WordPress How to Fix “Invalid JSON Response” Error (REST API Blocked, Cache, WAF, or Network)

Quick answer: Fix the WordPress “Invalid JSON response” error by making sure the REST API request returns real JSON (not an HTML login/block/error page) and removing whatever is blocking, caching, or rewriting that response (plugins, WAF/CDN rules, redirects, or network filtering).

Use the quick classification below to identify whether this is a browser/session issue, a plugin/theme/cache issue, a server/WAF issue, or a network/TLS inspection issue—then apply the matching fix path.

Quick Fix Checklist

Do these quick checks first so you don’t change settings blindly.

• Note the exact symptom:
  • Fails when clicking Update/Publish in the block editor
  • Fails when saving a page builder layout
  • Fails when uploading media
  • Fails when changing site settings (Customizer/Site Editor)
• Cross-test in 2 minutes:
  • Incognito/private window (no extensions, clean cookies)
  • Another browser (Chrome/Firefox/Safari)
  • Another network (mobile hotspot vs office Wi‑Fi/VPN)
  • Another device (phone vs laptop)

Quick problem classification (pick the closest match):

• A. Works in incognito/private mode → extension conflict, corrupted cookies/local storage, or service worker cache.
• B. Works on one network but not another → proxy/VPN/TLS inspection or network filtering rewriting REST responses.
• C. Works on one device but fails on another → device/browser state, DNS, or local security software.
• D. Started after an update/settings change → plugin/theme conflict, minify/optimization, or cached assets.
• E. Fails everywhere suddenly → host/CDN/WAF outage, rate limiting, or server-side errors.

Before you change anything: open DevTools → Network, reproduce the error, and note the failing request URL + status code (401/403/429/5xx) and whether the response body is JSON or HTML.

Causes (realistic, not generic)

“Invalid JSON response” usually means WordPress expected JSON from the REST API but received something else (often HTML).

• Temporary service outage or degraded backend: REST requests time out or return 5xx from your host, PHP-FPM, database, CDN, or WAF.
• Corrupted local storage, cache, or service worker: stale editor assets, broken service worker, or cached API responses in the browser.
• Browser extension or app overlay conflict: ad blockers, privacy tools, antivirus web shields, password managers, “dark mode” injectors.
• Network filtering, proxy, or TLS inspection: corporate proxies/VPNs rewriting responses, blocking /wp-json/, or injecting HTML warning pages.

On the WordPress/server side, the most common technical triggers are:

• Plugin conflict (security, caching, optimization, “disable REST API”, login/2FA, cookie/headers plugins).
• Cache layers serving cached HTML to REST endpoints (server cache, CDN “cache everything”, misconfigured rules).
• REST API permissions/auth returning 401/403 (nonce/cookie issues, blocked cookies, WAF rules, REST restrictions).
• Rate limiting returning 429 (WAF/CDN/host protection, aggressive bot rules, too many autosaves/requests).
• Redirects/mixed domain (www vs non-www, http vs https) causing REST calls to bounce to HTML pages.

What you observe	Most likely cause	Best first fix
Works in incognito/private mode	Extension conflict or corrupted site data	Disable extensions for wp-admin + clear site data for your domain
Works on hotspot but not office Wi‑Fi/VPN	Proxy/TLS inspection/network filtering	Bypass VPN/proxy; ask IT to allow /wp-json/ and admin-ajax.php without rewriting
Started after plugin/theme update	Plugin/theme conflict or cached/minified assets	Disable caching/security/minify plugins temporarily; purge all caches
Fails everywhere; DevTools shows 403/429/5xx	WAF/CDN rules, rate limiting, or backend errors	Inspect failing REST request + check server/WAF logs; whitelist REST routes

Step-by-Step Fix

Follow these in order. Each step targets a specific symptom so you can stop as soon as it’s fixed.

1) Confirm the REST API is returning JSON (not HTML)

Use this when: you suspect a block page, login page, or cached HTML is being returned instead of JSON.

