WordPress REST API Blocked or Not Working

Why the REST API matters

The WordPress REST API is the communication layer between the browser and the server for many core WordPress functions. The Gutenberg Block Editor relies on it. WooCommerce uses it. Contact Form 7, Elementor, and dozens of other common plugins depend on it for dynamic behavior. When the REST API is blocked or broken, features that depend on it fail in ways that often don’t show obvious error messages.

Loupely’s own connection between the Chrome extension and the WordPress plugin uses an authenticated REST API endpoint. If the REST API is blocked on your site, Loupely won’t be able to retrieve server-side diagnostic data, and the diagnosis will return browser-only results. This is often how a REST API problem first becomes visible in Loupely’s output.

How to test whether the REST API is responding

Navigate to https://yoursite.com/wp-json/ in a browser tab. If it loads and returns a JSON response (a page of structured text starting with a curly brace), the REST API is working. If it returns a 403 error, a blank page, or your site’s 404 page, the REST API is blocked or broken.
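The same check can be scripted. The following is an added example, not code from Loupely or WordPress: it classifies a /wp-json/ response into the outcomes listed above, and goes one step further by separating a JSON error returned by WordPress from an HTML block page. The function names, the result labels and the sample responses are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Map a /wp-json/ response to the outcomes described above."""
    text = body.strip()
    try:
        data = json.loads(text) if text else None
    except ValueError:
        data = None
    if isinstance(data, dict):
        if status >= 400 and "code" in data and "message" in data:
            # Assumption: a JSON error object means WordPress itself answered
            # and refused the request (plugin or logged-in-only restriction),
            # rather than a CDN or server firewall returning an HTML block page.
            return "refused-by-wordpress"
        if status == 200:
            return "working"
    if status == 403:
        return "blocked-403"
    if status == 404:
        return "not-found"
    return "blank" if not text else "not-json"


def check(site):
    """Fetch <site>/wp-json/ and return (status, classification)."""
    req = urllib.request.Request(site.rstrip("/") + "/wp-json/")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    return status, classify(status, body.decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real site).
SAMPLES = [
    (200, '{"name": "Example Site", "namespaces": ["wp/v2"]}'),
    (401, '{"code": "rest_not_logged_in", "message": "Login required."}'),
    (403, "<html><body>Forbidden</body></html>"),
    (200, ""),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, classify(status, body))
```

Call check("https://yoursite.com") to test a live site. A firewall may treat a script differently from a browser, so confirm a blocked result in a browser tab as well.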

The most common causes

Security plugin blocking REST API requests

Security plugins like Wordfence, WP Cerber, iThemes Security, and others include settings to restrict or disable the REST API. Some apply these settings by default. If your REST API stopped working after installing or updating a security plugin, check that plugin’s settings for REST API or hardening sections. Most offer a “restrict to logged-in users” option rather than a full block, which is safer and less likely to break functionality.

Cloudflare or CDN firewall rule

If your site is behind Cloudflare or another CDN, a firewall rule may be treating REST API requests as automated traffic and blocking them. Check your CDN’s firewall rules for any that apply to /wp-json/ paths. Adding an exception for the wp-json endpoint typically resolves this without meaningfully reducing security.

Hosting server firewall

Some shared hosting environments include server-level ModSecurity rules that block REST API calls as a false positive. Contact your hosting provider’s support with the specific endpoint that’s returning a 403, and ask whether a server-level firewall rule is blocking it.

REST API fully disabled by a plugin

Some plugins exist specifically to disable the REST API entirely, marketed as a security measure. Completely disabling the REST API breaks the Block Editor, Site Health, and many plugins. If you find a “Disable REST API” plugin active on your site, deactivating it is almost certainly the right move. Restricting REST API access to authenticated users is a safer alternative.

After restoring the REST API

Once /wp-json/ loads normally again, re-run a Loupely diagnosis to confirm the server-side layer is working. The extension should show “Connected” status rather than browser-only mode.