WordPress REST API FAQ & troubleshooting
Introduction
This is our knowledge base for configuring and troubleshooting your WordPress REST API connection. Please read this before asking our support for help because we will most likely begin by offering you the solutions that have been described here.
How your REST API access works can be affected by your WordPress installation, plugins, web server, hosting provider, security solutions, and much more. There is an almost infinite number of possible configurations. We constantly learn about different configurations, and most of our knowledge base has been created thanks to our customers. If you face problems that haven't been described here, or the offered solutions aren't helpful in your case, please let us know. Also, if you managed to solve your issues, it would be fantastic if you could help us extend this knowledge base.
Configuration
How to generate a WordPress API password and configure the connection?
Please check out this HOWTO image.
Please make sure that:
WordPress is up to date.
You don't have an "Application Passwords" or similar plugin installed. Application Passwords should be handled by WordPress itself.
You use the generated application password in your configuration, not the password you use to sign in to the WordPress dashboard.
The user you generate the Application Password for has the necessary privileges (is able to create and edit posts). Suggested roles are Editor or Admin.
In our integration, you use the username together with the Application Password generated for that user, not the "application password label" you enter when generating the application password.
Make sure your project configuration is correct (correct homepage and domain name) and that the project domain does not redirect to another domain.
If your WordPress is installed in a subdirectory, please use the "WordPress is installed in a subdirectory" option.
Popular problems
I don't see "Application Passwords" in my WordPress dashboard
Please make sure your WordPress is up to date. Application passwords can be disabled by popular security plugins such as Wordfence, so please check their configuration.
Popular error codes
Below you will find information on popular error codes returned from the API. Error messages can be a bit different depending on your language. Please focus on the HTTP status + error code.
HTTP 401: rest_cannot_create: Sorry, you are not allowed to create posts as this user
Make sure the Application Passwords are allowed in your security plugins such as Wordfence.
Make sure the user you generated the Application Password for has the necessary privileges (can create and edit posts).
Make sure your project configuration is correct (correct homepage and domain name) and that the project domain does not redirect to another domain. It might also be important to use the correct protocol, e.g. https://domain.com and not http://domain.com if you have SSL enabled.
HTTP 401: rest_forbidden_context: Sorry, you are not allowed to edit posts in this post type
This message is usually associated with one of the following problems:
1. The user password is being used instead of the application password.
2. Application passwords are disabled by the Wordfence configuration.
3. The user does not have the Editor or Admin role.
4. The problem is related to the HTTP Authorization header (this can be caused by your WP configuration, one of your plugins, and often the .htaccess file).
If you suspect #4 might be the reason, you can try the following:
Warning: be extra careful when modifying your .htaccess file. Please make a copy of it before modifying the .htaccess.
You might try adding something like this to your .htaccess file and check if this helps:
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
This is what a part of your .htaccess file might look like before the modification:
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
and after the modification:
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
HTTP 500
HTTP 500 is a server-side error. It is not one of the statuses the API typically returns when something is wrong with your privileges or API credentials.
It usually means there's something wrong in the code or configuration, or something wrong with the database, server, memory, etc. You may want to check the error log of your website for more information on what happened.
The website returned the <HTTP_CODE> HTTP code with a response that is not a valid JSON. One of the causes might be some protection blocking our request (Cloudflare, StackProtect, stckcp, or other solution used by your hosting, or a WordPress security plugin).
The response our integration received is not the expected standard response in JSON format. It could be an HTML response.
In most cases, this means that our REST API request has been blocked by some kind of protection.
This protection can be configured in your WordPress (.htaccess, plugin), but also outside (hosting provider, DNS, etc.). We've seen this scenario with Cloudflare or StackProtect, but there can be many more.
Another possibility is that the REST API is disabled, either by your configuration or by your hosting platform.
What you can do:
Try to understand what blocks our requests.
Alter the configuration of your security solution or add an exception/whitelist our IP address.
If the security solution has been installed by your hosting provider, you may need to contact them.
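The error cases above can be told apart from the HTTP status and the response body alone. The following Python sketch is an added example, not code from our integration: it builds the Authorization header from the username and Application Password, and maps a response to the matching section of this page. The function names, hint keys and sample responses are assumptions made up for the illustration.

```python
import base64
import json

# Hints paraphrase this page's sections; the keys are names chosen for this example.
HINTS = {
    "ok": "Request accepted.",
    "rest_cannot_create": "Check security plugins, user privileges, project domain and protocol.",
    "rest_forbidden_context": "Check password type, Wordfence, user role, Authorization header.",
    "server_error": "Server-side error: check the website's error log.",
    "non_json": "Likely blocked by a protection layer, or the REST API is disabled.",
    "other": "Not covered by this page: note the HTTP status and error code.",
}

def basic_auth_header(username, app_password):
    """Build the Basic auth value from the username (not the password label)."""
    raw = f"{username}:{app_password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def diagnose(status, body):
    """Return a HINTS key for an HTTP status and raw response body."""
    if status >= 500:
        return "server_error"
    try:
        data = json.loads(body)
    except ValueError:
        return "non_json"  # e.g. an HTML block page from a security solution
    # A successful list request returns a JSON array, so guard the lookup.
    code = data.get("code") if isinstance(data, dict) else None
    if status == 401 and code in ("rest_cannot_create", "rest_forbidden_context"):
        return code
    if 200 <= status < 300:
        return "ok"
    return "other"

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    (401, '{"code":"rest_cannot_create","message":"Sorry, you are not allowed '
          'to create posts as this user.","data":{"status":401}}'),
    (401, '{"code":"rest_forbidden_context","message":"...","data":{"status":401}}'),
    (403, "<!DOCTYPE html><html><head><title>Access denied</title></head></html>"),
    (500, "<html><body>Internal Server Error</body></html>"),
    (201, '{"id": 123, "status": "draft"}'),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        key = diagnose(status, body)
        print(status, key, "-", HINTS[key])
```
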
Updated on: 19/12/2024