WordPress REST API is disabled — how to re-enable it for Specter
Specter syncs through the WordPress REST API. If the API is off — or being blocked before Specter’s request reaches it — nothing works. The symptoms are recognizable.
Symptoms
- Specter shows “REST API is disabled” or “couldn’t reach the API”
https://yoursite.com/wp-json/returns a 404 in a browserhttps://yoursite.com/wp-json/returns a 403 or a “disabled” message- Auth succeeds in tests but every actual sync request errors out
Quick test
Before anything else, run this in a terminal:
curl https://yoursite.com/wp-json/If the REST API is healthy, you’ll get a JSON response describing the site — namespaces, routes, authentication. If you get anything else (404, 403, HTML, an empty body), the API is being blocked or disabled and one of the causes below is the reason.
Cause 1: a “Disable REST API” plugin
What it is. Plugins literally named “Disable REST API,” “WP Hide & Security Enhancer,” and a handful of similar ones turn off /wp-json/ either entirely or for unauthenticated users. People install them as a hardening step, often years ago, and forget they’re running.
Fix. In wp-admin, go to Plugins and search for “disable,” “REST,” and “hide.” If you find one, either deactivate it, or open its settings and whitelist Specter — most of these plugins let you allow specific routes or authenticated users through. Once Specter has an Application Password, it authenticates on every request, so an “allow authenticated users” toggle is usually all you need.
Cause 2: a security plugin blocking the API
What it is. Wordfence, iThemes Security (now Solid Security), Sucuri, and All-In-One Security all ship with options to block or restrict /wp-json/. These are on by default in some configurations because unauthenticated REST API probes are a common reconnaissance pattern.
Fix. Open the security plugin’s settings and look for:
- Wordfence → Firewall → All Firewall Options → Advanced — check for blocked URLs that match
/wp-json. Also check Blocking for matched rules. - iThemes / Solid Security → Settings → WordPress Tweaks or Advanced — look for “Disable REST API” and set it to “Restrict access” (allow logged-in or authenticated users) rather than “Disable for all.”
- Sucuri → Firewall (WAF) and Hardening — check for REST API restriction rules.
- All-In-One Security → WP REST API Security — disable or allow authenticated access.
The pattern is the same across them: don’t turn protection off, just allow authenticated requests through. Specter always authenticates with an Application Password.
Cause 3: .htaccess rules
What it is. On Apache hosts, someone may have added rules to .htaccess that block /wp-json/ directly. Hand-rolled hardening, or copy-pasted from a “secure your WordPress” guide.
Fix. Open .htaccess at the WordPress root and look for any block that mentions wp-json or RewriteRule.*wp-json. A common offender looks like:
RewriteRule ^wp-json/.* - [F,L]Remove or comment out the rule, then retest with the curl command above. If .htaccess was put there by a security plugin, fix it inside the plugin’s settings instead — the plugin will overwrite manual edits on its next save.
Cause 4: custom code in functions.php (or a must-use plugin)
What it is. Theme functions.php files sometimes contain a snippet that disables the REST API entirely, often added years ago when “disable the REST API” was the prevailing security advice. The snippet usually looks like one of these:
add_filter('rest_authentication_errors', function ($result) {
return new WP_Error('rest_disabled', 'REST API is disabled.', ['status' => 401]);
});add_filter('rest_enabled', '__return_false');
add_filter('rest_jsonp_enabled', '__return_false');Fix. Remove the snippet, or wrap it so authenticated requests pass through. The minimum change is to let any logged-in user (Specter, via Application Password) succeed:
add_filter('rest_authentication_errors', function ($result) {
if (!is_user_logged_in()) {
return new WP_Error('rest_disabled', 'REST API is disabled.', ['status' => 401]);
}
return $result;
});Also check wp-content/mu-plugins/ — must-use plugins load automatically and can contain the same kind of filter without showing up on the regular plugins screen.
After the fix
Re-run the curl command. You should see JSON. Then retry the connection from Specter. If /wp-json/ returns JSON but Specter still can’t sync, the problem has moved upstream — see the connection failed walkthrough for the rest of the checks (URL, username, Application Password formatting, Cloudflare, Basic Auth). If you haven’t connected Specter to this site before, the connect-to-WordPress guide covers the full setup from scratch.
If /wp-json/ still won’t return JSON after walking all four causes, email support@spectersync.com with the curl output and the list of security plugins active on the site.