Could it be that you are using some security features or plugins that block the WordPress REST API on your site?
I ask this because it seems that I'm being blocked from seeing your site. I get the 403 Forbidden status. Please see the attached screenshot.
What's a 403 Forbidden error?
A 403 Forbidden error is an HTTP status code that means the server understood your request, but it refuses to fulfill it because you donāt have the necessary permissions to access the resource.
If you are unsure, please consult with your hosting support about this.
If you resolve the 403 error and the admin message about the WordPress REST API is still present, please share the access details to your site with me. I'm enabling a private message for the following reply.
Privacy and Security Policy
We have strict policies regarding privacy and access to your information. Please see: https://wpml.org/purchase/support-policy/privacy-and-security-when-providing-debug-information-for-support/ **IMPORTANT**
- - Please back up the site files and database before providing us access. --
-- If you have a staging site where the problem can be reproduced, it is better to share access to the staging site.--
Edit: The following guides may also be helpful to you.
I have not made a backup yet or provided anyone access. The person (Itamar) who replied to my support was listed as a WPML Supporter since 02/2016.
I did not want to share anything unless I understood I was sharing it with a WPML support person, not a support forum person who was just being helpful.
I noticed his time tone was Asia/Jerusalem. I believe the settings on this site are restricted to North America which would explain why they could not access the site.
I do have the following security plugin installed in my MU Plugins
<?php
/**
* Plugin Name: Lock REST (Users & Pages) + Hardening
* Description: Restrict public access to /wp/v2/users and /wp/v2/pages for unauthenticated visitors, and add common hardening (block author enumeration, hide author archives, disable XML-RPC, remove user sitemaps).
* Author: Exclaim
*/
if (!defined('ABSPATH')) { exit; }
/* ============================================================
* 1) REST: Hide "users" and "pages" routes from anonymous users
* - Removes endpoints from the REST index
* - Blocks direct hits even if another plugin re-registers them
* ============================================================ */
add_filter('rest_endpoints', function ($endpoints) {
if (!is_user_logged_in()) {
// Users collection + single
unset($endpoints['/wp/v2/users']);
unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
unset($endpoints['/wp/v2/users/me']); // belt-and-suspenders
foreach ($blocked_patterns as $pattern) {
if (preg_match($pattern, $route)) {
return new WP_Error(
'rest_forbidden',
'This endpoint requires authentication.',
['status' => 401]
);
}
}
return $response;
}, 10, 3);
/**
* Keep blocked routes out of the REST root index for anonymous users.
*/
add_filter('rest_index', function ($response) {
if (!is_user_logged_in() && isset($response->data['routes'])) {
unset($response->data['routes']['/wp/v2/users']);
unset($response->data['routes']['/wp/v2/users/(?P<id>[\d]+)']);
unset($response->data['routes']['/wp/v2/users/me']);
unset($response->data['routes']['/wp/v2/pages']);
unset($response->data['routes']['/wp/v2/pages/(?P<id>[\d]+)']);
}
return $response;
});
/**
* Block ?author=### enumeration for anonymous users.
*/
add_action('template_redirect', function () {
if (!is_user_logged_in() && isset($_GET['author'])) {
wp_die(__('Not allowed.', 'exclaim'), '', ['response' => 403]);
}
});
/**
* Hide author archives for anonymous users (avoid leaking display names).
*/
add_action('template_redirect', function () {
if (!is_user_logged_in() && is_author()) {
global $wp_query;
$wp_query->set_404();
status_header(404);
nocache_headers();
if ($template = get_query_template('404')) {
include $template;
} else {
// Fallback simple 404
echo '<!doctype html><meta charset="utf-8"><title>404 Not Found</title><h1>404 Not Found</h1>';
}
exit;
}
});
/* ============================================================
* 3) Optional hardening: disable XML-RPC (commonly unused)
* Comment out the next line if you rely on XML-RPC.
* ============================================================ */
add_filter('xmlrpc_enabled', '__return_false');
/* ============================================================
* 4) Sitemaps: remove the public "users" sitemap
* (prevents search engines from discovering author pages)
* ============================================================ */
Indeed, I (Itamar) have been a WPML Supporter since 02/2016.
Only WPML supporters can enable a private message to share access details.
The details in this message are visible only to you and our support team.
I'm able to access your site with a VPN connection set to the USA East region.
It seems that the problem with the WordPress REST API is due to the Lock REST plugin you are using. Can you please deactivate it and see if it solved the problem?
I've been away from my office for a few days. Thank you for the reply. This morning as went to investigate I saw that my sites that all had this msg and had the Lock REST plugin no longer have the "Your site doesn't meet WPML's minimum requirements." msg.
I've done nothing as I was out of the office and waiting on your reply. All my WPML related plugins have updated. My sites are hosted on WP Engine with a Smart Plugin Manager that assists with plugin updates. These plugins previously were not updating but now they are. Any idea why this resolved itself?
Thank you for the update. Iām glad to hear that the message is no longer showing.
It looks like the issue was caused by some of the WPML plugins not being fully updated at the time. Once your Smart Plugin Manager was able to update them, the system requirements check passed successfully, and the warning disappeared.
