If you only see a loading animation, but the actual content in one of our plugins does not load, your WordPress REST API is most likely not reachable.
What is the WordPress REST API?
A REST API is generally a standardized method that many applications on the Internet use to communicate between server and client. WordPress v4.7 introduced the WordPress REST API, which allows modern WordPress plugins to use this standard method for communication instead of the WordPress specific way of communication.
How can I enable the WordPress REST API in my website?
The WordPress REST API is enabled by default in your WordPress website. It is a standard method of communication and there is no additional risk to have it activated compared to other methods how WordPress plugins communicate between client and server. But some WordPress plugins allow you as WordPress admin to disable the REST API. The reason for deactivation is usually the desire for better performance or security concerns. For both aspects, however, disabling the REST API is usually not a suitable means.
We know the following plugins that allow you to disable the REST API. By default, none of these plugins disable the REST API, but they can optionally disable it:
- iThemes Security (formerly Better WP Security)
- All In One WP Security & Firewall
- Sucuri Security
- Titan Anti-spam & Security
- Cerber Security, Anti-spam & Malware Scan
- Shield Security
- WP Hide & Security Enhancer
- BulletProof Security
- Disable REST API
- NinjaFirewall (WP Edition)
- Hide My WP Ghost
- Swift Performance
- WP Oath Server
- Password Protected
- Cloudflare WAF (Web Application Firewall)
- WP REST API Controller
Additionally, you can restrict access to the REST API in your web server configuration (usually Apache2 or NGINX). This can be done intentionally or accidentally by rejecting requests that start with
How do I know if the unreachable REST API is my issue?
You can easily check if an unreachable REST API is the problem when you see only a loading animation in a devowl.io WordPress plugin. Just follow these steps:
- Open a new tab where you access your website.
- Right-click into the web page to open the panel “Inspect” (Google Chrome) or “Inspect Element” (Mozilla Firefox). Here you can go to the “Console” tab.
- Now open the page on which you see the loading animation that does not disappear.
- In the console, you should see an entry marked red as an error, which indicates an error 401, 403, 404 or 500 (depending on your plugin/configuration to disable the REST API).
If you see an error like this, you need to make sure that the WordPress REST API is reachable again.
I do not want to enable the REST API in general, but for your plugin. Is this possible?
This depends on the configuration of the plugin you use to restrict access to the REST API. For example, with Cerber Security, Anti-spam & Malware Scan you can disable the REST API using namespaces. Each plugin that uses the WordPress REST API must register a namespace in which all endpoints are registered. For example, if you access
/wp-json/realmedialibrary/v1 in your WordPress REST API, the namespace is called
We use for the devowl.io WordPress plugins the following namespaces:
- Real Media Library:
- Real Physical Media:
- Real Category Management:
- Real Thumbnail Generator:
- Real Custom Post Order:
- Real Cookie Banner:
real-cookie-banner/v1(must be available for everyone, not only for logged-in users)
Besides WordPress plugins, we also use third-party packages that are consumed by our plugins. For this, you still have to release the following name ranges:
- Real Product Manager (license and update client, all plugins):
- Real Queue (queue management, currently only used in Real Cookie Banner):
I am using a plugin like “JWT Auth”. Is it compatible?
If you need to use a plugin like JWT Auth you also need to whitelist our plugins. In case of JWT Auth, you have to read the section “Whitelisting Endpoints” in its README file and add our plugins to the allowed endpoints. The endpoints can be found in the paragraph above.
I don’t use a plugin, but e.g. NGINX to block the REST API
If you use a server configuration, e.g. the
.htaccess file or a NGINX configuration to block access to
wp-json, you should exclude certain subpaths. You can track these in the Network tab of your develeper tools in the browser and unblock them accordingly.
Some of our plugins also use a mechanism to obfuscate URLs to bypass ad blockers (for example, saving consent in Real Cookie banners). This can for example look like this:
/wp-json/jr5ek52mpe4hqt2dhfu/mrvekpi0/0ed0fef9da/consent. Unlike plugins that block the REST API, a server configuration that blocks the REST API must also unblock the path of the obfuscated URL. The obfuscation can be disabled through the DevOwl/Utils/RestObfuscatePath filter.
Permalinks are broken
If you use Apache2 as web server, the
.htaccess file defines how URLs of your website look like. This file is created automatically and sometimes manipulated by plugins. If something went wrong with the creation, this can also be a reason why the WP REST API can no longer be accessible.
So, you can rewrite the rules in the
- Go to Settings > Permalinks in your WordPress backend.
- Save the unchanged settings. Saving will trigger the rules to be rewritten.
I can read data but not write?
You are using Real Cookie Banner and cannot save your licence or create folders in Real Media Library? A typical error message text is:
Missing parameter(s): terms (or similar field names)
The most commonly identified cause of this behaviour with previous clients was that your server is configured to forward URLs without an ending slash
/ to URLs with an ending slash
/ (or vice versa).
You can track this by checking the respective requests via F12 > Network to see if a
POST request is redirected. A
POST request must not be redirected and therefore leads to errors, as data to be saved (your input) is not redirected.
It is best to check your
.htaccess file to see if you can exclude
/wp-json from URL forwarding.
See also: https://docs.wp-rocket.me/article/131-redirection-to-enforce-trailing-slash-on-urls