Updating Failed: The Response Is Not a Valid JSON Response (Fix It Fast)

You’re in the middle of editing a page, you hit Update (or Publish)… and WordPress throws this red error:

Updating failed. The response is not a valid JSON response.

Sometimes you can still see your changes on the front end. Other times nothing saves at all. Either way, it’s one of the most frustrating “my site is broken” moments because it stops content work in its tracks.

This guide walks you through what the error actually means, why it happens, and a step-by-step troubleshooting checklist you can use to fix it—whether you’re a site owner, a marketer, or the person who “ended up in charge of WordPress.”

If you’re already on a deadline and just want it fixed quickly and safely, you can jump to the “Fix it fast” section.

What the error means (in plain English)

Modern WordPress editing (the Block Editor / Gutenberg) saves content using the WordPress REST API—a set of endpoints on your site that exchange data using JSON (a structured data format). When you click Update, your browser sends a request to your site (usually to a /wp-json/... endpoint). WordPress expects a valid JSON reply confirming the save.

This error appears when WordPress expects JSON but receives something else—commonly:

An HTML error page (403, 404, 500, 503)
A redirect loop (HTTP → HTTPS → HTTP)
A security block (WAF, firewall, security plugin, hosting rules)
Broken permalink rewrite rules
Plugin/theme output that corrupts the API response (warnings, notices, extra whitespace)

In other words: the editor asked your server a question and got back a “weird” answer. (WordPress.org)

Common symptoms you’ll see along with it

Saving a post fails, even for admins
“Publishing failed” appears when creating a new page/post
The editor spins… then errors
Media Library, patterns, or blocks behave strangely
Tools → Site Health shows REST API or loopback request problems
You can visit your site, but the editor can’t reliably talk to your server

If your site is also throwing 500 errors or admin lockouts, these WP Fix It guides may be useful alongside this one:

A quick 60-second diagnosis (do this first)

Before changing anything, do these quick checks to identify what WordPress is receiving instead of JSON.

1) Test the REST API endpoint in a browser

Open this in a new tab (replace with your domain):

https://YOURDOMAIN.com/wp-json/

What you want: a JSON-style output (it may look like structured text, not a pretty webpage).
If you see: a 403/404 page, a login page, a “blocked” message, or an HTML error—that’s your culprit.

2) Check Site Health

Go to Tools → Site Health → Status and look for:

REST API errors
Loopback request errors
cURL/timeout errors

Loopback issues are a known recurring WordPress problem because WordPress often needs to “call itself” for certain operations. (WordPress Developer Resources)

3) Inspect the failed request (best clue)

In your browser:

Right-click → Inspect
Go to Network
Click Update again
Click the request that fails (often wp-json related)
Look at Response

If the response begins with HTML like <!doctype html> or a message like “Forbidden,” you’ve confirmed the problem: something is interrupting the REST API response.

The step-by-step fix checklist (start at the top)

Step 1 — Clear caches everywhere (yes, everywhere)

This problem is often caused (or made worse) by caching layers returning unexpected responses.

Clear:

Any caching plugin cache (page cache/object cache)
Server cache (if your host provides it)
CDN cache (like Cloudflare)
Browser cache (or test in an incognito window)

Then retry updating.

Step 2 — Re-save permalinks (flush rewrite rules)

Broken rewrite rules are a classic reason /wp-json/ endpoints return 404 or unexpected output.

Go to:

Settings → Permalinks
Click Save Changes (even if you don’t change anything)

This triggers a rewrite rules refresh. If you use WP-CLI, wp rewrite flush can do the same. (WordPress Developer Resources)

If this fixed it: you likely had a rewrite/permalink rule mismatch, sometimes triggered by a plugin update, migration, or server config change.

Step 3 — Check for a security/WAF block (403s are extremely common)

If your /wp-json/ test shows 403 Forbidden, odds are high something is blocking REST API requests.

Common blockers:

Security plugins (Wordfence, iThemes/Solid, Sucuri, etc.)
Hosting firewall rules / mod_security
CDN/WAF rules
“Bot fight mode” or aggressive firewall settings

If you use Cloudflare, check:

Security → Events to see if requests are being blocked (you’ll often see hits against wp-json endpoints). (Cloudflare Community)

Also check for rules that block requests with:

Empty user-agents
HTTP/1.0 or nonstandard requests
“suspected bots” behavior (sometimes triggered by WordPress loopbacks)

Fix approach:

Temporarily disable the firewall rule(s) or security plugin feature
Whitelist REST API endpoints (/wp-json/)
Re-test saving in the editor

Step 4 — Rule out plugin conflict (fast and safe method)

A plugin can break JSON responses in a few ways:

It blocks REST requests outright
It injects output (warnings/notices/whitespace)
It triggers a PHP error that returns HTML

Quick test:

Disable caching + security plugins first (temporarily)
Try saving again
If still broken, disable all plugins (or use a conflict testing workflow)

WP Fix It has a dedicated workflow tool/guide for this:

Diagnose WordPress Plugin & Theme Conflicts Fast

If disabling plugins fixes it, re-enable them one-by-one until the error returns. The last plugin activated is your likely cause.

