolate.

How do I enable the WordPress REST API?+

It's enabled by default on every WordPress install since 4.7. If it's not responding, something is blocking it — start with security plugin settings, then permalinks (Settings → Permalinks → Save Changes), then host firewall.

Should I disable the REST API for security?+

No — WordPress core and the block editor rely on it. Disabling it breaks Gutenberg, Site Health, Yoast auto-save, and many plugins. If you have security concerns, restrict specific endpoints (like /users) via filters instead of blanket blocking.

How do I fix REST API 401 unauthorized?+

401 means authentication failed. If it happens in the block editor, log out and back in. If it happens for a headless setup, verify your application password or JWT is correct and included in the Authorization header.

Want help with this?

The pages below go deeper, by service and by city.

Want this handled for you?

Book a call and we will review your site before recommending anything.

Call Book a call