WordPress REST API

Redirection uses the WordPress REST API to communicate with WordPress.

Sometimes a site has problems using the REST API, and this can be caused by:

  • The REST API has been disabled
  • You are using a REST API plugin
  • Requests to the REST API are being redirected
  • Trailing slashes are being trimmed from all URLs
  • Security software is blocking requests
  • Using different URLs for your site and WordPress URL settings in Settings > General
  • Server settings do not pass authorisation

These are all solvable.

You can test your API by accessing /wp-json/ on your site. You may see:

  • A lot of data. Your API is working
  • An error page. Your API has been disabled or blocked
  • A redirect to another page

Disabled REST API

This is a simple one and just involves not disabling the REST API! If you used a plugin to disable the API then you will need to configure that plugin to allow Redirection to use the API.

REST API plugin

You may have an alternative REST API plugin installed, such as WP-API or WP REST plugin. You need to use the default WordPress REST API.

Redirected Requests

This is likely also caused by a plugin, or maybe an aggressive redirect. You will need to configure your plugin to not redirect requests to the API.

Language plugins can often cause these redirects, such as qTranslate.

Removal of trailing slashes

If you have a redirect rule, possible in your .htaccess file, to remove trailing slashes this can break your REST API. You can fix this by excluding POST and /wp-json/ requests:

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/wp-json/.*
RewriteRule ^(.*)/$ /$1 [R=301,L]

Security Software

The WordPress API uses standard communication techniques, but sometimes security software can aggressively block it and return errors. You will need to configure your security software to not block API requests.

Your REST API may appear to work when you view /wp-json/ in a browser, but fail to work in Redirection. You may see a message that includes:

  • rest_forbidden
  • rest_no_route

Server Settings

Your server may be configured to only pass authorisation headers on certain URLs. You will need to reconfigure it to pass these on /wp-json/ URLs.

This is more likely to happen if you use a proxy like Varnish where you will need to be more explicit about what information is passed from Varnish to the server.

HTTP codes

The HTTP code returned can indicate the source of the problem:

  • 301 – Your REST API is being redirected. The likely cause is that your site is changing protocol between http and https, but your WordPress URL settings don’t match the target. Go to your Settings > General page and update the URLs to match your site
  • 403 – The request is forbidden. This is likely caused by a security plugin or server setting that is actively blocking the request
  • 404 – Page not found. Something on your site is return a standard 404 error page. You will need to investigate this further.
  • 500 – A server error. This could be caused by a security plugin, or even your server is running out of memory

Known problem software

This software is known to cause problems with the REST API. It is not exclusive, and they often can be configured to allow the REST API:

  • WP-Spamshield
  • Sucuri
  • Cloudflare – see this guide
  • mod_security
  • WP Cerber – shows a ‘sorry but you are not allowed to proceed’. Can be configured to allow REST API requests
  • OVH – do you use OVH and have http.firewall enabled? This will break the WordPress REST API. Contact OVH support and ask them to fix it!
  • 7G Firewall
  • Plesk – there is a Plesk guide that may help

Different URL settings

You may see errors like:

  • Not allowed to request resource
  • Failed to fetch
  • NetworkError when attempting to fetch resource

Typically this is because you have different URLs on your Settings > General page. This prevents your browser from accessing your REST API. For example, one URL may be a http and one may be https.

Likewise you may have different (sub)domain names . This usually indicates a problem and making these the same can solve the issue.

HTTP when your site is HTTPS

If you are forcing your site to be https, via whatever method, but your WordPress Settings > General URLs are set to http then you may see an error like this:

  • Preflight response is not successful

As above in ‘different URL settings’ you should set your URLs to be https.