Step 5 — Switch to a default theme (yes, even if you “didn’t change anything”)

Themes can also break REST output (especially if they include:

aggressive redirects
custom REST restrictions
output buffering issues
broken functions.php code)

Temporarily switch to a default theme like Twenty Twenty-One / Twenty Twenty-Four, then test updating again.

If it works, the issue is theme-side.

Step 6 — Fix mixed HTTP/HTTPS and redirect loops

If your site is partially HTTP and partially HTTPS, the editor can fail in weird ways:

WordPress Address is http:// but Site Address is https:// (or vice versa)
You’re forcing HTTPS in multiple places (plugin + server + CDN)
The REST request gets redirected and returns HTML instead of JSON

What to check:

Settings → General
- WordPress Address (URL)
- Site Address (URL)
Confirm the site loads consistently over HTTPS
Confirm https://YOURDOMAIN.com/wp-json/ is accessible without redirects

If you suspect a redirect loop, open DevTools Network and watch for 301/302 chains on wp-json requests.

Step 7 — Look for “HTML instead of JSON” caused by server errors (500/503)

This error often masks a deeper issue: the endpoint is returning a server error page.

If your network response shows a 500/503 HTML page:

Check your error logs (hosting panel, server logs)
Check PHP version compatibility
Check memory limits

Related internal resources:

Step 8 — Enable WordPress debugging (to catch the real error)

If the REST request is being corrupted by a PHP warning/notice, you need visibility.

Add (or confirm) these in wp-config.php:

define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);

Then reproduce the issue and check:

/wp-content/debug.log

If you see warnings/notices printing output, that can easily break JSON responses.

A common “tell” is when JavaScript reports “unexpected token” errors because the response isn’t valid JSON. (MDN Web Docs)

Step 9 — Verify your `.htaccess` (Apache) or rewrite config (Nginx)

If you’re on Apache, WordPress relies heavily on rewrite rules. If .htaccess rules aren’t being honored, REST routes and permalinks can fail.

A key factor is Apache’s AllowOverride configuration, which determines whether .htaccess rules are applied. (httpd.apache.org)

Practical signs this is the issue:

Pretty permalinks fail
/wp-json/ returns 404
Resetting permalinks doesn’t help
You recently migrated hosts or changed server config

If you’re on Nginx, it’s a server block/location rewrite config issue instead of .htaccess.

Step 10 — Check if REST API is being restricted by code

Sometimes a site has code that intentionally blocks REST API access—common on sites hardened for security or using membership/headless setups.

Places to look:

functions.php
MU plugins
Security plugin settings
Any code that filters or disables REST endpoints

If the restriction is too aggressive, the editor can’t save.

The “most likely fixes” summary (based on real-world cases)

If you want the shortest path, these solve a large percentage of cases:

Clear caches + disable CDN/WAF temporarily
Settings → Permalinks → Save Changes (flush rewrite rules) (WordPress Developer Resources)
Disable security/caching plugins and test saving
Confirm /wp-json/ returns JSON (not HTML/403/404)
Identify plugin/theme conflict and isolate it

Also: WordPress.org support threads regularly point people to REST API/Site Health checks because this error is commonly tied to REST/API communication issues. (WordPress.org)

Prevent it from happening again (best practices)

Once fixed, take these steps to reduce future breakage:

Keep updates controlled (and staged)

Update plugins/themes in batches (not 25 at once)
Use a staging site if possible
Keep a rollback plan (backups + restore)

Don’t stack multiple “force HTTPS” methods

Use one authoritative method (host-level or CDN-level), and remove duplicates.

Avoid overly aggressive security rules against wp-json

It’s okay to protect the REST API, but block editor functionality depends on it. Prefer rate limiting and targeted rules over blanket blocks.

Monitor Site Health

Get in the habit of checking Tools → Site Health after major changes, especially migrations and firewall adjustments. (WordPress Developer Resources)

Keep WordPress stable and secure

A solid security baseline reduces unexpected breakage from malware, injected code, or compromised plugins:

WordPress Security Tips

Fix it fast (when you don’t want to spend the day troubleshooting)

If your business depends on publishing and the editor won’t save, the quickest route is often to have a specialist isolate the conflict, correct rewrite/server rules, and restore clean REST API responses.

If you want WP Fix It to handle it end-to-end, use the WordPress Site Repair & Fix Service here:

WordPress Site Repair & Fix Service

And for general WordPress tips and troubleshooting resources:

(If you’re already seeing broader symptoms—like admin not loading, 500/503 errors, or critical errors—these internal guides can also help narrow it down quickly.)