If you only see a loading animation, but the actual content in one of our plugins does not load, your WordPress REST API is most likely not reachable.
What is the WordPress REST API?
A REST API is generally a standardized method that many applications on the Internet use to communicate between server and client. WordPress v4.7 introduced the WordPress REST API, which allows modern WordPress plugins to use this standard method for communication instead of the WordPress specific way of communication.
How can I enable the WordPress REST API in my website?
The WordPress REST API is enabled by default in your WordPress website. It is a standard method of communication and there is no additional risk to have it activated compared to other methods how WordPress plugins communicate between client and server. But some WordPress plugins allow you as WordPress admin to disable the REST API. The reason for deactivation is usually the desire for better performance or security concerns. For both aspects, however, disabling the REST API is usually not a suitable means.
We know the following plugins that allow you to disable the REST API. By default, none of these plugins disable the REST API, but they can optionally disable it:
- iThemes Security (formerly Better WP Security)
- All In One WP Security & Firewall
- Sucuri Security
- Titan Anti-spam & Security
- Cerber Security, Anti-spam & Malware Scan
- Shield Security
- WP Hide & Security Enhancer
- BulletProof Security
- Disable REST API
- NinjaFirewall (WP Edition)
- Hide My WP Ghost
- Swift Performance
- WP Oath Server
- Password Protected
Additionally, you can restrict access to the REST API in your web server configuration (usually Apache2 or NGINX). This can be done intentionally or accidentally by rejecting requests that start with
How do I know if the unreachable REST API is my issue?
You can easily check if an unreachable REST API is the problem when you see only a loading animation in a devowl.io WordPress plugin. Just follow these steps:
- Open a new tab where you access your website.
- Right-click into the web page to open the panel “Inspect” (Google Chrome) or “Inspect Element” (Mozilla Firefox). Here you can go to the “Console” tab.
- Now open the page on which you see the loading animation that does not disappear.
- In the console, you should see an entry marked red as an error, which indicates an error 401, 403, 404 or 500 (depending on your plugin/configuration to disable the REST API).
If you see an error like this, you need to make sure that the WordPress REST API is reachable again.
I do not want to enable the REST API in general, but for your plugin. Is this possible?
This depends on the configuration of the plugin you use to restrict access to the REST API. For example, with Cerber Security, Anti-spam & Malware Scan you can disable the REST API using namespaces. Each plugin that uses the WordPress REST API must register a namespace in which all endpoints are registered. For example, if you access
/wp-json/realmedialibrary/v1 in your WordPress REST API, the namespace is called
We use for the devowl.io WordPress plugins the following namespaces:
- Real Media Library:
- Real Physical Media:
- Real Category Management:
- Real Thumbnail Generator:
- Real Custom Post Order:
- Real Cookie Banner:
real-cookie-banner/v1(must be available for everyone, not only for logged-in users)
I am using a plugin like “JWT Auth”. Is it compatible?
If you need to use a plugin like JWT Auth you also need to whitelist our plugins. In case of JWT Auth, you have to read the section “Whitelisting Endpoints” in its README file and add our plugins to the allowed endpoints. The endpoints can be found in the paragraph above.
Permalinks are broken
If you use Apache2 as web server, the
.htaccess file defines how URLs of your website look like. This file is created automatically and sometimes manipulated by plugins. If something went wrong with the creation, this can also be a reason why the WP REST API can no longer be accessible.
So, you can rewrite the rules in the
- Go to Settings > Permalinks in your WordPress backend.
- Save the unchanged settings. Saving will trigger the rules to be rewritten.