Fixing the REST API 401 Error After WordPress 6.x Update

Adrian Saycon
January 3, 2026 · 1 min read

I was running a headless WordPress setup — React frontend consuming the REST API — when a routine WordPress update broke everything. Every authenticated API request started returning 401 Unauthorized. The public endpoints still worked fine, but anything requiring authentication was dead.

The Root Cause: Application Passwords

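WordPress 6.x tightened security around REST API authentication. Application Passwords are sent as HTTP Basic credentials in the Authorization header, so WordPress can only authenticate the request if that header reaches PHP. The issue in my case was that my server was stripping the Authorization header before WordPress could read it. This is a common Apache/Nginx misconfiguration that only becomes apparent after security changes in core.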

The Apache Fix

If you are running Apache, add this to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

For Nginx, ensure your config passes the header:

fastcgi_param HTTP_AUTHORIZATION $http_authorization;

CORS Headers for Headless Setups

The second issue was CORS. My React app on a different domain was sending preflight OPTIONS requests, and WordPress was not responding to them correctly. I added a small filter in my theme:

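add_action("rest_api_init", function () {
    // Replace core's CORS handler so Authorization is allowed cross-origin.
    remove_filter("rest_pre_serve_request", "rest_send_cors_headers");
    add_filter("rest_pre_serve_request", function ($value) {
        $origin = get_http_origin();
        if ($origin) {
            // Echoes back whatever Origin the browser sent, with credentials allowed.
            header("Access-Control-Allow-Origin: " . esc_url_raw($origin));
            header("Access-Control-Allow-Credentials: true");
            // The removed core handler sent this list; without it, preflights for PUT/PATCH/DELETE fail.
            header("Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE");
            header("Access-Control-Allow-Headers: Authorization, Content-Type");
            // The response differs per Origin, so caches must key on it.
            header("Vary: Origin", false);
        }
        return $value;
    });
});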
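
The filter above sends credentialed CORS headers to any origin that asks. As an added example (not code from the original post), here is the same hook restricted to an exact-match allowlist; the `adz_` names, the `ADZ_ALLOWED_ORIGINS` constant and the `https://app.example.com` origin are assumptions to replace with your own frontend's origin.

```php
<?php
// Added example, not the post's code. The origin below is a placeholder.
const ADZ_ALLOWED_ORIGINS = array( 'https://app.example.com' );

/**
 * Return the origin to echo back, or null when it is not allowlisted.
 * Exact string comparison only: no prefix, suffix or regex matching.
 */
function adz_match_origin( $origin, array $allowlist ) {
    if ( ! is_string( $origin ) || '' === $origin ) {
        return null;
    }
    return in_array( $origin, $allowlist, true ) ? $origin : null;
}

function adz_send_cors_headers( $value ) {
    // Caches must key on Origin whether or not this request was allowed.
    header( 'Vary: Origin', false );
    $origin = adz_match_origin( get_http_origin(), ADZ_ALLOWED_ORIGINS );
    if ( null !== $origin ) {
        header( 'Access-Control-Allow-Origin: ' . $origin );
        header( 'Access-Control-Allow-Credentials: true' );
        header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
        header( 'Access-Control-Allow-Headers: Authorization, Content-Type' );
    }
    return $value;
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: swap the core handler for the allowlisting one.
    add_action( 'rest_api_init', function () {
        remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
        add_filter( 'rest_pre_serve_request', 'adz_send_cors_headers' );
    }, 15 );
} else {
    // Stand-alone check from the PHP CLI, using constructed origins.
    $samples = array( 'https://app.example.com', 'https://app.example.com.other.test', 'null', '' );
    foreach ( $samples as $o ) {
        $verdict = adz_match_origin( $o, ADZ_ALLOWED_ORIGINS ) ? 'allowed' : 'blocked';
        printf( "%-40s %s\n", var_export( $o, true ), $verdict );
    }
}
```

CORS headers only control what a browser lets the calling page read; the request still reaches WordPress, so the REST API's own authentication and permission checks remain the actual access control.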

Testing the Fix

I verified the fix with a simple curl command:

curl -I -H "Authorization: Basic BASE64_CREDENTIALS" \
  https://example.com/wp-json/wp/v2/posts

Once I saw 200 OK instead of 401, I knew the issue was resolved. If you are building headless WordPress applications, always test your authentication flow after core updates.

Written by

Adrian Saycon

A developer with a passion for emerging technologies, Adrian Saycon focuses on transforming the latest tech trends into great, functional products.