• Open: https://yourdomain.com/wp-json/
• Expected: JSON output (structured text).
• If you see HTML (login form, “Access denied”, WAF block, maintenance page): something is intercepting the REST API.

Also test a common editor endpoint:

• https://yourdomain.com/wp-json/wp/v2/types/post (may require being logged in)

2) If you cannot sign in or you keep getting logged out: fix session/cookies first

Use this when: you get logged out, see nonce/cookie behavior, or actions fail only when signed in.

• Clear site data for your domain (cookies + local storage), then sign in again.
• Verify WordPress Address (URL) and Site Address (URL) match exactly (http vs https, www vs non‑www).
• If behind a reverse proxy/CDN, confirm HTTPS is forwarded correctly (WordPress must “see” HTTPS in wp-admin).
• Edge case: if your browser blocks third-party cookies and you use an embedded admin/login flow, test with cookie restrictions disabled for your domain.

3) If it works in incognito/private mode: isolate extensions and local state

Use this when: scenario A (incognito works, normal mode fails).

• Disable extensions that modify pages/requests: ad blockers, privacy blockers, antivirus web shields, password managers, “dark mode” injectors.
• Hard refresh wp-admin/editor after disabling extensions.
• Clear only your site’s storage (not your whole browser): cookies, local storage, and cached files for your domain.
• Uncommon but realistic fix (advanced): unregister a broken service worker.
  • Chrome: DevTools → Application → Service Workers → Unregister (for your domain), then reload.
  • This matters if a PWA/plugin registered a service worker that caches REST calls incorrectly.

4) Temporarily disable caching/security plugins and purge all cache layers

Use this when: the error started after an update/settings change, or you run caching/security/optimization plugins.

• Temporarily disable the most likely offenders:
  • Page cache/performance plugins
  • Security/WAF plugins
  • Minify/combine/optimization plugins (JS/CSS)
  • Plugins that restrict the REST API
• Purge caches in this order:
  • Plugin cache
  • Server cache (host panel: Nginx/Varnish/LiteSpeed)
  • CDN cache (Cloudflare/Fastly/etc.)
  • Browser cache for your domain
• Critical: ensure your cache layer does not cache REST endpoints. Routes like /wp-json/ should bypass page cache.

5) Check for plugin conflict using a clean isolation path

Use this when: you can’t tell which plugin is causing the invalid JSON response.

• If you can access wp-admin, disable all non-essential plugins, test saving/updating, then re-enable one by one until the error returns.
• If you can’t access wp-admin, disable plugins via FTP/SSH by renaming the wp-content/plugins folder (then restore and isolate).
• Prioritize testing plugins that affect: caching, security, login/session, REST API, redirects, and optimization.

6) Test with a default theme (theme-level REST/editor breakage)

Use this when: the error started after a theme update or custom code change.

• Switch temporarily to a default theme (e.g., Twenty Twenty-Four) and retest the failing action.
• If it fixes the issue, look for theme code that:
  • forces redirects (especially in admin)
  • prints output unexpectedly (whitespace/HTML) during REST requests
  • adds aggressive security headers or blocks routes

7) Use DevTools to identify the exact failing request (fastest accurate diagnosis)

Use this when: you need to know whether it’s auth (401), blocked (403), rate limited (429), or server error (5xx).

• Open DevTools → Network, reproduce the error, click the failing request (often /wp-json/ or /wp-admin/admin-ajax.php).
• Check Status Code and response preview/body:
  • 401: auth/nonce/cookie issue (often URL mismatch, cookie blocked, or session invalid).
  • 403: WAF/security rule, REST restriction, or permission issue.
  • 429: rate limiting (WAF/CDN/host). Whitelist your IP, reduce bursts, or adjust WAF thresholds.
  • 5xx: backend error; check PHP/server logs for fatals/timeouts.
• Tell-tale sign: if the response body starts with <!doctype html>, WordPress received HTML (block/login/error page), not JSON.

8) Check REST API permissions and server logs for 403, 429, or 5xx patterns

Use this when: the issue affects multiple devices, or you saw HTML “blocked” pages at /wp-json/.

