sfw/fix
Invalid JSON high

Updating Failed: The Response Is Not a Valid JSON Response

The block editor's REST API call came back as HTML instead of JSON, so Gutenberg can't save, update, or publish.

What you see

Updating failed. The response is not a valid JSON response.
(also: "Publishing failed. The response is not a valid JSON response.")

What’s actually happening

You hit Update or Publish in the block editor and get this banner; the post won't save. Gutenberg talks to /wp-json/ over the REST API and expects JSON back. Instead it got something else — an HTML 404 page, a redirect, a PHP warning, or a WAF block page — and JSON.parse choked. The post content is usually fine; the request to store it never completed cleanly. Tools -> Site Health almost always flags the REST API at the same time.

Common causes

  • Permalinks set to 'Plain', so pretty /wp-json/ routes 404 and return an HTML error page
  • The Site Address / WordPress Address mixing http and https, or www and non-www, causing the REST call to redirect
  • A security plugin or server WAF blocking POST requests to /wp-json/
  • A plugin or theme echoing a PHP notice or whitespace before the JSON, corrupting the response body
  • An SSL or mixed-content problem so the editor's HTTPS request to the API fails

How to fix it

  1. Re-save your permalinksGo to Settings -> Permalinks, switch off 'Plain' to a pretty structure like Post name, and click Save Changes. That re-registers the rewrite rules the REST API rides on and flushes .htaccess. This one step fixes the majority of these — plain permalinks break /wp-json/ routing outright.
  2. Test the REST API directlyOpen https://yourdomain.com/wp-json/ in a browser. Valid JSON (a wall of {"name":...}) means the API works and the issue is elsewhere. An HTML 404, a login page, or a 403 tells you exactly what's intercepting it — routing, a redirect, or a firewall.
  3. Run Site Health and read the REST resultTools -> Site Health spells out 'The REST API encountered an error' and often the HTTP status it got back. A 403 points at a security plugin or WAF; a 301/302 points at an http/https or www mismatch in Settings -> General.
  4. Whitelist /wp-json/ in your security layerIf a security plugin (Wordfence, iThemes) or a host WAF is blocking the endpoint, allow POST to /wp-json/wp/v2/ for logged-in editors. Toggle the plugin off briefly to confirm it's the blocker before adding the rule.
  5. Hunt down stray outputIf /wp-json/ shows JSON but with a PHP warning or blank lines on top, a plugin or functions.php is printing before the response. Enable WP_DEBUG_LOG, find what's emitting it, and stop the early output (usually a closing ?> with trailing whitespace).

Stop it recurring

Keep permalinks on a pretty structure and one canonical http(s)+host, and confirm /wp-json/ returns JSON after any security-plugin or server change.

Related errors

REST API: Sorry, You Are Not Allowed to Do That (rest_forbidden / 401)

high

Something is blocking authenticated /wp-json/ requests, so the editor, Site Health, and integrations get rejected as unauthorized.

Mixed Content Warning

medium

Mixed content is an HTTPS page loading some resources over insecure HTTP — it breaks the padlock and blocks assets.

WordPress White Screen of Death

critical

A blank white page with no error is WordPress’s "white screen of death" — a fatal error with display turned off.

Error Establishing a Database Connection

critical

WordPress can’t reach its database — the whole site goes down with this single line. Here’s how to restore it.