WordPress REST API Errors and 401/403 Responses
Warning
Frequency: Uncommon
Error message: rest_forbidden — Sorry, you are not allowed to do that.

The WordPress REST API is used by the block editor (Gutenberg), many plugins, and external integrations. When it’s blocked or returning errors, the block editor may not work, plugins may fail, and API-dependent features break.
Common Causes
- Security plugin blocking REST API access
- Authentication not configured for the endpoint
- .htaccess rules blocking /wp-json/ requests
- Permalink structure not set (REST API needs pretty permalinks or index.php prefix)
- Server blocking HTTP methods (PUT, DELETE, PATCH)
How to Fix It
- Check if REST API is accessible: Visit /wp-json/wp/v2/ in your browser
- Ensure pretty permalinks are enabled (Settings > Permalinks, anything except 'Plain')
- Check security plugins: iThemes, Wordfence, and similar plugins can block REST API. Whitelist needed endpoints
- For authentication: Use Application Passwords (built into WordPress 5.6+) or a JWT plugin
- Check .htaccess for rules blocking /wp-json/ and ensure the WordPress rewrite rules are intact
Frequently Asked Questions
How do I test if the WordPress REST API is working?
Visit /wp-json/wp/v2/posts in your browser. You should see a JSON response with your recent posts. If you get a 404, check your permalink settings. If you get a 403, a security plugin is likely blocking it.
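An added example, not from the original page: a Python helper that applies the status-code reading above and also uses the response body to tell a denial issued by WordPress itself (JSON with a `code` such as `rest_forbidden`) from a block by the web server, .htaccess or a firewall (non-JSON body). The function names, result labels and sample responses are assumptions constructed for illustration, and the body check is a heuristic.

```python
import base64
import json
import urllib.error
import urllib.request

def classify(status, body):
    """Map an HTTP status and response body to a likely cause (heuristic)."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    code = data.get("code") if isinstance(data, dict) else None
    if status == 200 and data is not None:
        return "ok"
    if code is not None:
        # A JSON error carrying a "code" field means WordPress answered the request.
        kind = {401: "denied", 403: "denied", 404: "no-route"}.get(status, "error")
        return f"wordpress-{kind}:{code}"
    # Non-JSON bodies usually come from the web server, .htaccess or a firewall.
    if status == 404:
        return "rewrite-or-permalinks"
    if status in (401, 403):
        return "blocked-before-wordpress"
    if status == 405:
        return "http-method-blocked"
    return "unknown"

def probe(site, route="/wp-json/wp/v2/posts", user=None, app_password=None):
    """Request one REST route, optionally with an Application Password."""
    req = urllib.request.Request(site.rstrip("/") + route)
    if user and app_password:
        # Application Passwords are sent as HTTP Basic auth; use HTTPS only.
        token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    (401, '{"code":"rest_forbidden","message":"Sorry, you are not allowed '
          'to do that.","data":{"status":401}}'),
    (403, "<html><body><h1>403 Forbidden</h1></body></html>"),
    (404, "<html><body>Not Found</body></html>"),
    (200, '[{"id":1,"status":"publish"}]'),
]
```

Running `probe()` against your own site once without credentials and once with an Application Password shows whether a denial comes from missing authentication or from something in front of WordPress.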
Is it safe to expose the REST API publicly?
The REST API respects WordPress permissions. Unauthenticated users can only access public data (published posts). Sensitive data requires authentication. You can restrict it further with plugins if needed.