Last weekend, I found myself stuck in a strange situation. My WordPress site wasn’t working the way it should. I couldn’t update posts using the block editor, and some themes and plugins behaved like they were haunted. What was going on?!
TL;DR (Too Long; Didn’t Read)
My site broke because the REST API was being blocked by my hosting company’s firewall. This API is crucial for modern WordPress features like the block editor and plugin communication. After lots of head scratching, I fixed it by adding the right headers to a whitelist. It was a small tweak that made all the difference.
What Even Is the WordPress REST API?
The REST API is like WordPress’s messenger. It lets your WordPress site talk to other software. This could be the block editor, mobile apps, or even third-party tools.
Think of it like a waiter in a restaurant. You ask for a menu item (a post or comment), and the API goes to the kitchen (the server) and brings it back. Simple as that.
The Problem: A Case of Vanishing Menus
One morning, I logged into my WordPress site expecting to write a sparkling new blog post. But the block editor wasn’t loading. I couldn’t click anything. The sidebar was empty. Menus? Gone. Plugins? Misbehaving.
I opened my developer tools (F12 if you’re curious). In the console—and I kid you not—I saw a flood of red errors. One caught my eye:
Failed to load resource: the server responded with a status of 403 (Forbidden)
It was connected to the REST API URL. Something was blocking communication. Something powerful. Something… protective.
The Firewall Villain
That’s when I realized the culprit: my hosting company’s firewall.
Most hosting providers run a firewall to protect your website. This is normally a good thing. It keeps out the bad guys. But sometimes, it gets a little too enthusiastic.
It thought the REST API was a threat and locked it out like an overprotective parent with a curfew. So every time WordPress tried to reach itself using this API, the firewall stepped in and said, “Nope. Forbidden. Access denied.”
How I Figured It Out
I contacted support. Their answer? “Yeah, our Web Application Firewall (WAF) may block some requests based on headers or user-agent.”
Ah! So it wasn’t the URL that was the problem. It was some headers. You know, the little bits of information that come with a web request (like who it’s from, what kind of browser, and other nerdy things).
I ran a test using a tool called Postman. This lets you send API requests without using your browser. I mimicked a WordPress API call, and boom — 403 Forbidden.
One by one, I removed headers. Finally, I found the golden ticket! When I removed the Origin and Referer headers, the request went through. That confirmed it. The firewall thought those headers were shady.
The Solution: Whitelist Those Headers!
I went back to support and asked, “Can I whitelist these headers so the REST API is allowed through?” They said yes. 🎉
Every hosting provider is a little different, but here’s how it worked for me:
- I logged into my hosting control panel.
- Went to the Firewall settings or Security settings.
- Found the Header Whitelist section.
- Added Origin and Referer to the list.
- Saved and waited a few minutes.
Then I refreshed my site. And just like magic—it worked. The block editor slid into view like a Broadway star making her entrance. Plugins smiled again. WordPress was happy.
Why This Matters
If your REST API is blocked, several core WordPress features stop working. Here’s what you might run into:
- The block editor won’t load.
- Previewing posts might fail.
- Some plugins lose their magic.
- Mobile apps and external tools can’t reach your site.
So yeah—it’s important. That little messenger known as the REST API keeps your site rolling forward without bumps.
Don’t Panic, Just Troubleshoot
Here’s a short checklist in case it happens to you:
- Check your browser’s console (press F12) for REST errors.
- Use Postman or similar tools to test the REST API manually.
- Reach out to your hosting support and mention possible firewall blocks.
- Ask for a header whitelist, especially Origin and Referer.
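The header test from “How I Figured It Out”, which the Postman step in the checklist repeats, can be scripted. The Python below is an added example, not part of the original post: it sends each header on its own to find the ones the firewall refuses, then confirms the full request passes without them. The header values, the example.com URL and the simulated firewall are constructed assumptions.

```python
import urllib.error
import urllib.request

def http_status(url, headers, timeout=10):
    """Send one GET with `headers` (urllib adds a default User-Agent if none is given)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 403 and other error statuses arrive as exceptions

def isolate_blocked_headers(headers, send, blocked=403):
    """Work out which request headers make the firewall answer `blocked`.

    `send` takes a dict of headers and returns an HTTP status code.
    Returns (verdict, culprit_header_names).
    """
    if send(dict(headers)) != blocked:
        return "not-blocked", []
    if send({}) == blocked:
        # Even a bare request is refused: the rule is not about these headers.
        return "blocked-without-headers", []
    # Send each header on its own to see which one trips the rule.
    culprits = [name for name, value in headers.items()
                if send({name: value}) == blocked]
    # Confirm: the full request minus the culprits must now pass.
    cleaned = {k: v for k, v in headers.items() if k not in culprits}
    if not culprits or send(cleaned) == blocked:
        return "combination-of-headers", culprits
    return "single-headers", culprits

# Constructed sample request headers, similar to what a browser sends.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "Accept": "application/json",
    "Origin": "https://example.com",
    "Referer": "https://example.com/wp-admin/post-new.php",
}

def simulated_waf(headers):
    """Constructed stand-in for the firewall: refuses Origin or Referer."""
    return 403 if {"Origin", "Referer"} & set(headers) else 200

if __name__ == "__main__":
    # Offline demo. Against a site you own, pass this as `send` instead:
    #   lambda h: http_status("https://example.com/wp-json/wp/v2/posts", h)
    print(isolate_blocked_headers(SAMPLE_HEADERS, simulated_waf))
```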
And most of all—don’t feel bad. This happens to a lot of people. Even experienced WordPress users get tripped up by things like this.
Other Gotchas to Watch For
Sometimes, it’s not the firewall. A few other things can block the REST API:
- Caching plugins trying to get too clever.
- Security plugins restricting access to /wp-json.
- An .htaccess rule gone rogue.
If you’re stuck and the firewall isn’t the cause, disable plugins and test again. Bit by bit, you’ll find the troublemaker.
Wrapping It Up
The modern WordPress experience relies on the REST API to make things quick, dynamic, and powerful. When it breaks, it’s like trying to drive a car without a steering wheel.
But don’t fear. The solution might be as simple as whitelisting a couple of headers in your hosting firewall.
Talk to support. Test with tools. Wear your detective hat. And always remember: web development is just a series of small problems disguised as big ones.
In Summary
- The REST API is essential to WordPress features like the block editor.
- Some hosting firewalls block REST API requests based on headers.
- Whitelisting Origin and Referer headers can fix the issue.
- Don’t give up! You’ve got this.
Stay safe out there, REST warriors, and may your headers always be approved.