Step 3

WordPress REST API Check

Check if your WordPress REST API is active, learn the key endpoints, and configure security settings.

10 min

What is the REST API?

The REST API allows WordPress to provide its content (posts, pages, categories, media) in JSON format to the outside world. In a headless architecture, Next.js uses this API to fetch content.

Check if the API is Active

Open the following address in your browser (replace with your own site's URL):

https://example.com/wp-json/wp/v2/posts

If you see your posts in JSON format, the API is active! 🎉

Common Endpoints

The WordPress REST API offers many endpoints:

| Endpoint | Description |
| --- | --- |
| /wp-json/wp/v2/posts | Blog posts |
| /wp-json/wp/v2/pages | Pages |
| /wp-json/wp/v2/categories | Categories |
| /wp-json/wp/v2/tags | Tags |
| /wp-json/wp/v2/media | Images and media |
| /wp-json/wp/v2/users | Authors |
| /wp-json/wp/v2/comments | Comments |

Important Parameters

# Get first 10 posts
/wp-json/wp/v2/posts?per_page=10

# With embedded data (images, authors)
/wp-json/wp/v2/posts?_embed

# Filter posts by category
/wp-json/wp/v2/posts?categories=5

# Find post by slug
/wp-json/wp/v2/posts?slug=hello-world

What to Do if the API is Blocked?

If the API isn't working, check these common reasons:

1. Security Plugin Interference

Plugins like Wordfence, iThemes Security, or All In One WP Security can disable the API.

  • Go to the plugin settings
  • Find the 'REST API' or 'JSON API' setting
  • Enable the API or add your frontend to the whitelist

2. Permalink Structure

Navigate to Settings > Permalinks in WordPress and choose any option other than 'Plain'.

3. .htaccess Issues

On Apache servers, the .htaccess file might be blocking the API.

CORS Settings

Since Next.js will access the API from a different domain, you may need to grant CORS permission. Add this code to your WordPress site:

In your functions.php file:

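add_action('rest_api_init', function() {
    // Remove WordPress's default CORS handler so only the headers below are sent.
    remove_filter('rest_pre_serve_request', 'rest_send_cors_headers');
    add_filter('rest_pre_serve_request', function($value) {
        // '*' lets scripts on any website read API responses; suitable only for public content.
        header('Access-Control-Allow-Origin: *');
        // Methods and request headers that cross-origin callers are allowed to use.
        header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
        header('Access-Control-Allow-Headers: Content-Type');
        return $value;
    });
});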
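
A more restrictive variant of the snippet above, added here as an example and not part of the original tutorial: it sends CORS headers only to an explicit allow-list of frontend origins and advertises read-only methods. The listed origins and the `headless_*` names are assumptions; replace the origins with your own Next.js URLs and place the code in functions.php.

```php
// Added example. Hypothetical values: these origins stand in for your
// real Next.js frontend(s).
const HEADLESS_ALLOWED_ORIGINS = array(
    'https://frontend.example.com', // assumed production frontend
    'http://localhost:3000',        // assumed local Next.js dev server
);

// Returns the origin to echo back, or null when it is not on the list.
// Exact string comparison only: no prefix, suffix or regex matching.
function headless_match_origin( $origin, array $allowed ) {
    if ( ! is_string( $origin ) || '' === $origin ) {
        return null; // no Origin header: same-origin or non-browser request
    }
    return in_array( $origin, $allowed, true ) ? $origin : null;
}

// Priority 15 runs after WordPress registers its default REST filters.
add_action( 'rest_api_init', function () {
    // Drop the default CORS handler so only the headers below are sent.
    remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );

    add_filter( 'rest_pre_serve_request', function ( $served ) {
        // Tell caches the response differs per requesting origin.
        header( 'Vary: Origin', false );

        $origin = headless_match_origin( get_http_origin(), HEADLESS_ALLOWED_ORIGINS );
        if ( null !== $origin ) {
            header( 'Access-Control-Allow-Origin: ' . $origin );
            // Read-only: the frontend fetches content and never writes.
            header( 'Access-Control-Allow-Methods: GET, OPTIONS' );
            header( 'Access-Control-Allow-Headers: Content-Type' );
        }
        // Origins not on the list get no CORS headers, so browsers
        // refuse to expose the response to their scripts.
        return $served;
    } );
}, 15 );
```

CORS only controls what browser scripts on other sites may read; it does not replace authentication on write endpoints.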

API Security Best Practices

  • Keep only read (GET) endpoints public
  • Require authentication for write operations (POST, PUT, DELETE)
  • Implement rate limiting to prevent abuse
