sfw/fix
REST API high

WordPress "Updating failed." / "Publishing failed." (Block Editor)

The block editor can't get a valid JSON reply from the REST API, so saves and publishes fail.

What you see

Updating failed. The response is not a valid JSON response.
Publishing failed. The response is not a valid JSON response.

What’s actually happening

You hit Update or Publish in the block editor and a red bar drops down saying the save failed. The post often did save — reload and the content is there — but the editor never got a clean answer back. Both messages mean the same thing: the editor POSTed to /wp-json/wp/v2/posts and what came back wasn't parseable JSON. The classic editor doesn't depend on this path, which is why the page works there but not in Gutenberg.

Common causes

  • A security plugin or WAF (Wordfence, Sucuri, server mod_security) is blocking or 403-ing requests to /wp-json/.
  • Broken or non-standard permalinks, so /wp-json/ doesn't route — common right after a migration or a switch to plain permalinks.
  • PHP output corrupting the response — a notice, warning, or stray echo prepended before the JSON makes it un-parseable (the REST sibling of the cookies/headers bug).
  • The site URL or REST URL is wrong (http vs https, www mismatch, or a CDN/proxy rewriting the host), so the editor's fetch hits the wrong origin and gets a redirect or HTML.
  • A must-use plugin or output-buffering tweak injecting HTML (a debug bar, a 'powered by' comment) into REST responses.

How to fix it

  1. Read Site Health firstTools > Site Health > Status surfaces 'The REST API encountered an error' with the actual HTTP status and response body. That one panel usually names the cause — a 403 points at a security plugin/WAF; a 404 points at permalinks; raw HTML in the body points at PHP output.
  2. Hit the endpoint directlyFrom a terminal: curl -i https://example.com/wp-json/wp/v2/types — a 200 with JSON means REST is healthy and the editor config is wrong; a 403 is a firewall; a 404 is permalinks; HTML/PHP warnings on top of the JSON is stray output. This isolates the layer in one command.
  3. Flush permalinksSettings > Permalinks > Save Changes (no edits needed) rewrites the rules and re-registers REST routes. Fixes the 404 case, especially post-migration. If you're on plain permalinks, switch to 'Post name' first.
  4. Disable the security layer to confirmTemporarily deactivate Wordfence/Sucuri or ask the host to pause mod_security, then retry the save. If it works, re-enable and add an allow rule for /wp-json/ rather than leaving protection off.
  5. Kill stray PHP outputIf curl shows a notice or HTML above the JSON, enable WP_DEBUG_LOG, find the file:line in debug.log, and fix it — same root cause as the cookies-blocked error. Also confirm display_errors = Off in production so notices never reach the response body.

Stop it recurring

After any migration, re-save permalinks and run Site Health, and keep display_errors off so REST responses stay clean JSON.

Related errors

WordPress "Error: Cookies are blocked due to unexpected output"

high

Stray output before the login headers stops WordPress from setting the auth cookie, so login fails.

WordPress "The link you followed has expired"

medium

WordPress rejects a form POST because it exceeded PHP's upload size limits or the security nonce timed out.

WordPress "Sorry, you are not allowed to access this page"

high

WordPress denies wp-admin because your user's role/capabilities are missing or the table prefix doesn't match the database.

WordPress White Screen of Death

critical

A blank white page with no error is WordPress’s "white screen of death" — a fatal error with display turned off.