• Check web server logs (Nginx/Apache) and PHP error logs at the timestamp of the failing request.
• Look for:
  • WAF/mod_security blocks (rule IDs)
  • upstream timeouts / gateway errors
  • PHP fatal errors triggered during REST requests
  • 429 rate-limit events from CDN/WAF
• Advanced fix (often missed): if a WAF/CDN is challenging admin requests (CAPTCHA/JS challenge), disable challenges for logged-in users and exclude /wp-json/* and /wp-admin/* from challenge/transform rules.

9) If it works on one network but not another: address proxy/TLS inspection and filtering

Use this when: scenario B (network-specific failures).

• Disable VPN/proxy and retest.
• Ask IT/network admins to allow these paths without rewriting or injecting HTML:
  • /wp-json/ (REST API)
  • /wp-admin/ (admin)
  • /wp-admin/admin-ajax.php (AJAX actions)
• If TLS inspection is enabled, it can inject an HTML warning page into API responses. The fix is policy-side: bypass inspection for your domain or exclude REST endpoints.

10) Fix mixed domain/redirect issues that break REST calls

Use this when: you changed domain, forced HTTPS, or switched www/non‑www.

• Ensure there is one canonical origin (no bouncing between www and non‑www).
• Confirm redirect rules do not redirect /wp-json/ to a login page or different domain.
• If using Cloudflare (or similar), verify you are not using “Cache Everything” or HTML transforms on /wp-json/.

Still Not Working

If the steps above didn’t fix it, stop guessing and collect evidence. This is where real support-style troubleshooting saves time.

Deeper troubleshooting (what to capture)

• Failing request details: full URL, method (GET/POST), status code, and response headers.
• Response body snippet: first 20–30 lines (confirm JSON vs HTML and identify WAF/login/maintenance pages).
• Timestamp + your IP: needed for host/WAF/CDN support to find the exact block or error.

Edge cases that commonly cause “Invalid JSON response”

• CDN/WAF HTML injection: “browser integrity check”, CAPTCHA, or block page returned to REST endpoints.
• Rate limiting during editing: frequent autosaves + page builder requests triggering 429. Temporarily disable aggressive security rules or whitelist your IP.
• Server-side fatal error only on REST: a plugin hooks into REST requests and throws a PHP fatal (shows as 500). Check PHP logs specifically during the failing save.
• Object/page cache misconfiguration: REST responses cached as HTML. Add explicit bypass rules for /wp-json/* and logged-in users.
• DNS split-horizon / wrong origin: one network resolves your domain to a different server (staging/old IP) that returns different content.

Escalation steps (host/CDN/security vendor)

• Send support: failing endpoint, status code, timestamp, your IP, and any WAF rule IDs from logs.
• Ask them to confirm whether requests to /wp-json/* are being blocked, cached, challenged, or rewritten.
• If you use a managed WAF/CDN, request an exclusion for:
  • /wp-json/*
  • /wp-admin/*
  • /wp-admin/admin-ajax.php

Controlled rollback / repair (when it started after a change)

• Rollback one change at a time: last plugin update, theme update, CDN/WAF rule change, or caching setting.
• Rebuild caches safely: after changes, purge server/CDN caches and retest.
• Last resort: reinstall WordPress core files (do not overwrite wp-content) to rule out corrupted core.

If you’re locked out of wp-admin

• Disable plugins via FTP/SSH (rename plugin folders) and retest /wp-json/.
• Temporarily switch to a default theme by renaming the active theme folder.
• If the site is down or returning 5xx, ask your host to check PHP-FPM, memory limits, and error logs for the REST request path.

Fast decision guide (user paths):

• If you cannot sign in: prioritize account/session and cookie fixes first (URL mismatch, cookies, HTTPS forwarding).
• If the page loads but actions fail: prioritize transport, extensions, and blocked requests (DevTools status codes, WAF/CDN rules).
• If the issue is limited to one device: prioritize local cache, app state, extensions, and service worker cleanup.
• If the issue affects multiple devices: check service status, server logs, and network/WAF policy earlier (403/429/5xx patterns).

Frequently Asked Questions