Fix wp-json API 403 Forbidden in WordPress (Full Guide)

Learn how to fix the wp-json API 403 Forbidden error in WordPress using PHP, .htaccess, firewall settings, and plugin configurations. This comprehensive guide is for site owners, developers, SEO specialists, and IT teams looking to troubleshoot REST API issues effectively.

Introduction

The WordPress REST API, accessible via the wp-json endpoint, plays a crucial role in how WordPress communicates with its internal and external components. Whether you’re using the Gutenberg editor, a mobile app, WooCommerce, or SEO tools like RankMath or Yoast, the REST API ensures seamless data exchange.

A 403 Forbidden error on the wp-json endpoint means the server has denied access to the REST API. This is a serious issue that can disrupt plugin operations, break frontend functionalities, and even interfere with SEO data retrieval. In this guide, we’ll explore the root causes of this error and how to fix it using proven methods.

What Is the wp-json API and Why It Matters

What is the wp-json Endpoint in WordPress?

The wp-json endpoint is the base path of the WordPress REST API, typically found at:

https://yourdomain.com/wp-json/

It provides structured JSON responses and allows remote apps, plugins, or scripts to interact with WordPress in a secure and scalable way.

Use Cases That Rely on REST API

  • The Gutenberg block editor loads blocks and autosaves content via REST API.
  • SEO plugins like RankMath and Yoast access REST routes to manage metadata.
  • Mobile apps and frontend frameworks (like React or Vue) depend on it.
  • WooCommerce relies on REST API for managing products, carts, and orders.

If wp-json is blocked, many of these features will fail or degrade.

Symptoms of wp-json API 403 Forbidden Error

HTTP Response Code 403

When visiting yourdomain.com/wp-json/, you may receive:

403 Forbidden

This indicates that your server has received the request but is rejecting it due to permission, firewall, or access control rules.


Error Logs and Plugin Messages

  • REST API request failed messages in Site Health
  • SEO plugins reporting missing API response
  • AJAX requests failing silently or logging permission errors

These are all red flags that wp-json access is blocked.

Common Causes of wp-json 403 Forbidden Error

Security Plugins Blocking REST API

Popular WordPress security plugins like Wordfence, iThemes Security, and All In One WP Security often disable or restrict REST API access by default to reduce exposure to attacks.

If the error disappears after disabling these plugins, you’ll need to reconfigure their settings to whitelist REST API endpoints.

ModSecurity or Web Server Firewall

Apache servers with ModSecurity enabled may trigger false positives on wp-json endpoints because of the JSON payloads the API sends and receives. Common ModSecurity rules that block the REST API include 981173 and 981257.

Disabling or tweaking these rules may be necessary.

Cloudflare or Other WAFs

Web Application Firewalls (WAFs) like Cloudflare, Sucuri, or Imunify360 may consider REST API traffic suspicious. Cloudflare may block or challenge requests to /wp-json due to heuristic pattern matches.

Adding a bypass rule for /wp-json/ in Cloudflare’s firewall settings often resolves the issue.

.htaccess Rules or NGINX Config

Incorrect or overly restrictive .htaccess rules can block access to REST endpoints:

<Files wp-json>
  Deny from all
</Files>

Similarly, in NGINX, directives like:

location ~ ^/wp-json { deny all; }

…may cause a 403 Forbidden error.

CORS Policy or HTTP Auth Restrictions

Cross-Origin Resource Sharing (CORS) misconfigurations are common when accessing REST API from external frontend frameworks. If the origin isn’t allowed, the browser or server will block the request, often with a 403.

You may also see 403 if the API expects authenticated headers (such as JWT, cookies, or basic auth) and they’re missing.

Permission or Capability Restriction

Sometimes, wp-json requires logged-in users or specific capabilities to return data. Plugins or theme functions can block access using this filter:

// Returning a WP_Error from this filter rejects every REST request,
// authenticated or not, with the status given here (403).
add_filter( 'rest_authentication_errors', function() {
    return new WP_Error( 'rest_disabled', 'REST API disabled', ['status' => 403] );
});

This disables access even when requests are properly formed.

Hosting-Level Blocking

Shared hosting environments or low-cost hosts may restrict access to wp-json for performance or security reasons. These restrictions are often enforced at the server level and can only be resolved via support tickets.

How to Fix wp-json API 403 Forbidden (Step-by-Step)

Step 1: Disable Security Plugins Temporarily

Temporarily disable security-related plugins one at a time and test if wp-json returns normally.

If access is restored, look into plugin settings for options like:

  • Disable REST API restrictions
  • Allow anonymous access to specific routes
  • Whitelist endpoint: /wp-json/

Step 2: Check .htaccess or NGINX Config

Review .htaccess for any lines like:

RewriteRule ^wp-json - [F,L]

Or:

<FilesMatch "wp-json">
  Deny from all
</FilesMatch>

Remove or comment out these rules. On NGINX servers, ensure no deny all directive applies to /wp-json/.

Step 3: Whitelist REST API in ModSecurity

If your hosting uses ModSecurity (common in cPanel/WHM environments):

  • Access ModSecurity > Domains
  • Disable it temporarily for testing
  • Or ask your host to whitelist the rule ID causing false positives

You can often find the rule ID in your server’s error logs.

Step 4: Adjust Cloudflare WAF Rules

  • Go to Cloudflare Dashboard > Security > WAF
  • Create a firewall rule:
      • Field: URI Path
      • Operator: contains
      • Value: /wp-json
      • Action: Allow

Also, consider disabling “Browser Integrity Check” and setting “Security Level” to “Essentially Off” during debugging, then restore both once the cause is found.

Step 5: Fix CORS or Fetch-related Errors

If frontend JavaScript calls the REST API from another origin, the server must send the right CORS headers. A wildcard origin is the quick test. In .htaccess:

<IfModule mod_headers.c>
  Header set Access-Control-Allow-Origin "*"
</IfModule>

Or for NGINX:

add_header 'Access-Control-Allow-Origin' '*';

Treat the wildcard as a debugging setting: browsers reject the response to a credentialed request (cookies or an Authorization header) when the allowed origin is *, so a cookie- or token-authenticated frontend needs its exact origin instead (for example https://app.yourdomain.com), and the allowed origin should be limited to the sites that actually need it. Test with authenticated requests if needed.

Step 6: Remove Custom Code Blocking REST API

Check your functions.php and custom plugins for this type of filter:

// Blanket block: ignores $result (decisions made by other plugins) and denies every request.
add_filter( 'rest_authentication_errors', function( $result ) {
  return new WP_Error( 'rest_disabled', 'Access Denied', [ 'status' => 403 ] );
});

Remove or modify it to allow legitimate API calls.
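Rather than deleting the filter outright, it can be narrowed. The code below is an added example, not code from the original article or from WordPress itself: it replaces the blanket block shown in Step 6 (and in the "Permission or Capability Restriction" section above) with a scoped version that leaves a constructed allow-list of read-only routes open to anonymous callers, requires a login for everything else, honors decisions made by earlier filters, and answers with 401 ("authenticate first") instead of 403. It assumes it runs inside WordPress (WP_Error, add_filter, is_user_logged_in, untrailingslashit and the rest_route query var are core); the names prefixed wpjson_example_ are hypothetical.

```php
<?php
// Added example, not from the original article: a scoped replacement for the
// blanket rest_authentication_errors block. Assumes it runs inside WordPress;
// wpjson_example_* names are hypothetical and the route list is constructed.

/**
 * True when $route (e.g. "/wp/v2/posts/12") falls under one of $public_prefixes.
 * Matches on a path boundary so "/wp/v2/posts" does not also match "/wp/v2/postsX".
 */
function wpjson_example_is_public_route( string $route, array $public_prefixes ): bool {
    foreach ( $public_prefixes as $prefix ) {
        if ( $route === $prefix || strpos( $route, $prefix . '/' ) === 0 ) {
            return true;
        }
    }
    return false;
}

/**
 * Decide the authentication result for one REST request.
 * Pure function (no WordPress globals) so it can be exercised without a site.
 *
 * @param WP_Error|null|true $result    Decision from an earlier filter, if any.
 * @param string             $route     REST route such as "/wp/v2/users".
 * @param string             $method    HTTP method.
 * @param bool               $logged_in Whether the request is authenticated.
 * @return WP_Error|null|true
 */
function wpjson_example_authentication_errors( $result, string $route, string $method, bool $logged_in ) {
    // Respect a decision another plugin already made (an error, or an explicit true).
    if ( ! empty( $result ) ) {
        return $result;
    }
    // CORS preflights carry no credentials; let core answer them.
    if ( 'OPTIONS' === $method ) {
        return null;
    }

    // Constructed allow-list: anonymous reads of posts, pages, categories and
    // the API index. Everything else (users, settings, WooCommerce, ...) needs a login.
    $public_prefixes = [ '/wp/v2/posts', '/wp/v2/pages', '/wp/v2/categories' ];
    $is_read         = in_array( $method, [ 'GET', 'HEAD' ], true );

    if ( $is_read && ( '/' === $route || wpjson_example_is_public_route( $route, $public_prefixes ) ) ) {
        return null; // fall through to core's normal handling
    }
    if ( $logged_in ) {
        return null; // each route's own permission_callback still applies
    }
    // 401 rather than 403: the client is told to authenticate, not that it is banned.
    return new WP_Error(
        'rest_not_logged_in',
        'You must be authenticated to use this endpoint.',
        [ 'status' => 401 ]
    );
}

// Default priority (10): core's cookie-nonce check on the same filter (priority 100)
// still runs afterwards for requests this callback lets through.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // The same source core uses to find the route (wp-includes/rest-api.php).
    $route = untrailingslashit( $GLOBALS['wp']->query_vars['rest_route'] ?? '' );
    if ( '' === $route ) {
        $route = '/';
    }
    return wpjson_example_authentication_errors(
        $result,
        $route,
        $_SERVER['REQUEST_METHOD'] ?? 'GET',
        is_user_logged_in()
    );
} );
```

Keeping the decision in a function that takes plain values (route, method, logged-in flag) means the policy can be unit-tested without a WordPress install, and the list of public prefixes is the only thing to adjust per site.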

Step 7: Contact Hosting Support

If all else fails, your host may be enforcing a block from their firewall or WAF (like Imunify360). Ask them to:

  • Review firewall logs
  • Whitelist /wp-json/ endpoint
  • Disable restrictive ModSecurity rules for your domain

Testing wp-json API After Fixing

Test in Browser or Curl

Run this command in your terminal:

curl -I https://yourdomain.com/wp-json/

Expect a 200 OK response. Drop the -I (which sends a HEAD request and shows only headers) to see the JSON index itself.

Test with Authenticated Requests

Use application passwords or tokens to access private endpoints like:

curl --user "admin:app-password" https://yourdomain.com/wp-json/wp/v2/posts

Ensure you get a proper list of posts, not a 403.
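When the test still returns 403, the response itself usually says which layer produced it, which decides whether to go back to the PHP filters, the WAF, or the web server. The script below is an added example, not code from the original article: it parses a raw HTTP response and classifies it using three heuristics (WordPress answers with a JSON body carrying code and data.status; Cloudflare adds a cf-ray header to everything it proxies; Apache and NGINX send HTML default 403 pages). It runs on constructed sample responses so it works offline; the cf-ray value is a placeholder, the wpjson_example_* names are hypothetical, and the optional live probe assumes PHP's curl extension is loaded.

```php
<?php
// Added example, not from the original article: classify a wp-json response by
// the layer that most likely produced it. Heuristics, not guarantees.

/** Parse a raw "headers\r\n\r\nbody" HTTP response into [status, headers, body]. */
function wpjson_example_parse_response( string $raw ): array {
    [ $head, $body ] = array_pad( explode( "\r\n\r\n", $raw, 2 ), 2, '' );
    $lines   = explode( "\r\n", $head );
    $status  = (int) ( explode( ' ', array_shift( $lines ) )[1] ?? 0 );
    $headers = [];
    foreach ( $lines as $line ) {
        if ( strpos( $line, ':' ) !== false ) {
            [ $name, $value ] = explode( ':', $line, 2 );
            $headers[ strtolower( trim( $name ) ) ] = trim( $value ); // case-insensitive keys
        }
    }
    return [ $status, $headers, $body ];
}

/** Return a short verdict naming the layer to investigate. */
function wpjson_example_classify( int $status, array $headers, string $body ): string {
    $json = json_decode( $body, true );
    if ( 200 === $status && is_array( $json ) && isset( $json['namespaces'] ) ) {
        return 'ok: REST index served by WordPress';
    }
    if ( is_array( $json ) && isset( $json['code'], $json['data']['status'] ) ) {
        // WordPress built this error: check rest_authentication_errors filters,
        // security-plugin settings, or the route's permission_callback.
        return 'wordpress: ' . $json['code'] . ' (HTTP ' . $json['data']['status'] . ')';
    }
    if ( isset( $headers['cf-ray'] ) ) {
        // Non-JSON response that came through Cloudflare: WAF rule or challenge page.
        return 'cloudflare: WAF rule, challenge, or Browser Integrity Check';
    }
    if ( 403 === $status && stripos( $body, "don't have permission" ) !== false ) {
        // Apache's stock 403 page: .htaccess Deny rules or ModSecurity.
        return 'apache: .htaccess/ModSecurity (check the Apache error log for a rule id)';
    }
    if ( 403 === $status && stripos( $body, 'nginx' ) !== false ) {
        return 'nginx: deny directive in a location block';
    }
    return 'unknown (HTTP ' . $status . ')';
}

/** Optional live probe: fetch $url with the curl extension and return [status, headers, body]. */
function wpjson_example_probe( string $url ): array {
    $ch = curl_init( $url );
    curl_setopt_array( $ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,   // include headers in the returned string
        CURLOPT_FOLLOWLOCATION => false,  // a redirect is itself a finding
        CURLOPT_TIMEOUT        => 15,
    ] );
    $raw = curl_exec( $ch );
    curl_close( $ch );
    return wpjson_example_parse_response( false === $raw ? '' : $raw );
}

// Constructed sample responses standing in for real probes (offline demo).
$samples = [
    'filter'     => "HTTP/1.1 403 Forbidden\r\nContent-Type: application/json\r\n\r\n"
                  . '{"code":"rest_disabled","message":"REST API disabled","data":{"status":403}}',
    'cloudflare' => "HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\nCF-RAY: 0000000000000000-XXX\r\n\r\n"
                  . '<html><body>Access denied</body></html>',
    'apache'     => "HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n\r\n"
                  . "<html><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p></body></html>",
];
foreach ( $samples as $label => $raw ) {
    [ $status, $headers, $body ] = wpjson_example_parse_response( $raw );
    echo str_pad( $label, 12 ) . wpjson_example_classify( $status, $headers, $body ) . PHP_EOL;
}
// Live check: [ $s, $h, $b ] = wpjson_example_probe( 'https://yourdomain.com/wp-json/' );
```

The JSON check runs first on purpose: a WordPress-generated error passing through Cloudflare still carries a cf-ray header, but the JSON body proves the request reached PHP, so the CDN is not the layer to fix.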

Best Practices to Avoid wp-json 403 in the Future

  • Don’t block REST API globally unless you understand the impact
  • After installing security plugins, re-test /wp-json/ manually
  • Keep .htaccess backups before editing
  • Use proper CORS headers if making cross-origin requests
  • Avoid custom filters that interfere with rest_authentication_errors unless necessary
  • Document any firewall or WAF changes made for future reference

Conclusion

The wp-json 403 Forbidden error is more than just a minor nuisance — it can break essential functionality for your plugins, themes, mobile apps, and SEO tools. Fortunately, the issue is usually caused by security layers, plugin misconfigurations, or server rules.

By methodically testing and fixing each potential layer — plugin, .htaccess, ModSecurity, Cloudflare, CORS, and PHP filters — you can safely restore access to your REST API and prevent future issues. If you’re unsure, don’t hesitate to involve your hosting provider or technical SEO team.
