Redirection uses the WordPress REST API to communicate with WordPress.
Sometimes a site has problems using the REST API, and this can be caused by:
- The REST API has been disabled
- You are using a REST API plugin
- Requests to the REST API are being redirected
- Trailing slashes are being trimmed from all URLs
- Security software is blocking requests
- Using different URLs for your site and WordPress URL settings in Settings > General
- Server settings do not pass authorisation
These are all solvable.
You can test your API by accessing /wp-json/ on your site. You may see:
- A lot of data. Your API is working
- An error page. Your API has been disabled or blocked
- A redirect to another page
Disabled REST API
This is a simple one and just involves not disabling the REST API! If you used a plugin to disable the API then you will need to configure that plugin to allow Redirection to use the API.
REST API plugin
You may have an alternative REST API plugin installed, such as WP-API or WP REST plugin. You need to use the default WordPress REST API.
Redirected Requests
This is likely also caused by a plugin, or maybe an aggressive redirect. You will need to configure your plugin to not redirect requests to the API.
Language plugins can often cause these redirects, such as qTranslate.
Removal of trailing slashes
If you have a redirect rule, possibly in your .htaccess file, that removes trailing slashes, this can break your REST API. You can fix this by excluding POST and /wp-json/ requests:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_URI} !^/wp-json/.*
RewriteRule ^(.*)/$ /$1 [R=301,L]
Security Software
The WordPress API uses standard communication techniques, but sometimes security software can aggressively block it and return errors. You will need to configure your security software to not block API requests.
Your REST API may appear to work when you view /wp-json/ in a browser, but fail to work in Redirection. You may see a message that includes:
- rest_forbidden
- rest_no_route
You will also need to ensure that X-WP-Nonce headers are passed with your requests. Some security settings (on your server and in a plugin) may remove these headers, resulting in a rest_forbidden message.
Server Settings
Your server may be configured to only pass authorisation headers on certain URLs. You will need to reconfigure it to pass these on /wp-json/ URLs.
This is more likely to happen if you use a proxy like Varnish where you will need to be more explicit about what information is passed from Varnish to the server.
HTTP codes
The HTTP code returned can indicate the source of the problem:
- 301 – Your REST API is being redirected. The likely cause is that your site is changing protocol between http and https, but your WordPress URL settings don’t match the target. Go to your Settings > General page and update the URLs to match your site
- 401 – The request is unauthorized. This can be caused by security settings.
- 403 – The request is forbidden. This is likely caused by a security plugin or server setting that is actively blocking the request
- 404 – Page not found. Something on your site is returning a standard 404 error page. You will need to investigate this further.
- 500 – A server error. This could be caused by a security plugin, or even by your server running out of memory
Known problem software
This software is known to cause problems with the REST API. The list is not exhaustive, and these products can often be configured to allow the REST API:
- WP-Spamshield
- Sucuri
- Cloudflare – see this guide
- mod_security
- WP Cerber – shows a ‘sorry but you are not allowed to proceed’. Can be configured to allow REST API requests
- OVH – do you use OVH and have http.firewall enabled? This will break the WordPress REST API. Contact OVH support and ask them to fix it!
- 7G Firewall
- Plesk – there is a Plesk guide that may help
Different URL settings
You may see errors like:
- Not allowed to request resource
- Failed to fetch
- NetworkError when attempting to fetch resource
Typically this is because you have different URLs on your Settings > General page. This prevents your browser from accessing your REST API. For example, one URL may be http and one may be https.
Likewise you may have different (sub)domain names. This usually indicates a problem, and making these the same can solve the issue.
HTTP when your site is HTTPS
If you are forcing your site to be https, via whatever method, but your WordPress Settings > General URLs are set to http then you may see an error like this:
- Preflight response is not successful
As above in ‘different URL settings’ you should set your URLs to be https.
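The checks on this page can be combined into one triage step. The following is an added example, not code from Redirection or WordPress: it classifies a single un-followed response to a /wp-json/ request. The function names, the finding labels and the example.test URLs are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

def origin(url):
    """Scheme, host and port: the parts a browser compares for same-origin."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)

def diagnose(probe_url, status, headers, body, site_url=None, wp_url=None):
    """Classify one un-followed response to a /wp-json/ request.

    headers is a dict keyed by header name as written here (an assumption).
    """
    findings = []
    # "Different URL settings": both Settings > General URLs must share an origin.
    if site_url and wp_url and origin(site_url) != origin(wp_url):
        findings.append("url-settings-mismatch")
    if status in (301, 302, 307, 308):
        target = headers.get("Location", "")
        src, dst = urlsplit(probe_url), urlsplit(target)
        if dst.netloc and origin(target) != origin(probe_url):
            findings.append("redirect-scheme-or-host")  # fix Settings > General
        elif dst.path == src.path.rstrip("/"):
            findings.append("redirect-trailing-slash")  # fix the rewrite rule
        else:
            findings.append("redirect-other")           # plugin or aggressive rule
        return findings
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        data = None
    if not isinstance(data, dict):
        data = {}
    if status == 200 and "namespaces" in data:
        findings.append("working")
    elif data.get("code") in ("rest_forbidden", "rest_no_route"):
        findings.append(data["code"])        # JSON error, so WordPress was reached
    elif status in (401, 403):
        findings.append("blocked-upstream")  # security software or server setting
    elif status == 404:
        findings.append("not-found")
    elif status >= 500:
        findings.append("server-error")
    else:
        findings.append("not-json")          # API disabled or blocked
    return findings

if __name__ == "__main__":
    # Constructed sample: an http probe answered with a redirect to https.
    print(diagnose("http://example.test/wp-json/", 301,
                   {"Location": "https://example.test/wp-json/"}, ""))
```

Capture the response without following redirects so that a 301 is seen as a 301 rather than as the page it leads to.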