Introduction
WordPress depends on the REST API for the block editor, site health checks, plugin features, and background communication inside the admin area. When the API fails, the visible symptom may look unrelated, but the root cause is often a rewrite issue, security block, authentication problem, or proxy rule that breaks /wp-json/ requests. The fix is to verify that API requests can reach WordPress and return normal responses under the same hostname and protocol used by the site.
Symptoms
- The block editor, Site Health, or plugin features report REST API failures
- Saving content or loading editor data stops working in WordPress admin
- Requests to /wp-json/ return 403, 404, 500, or redirect unexpectedly
- The issue began after changing security plugins, caching, permalinks, or proxy settings
- Direct page loads work while API-driven features fail
Common Causes
- Rewrite rules or permalink handling no longer route /wp-json/ correctly
- Security plugins, WAF rules, or host firewalls block API endpoints
- Authentication cookies or nonces fail because of domain, HTTPS, or proxy mismatches
- Reverse proxies or CDNs cache, redirect, or strip headers on API traffic
- Plugin or theme code causes fatal errors only when API endpoints execute
Step-by-Step Fix
- Request the affected /wp-json/ endpoint directly and note the real HTTP status, redirect, or error body it returns.
- Confirm the site URL, home URL, and HTTPS behavior are consistent so API requests use the same canonical hostname as admin traffic.
- Review rewrite rules and permalink handling to make sure REST routes reach WordPress correctly.
- Check security plugins, CDN rules, WAF policies, and reverse proxies for anything that blocks or alters /wp-json/ traffic.
- Inspect server and application logs for fatal errors or permission problems triggered only by REST API requests.
- Verify authentication cookies and nonce behavior if the failure appears only for logged-in editor actions.
- Temporarily isolate recently changed plugins or themes if they register API routes or modify request handling.
- Re-test editor actions, Site Health, and direct API calls after correcting the failing layer.
- Keep API paths excluded from inappropriate caching and overly broad security rules so WordPress admin features stay functional.
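
The triage in the steps above can be written down as a small classifier. This is an added example, not WordPress or plugin code: it takes the status, headers, and body observed from a direct /wp-json/ request and names the layer to inspect next. The function name `diagnose`, the example.com URLs, and the use of a non-JSON body or an `Age` header as signs of a block or a cache are assumptions of this sketch; `rest_no_route` and `rest_cookie_invalid_nonce` are error codes returned by WordPress core.

```python
import json
from urllib.parse import urlsplit

def diagnose(site_url, status, headers, body):
    """Map one observed /wp-json/ response to (layer, what to check next)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    data = data if isinstance(data, dict) else None
    code = data.get("code") if data else None  # WordPress REST error code, if any

    if 300 <= status < 400:
        site, loc = urlsplit(site_url), urlsplit(hdrs.get("location", ""))
        if loc.netloc and (loc.scheme, loc.netloc) != (site.scheme, site.netloc):
            return ("url-mismatch", "align site URL, home URL and HTTPS handling")
        return ("redirect", "review proxy and CDN redirect rules for /wp-json/")
    if code == "rest_cookie_invalid_nonce":
        return ("auth", "check cookies and nonces across domain, HTTPS and proxy")
    if status == 404:
        if code == "rest_no_route":
            return ("route", "WordPress answered; check the code registering the route")
        return ("rewrite", "not routed to the REST API; review rewrites and permalinks")
    if status == 403:
        if data is None:  # heuristic: a non-JSON 403 came from in front of WordPress
            return ("blocked", "review security plugin, WAF, CDN and firewall rules")
        return ("auth", "WordPress denied it; check login state and API restrictions")
    if status >= 500:
        return ("fatal", "read server and application logs for plugin or theme errors")
    if status == 200 and data is not None and "namespaces" in data:
        if "age" in hdrs:  # heuristic: Age means a cache served the response
            return ("cached", "exclude /wp-json/ from proxy or CDN caching")
        return ("ok", "API index reachable; re-test editor actions and Site Health")
    return ("altered", "body is not a REST response; check proxies and caches")

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    (301, {"Location": "http://www.example.com/wp-json/"}, ""),
    (404, {"Content-Type": "text/html"}, "<h1>Not Found</h1>"),
    (403, {"Content-Type": "text/html"}, "<html>Access denied</html>"),
    (403, {"Content-Type": "application/json"},
     '{"code":"rest_cookie_invalid_nonce","data":{"status":403}}'),
    (200, {"Content-Type": "application/json", "Age": "120"},
     '{"namespaces":["wp/v2"],"routes":{}}'),
]

if __name__ == "__main__":
    for status, headers, body in SAMPLES:
        print(status, *diagnose("https://example.com", status, headers, body))
```

Feed it the values from a direct request made with the same hostname and protocol the admin area uses; the result is a starting point for the matching step, not proof of the cause.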