Author: Jen Swisher

If you’re planning to become a WordPress developer, you’ll come across something called ‘REST API.’ This is an interface that expands the functionality of WordPress and enables you to connect the platform with other applications. Some developers find it really helpful as part of their process — especially if they’re looking to implement advanced functionality. 

Fortunately, you don’t need to be an experienced developer to gain expertise with the WordPress REST API. Once you have a solid understanding of the interface and how it works, you can easily implement it into your web-building projects.

In this post, we’ll provide an in-depth guide to the WordPress REST API. We’ll discuss what it is, how to use it, and how to protect it against threats. We’ll also show you how to fix common REST API errors, how to use the interface with other frameworks, and how it compares to other WordPress API solutions.

What is the WordPress REST API?

To understand the WordPress REST API, we’ll need to break down its various components. Let’s start with an introduction to APIs.

What is an API?

An application programming interface (API) is a program that enables two applications to communicate with one another. It serves as an intermediary between two pieces of software, facilitating a seamless collaboration. 

For example, if you wanted to display a Google product on your site, like maps, you’d need to use the Google Maps API.

This enables your WordPress site to communicate with Google Maps, so it can pull all the relevant data and features needed to display those maps. 

Like Google, other companies have APIs and provide them to web developers. These products can be very appealing, as they eliminate the need to code a feature (like a map) from scratch. Instead, you can use third-party software and connect it to your site via API.

What is REST?

Representational State Transfer (REST) is a set of guidelines that developers must follow when creating APIs. Therefore, a REST API is an interface that was built with these standards in mind.

Typically, a REST API follows these principles:

• Client-server separation: The API should enable the client (or website) and the server to remain separate from one another and continue functioning independently of each other.
• Caching: REST APIs should use cacheable data, when possible, to improve performance and let the website know which information can be cached.
• Statelessness: REST APIs can’t store any information about the website they’re connected to on their server, and only the information needed to process a request should be provided.
• A uniform interface: Requests for resources should be processed in the same way, regardless of their origin. 
• Layered architecture: REST APIs are built around a layered system, with each layer fulfilling a specific role and working separately from others. This makes the API more secure and easier to update.

Since a REST API meets these standards, it can provide more security and efficiency. 

What does the WordPress REST API do?

WordPress has its own REST API. This enables the platform to communicate with almost every other web application and website, regardless of the programming language they use.  

With this API, a third-party app will be able to access your WordPress database and pull data from it. In fact, most WordPress plugins and themes use the platform’s REST API to function properly. 

The WordPress REST API was released as part of the core software in version 4.7. Before then, it was only available as a plugin.

While the WordPress software is built with PHP, the REST API sends and receives data as JSON (JavaScript Object Notation) objects, which opens up new possibilities for developers.

What are the most common REST API commands?

REST APIs are designed to receive and respond to particular requests via HTML commands. 

The most common commands you’ll use are:

• GET: You can use this command to fetch a particular resource from the server, like a post or piece of data. 
• POST: This command lets you modify a resource on the server by adding code.
• PUT: With this command, you can edit a resource that’s already on the server.
• DELETE: This command removes a resource from the server.

These commands are followed by a line that gives more information about the request. These are known as endpoints.

For instance, if you wanted to retrieve a list of published posts on your site, you would use the following endpoint:

GET http://mysite.com/wp-json/wp/v2/posts/?status=published

Let’s look at another example. If you want to add a new page, you would use the following command:

POST http://mysite.com/wp-json/wp/v2/posts/page

There are many things you can do with these four commands. You can find a list of endpoints on the WordPress Developer Resources page. 

Real-world examples of the WordPress REST API

Now that you have a basic understanding of how the WordPress REST API works, let’s look at some real-life examples, starting with WordPress.com.

The WordPress.com admin dashboard (called “Calypso”) is built entirely in JavaScript through the REST API.

Calypso is a web and desktop app that enables users to add new content, edit existing posts, and more. It uses the REST API to access the data on your WordPress.com site. 

Another example is the Block Editor. In self-hosted WordPress, the Block Editor uses the REST API to interact with your database and create blocks.

Many online publications like USA Today also use the WordPress REST API. This enables them to automatically publish articles on other news apps, like Apple News. 

How to enable and disable the REST API in WordPress

You don’t need to do anything to enable the REST API — it comes built into WordPress. Later in the post, we’ll show you how to access it.

While the REST API is a powerful tool for building apps with WordPress, it can make your site susceptible to Distributed Denial-of-Service (DDoS) attacks and malware. Plus, hackers might be able to access your data through the connection with other apps. 

Disabling the WordPress REST API is not recommended. That’s because doing so can lead to issues with the Block Editor and any plugins on your site.

If you still want to go ahead and disable it, the easiest way to do this is with a plugin like WPCode.

Once you install and activate the plugin on your site, navigate to Code Snippets → Library in your WordPress dashboard.

Here, look for an option called Disable WordPress REST API. When you find it, hover over it and select Use snippet.

This will launch a page with a preview of the code.

If you scroll down to the Insertion box, you can select the Auto-Insert option so that the plugin will automatically apply this code to your site.

Then, scroll back to the top and move the toggle switch from Inactive to Active. Finally, click on Update to make these changes live. 

How to use the WordPress REST API

Now, let’s look at how to use the WordPress REST API. We’ve already covered some examples above, but in this section we’ll show you exactly how to access and fetch data. 

Step 1: Access the REST API

If you want to fetch data from a live WordPress site, you can access the REST API straight from your browser. All you have to do is enter the following address into the search bar (substituting in your own domain name and extension):

mysite.com/wp-json/wp/v2

This will bring up the JSON file of your WordPress site.

You can then add elements to this URL to access specific data, as we’ll show you in the next step.

Step 2: Make requests to the REST API

As we mentioned earlier, you can use endpoints to access particular data on your site. If you want to retrieve a list of all your posts, simply add the endpoint /posts to your address:

mysite.com/wp-json/wp/v2/posts 

If you want to retrieve a specific post, you can just add its ID (you’ll find this on the Posts page in your WordPress dashboard):

mysite.com/wp-json/wp/v2/posts/4567

Meanwhile, if you want to fetch data about your users, you would use the following request:

mysite.com/wp-json/wp/v2/users

These are just simple examples, but there’s a lot more you can do. For instance, you can fetch posts that contain specific terms, change a post’s status from “draft” to “publish,” and more. 

Step 3: Authenticate your requests

The WordPress REST API enables you to fetch any type of data on your website, but not all of it is publicly available. In some cases, you’ll need to authenticate your request. 

To make authenticated requests to the WordPress REST API, you’ll first need to obtain an API key. To do this, navigate to Users → Profile in your WordPress dashboard.

Then, scroll down to the Application Passwords section. Here, you’ll need to enter a name for your password (for reference) and click on Add New Application Password.

This will generate an API key for you, which you’ll need to use in your requests. For instance, if your API key is “1234567890,” you can include it in an Authorization header like this:

https://mysite.com/wp-json/wp/v2/posts?Authorization=Bearer1234567890

Remember to replace the code 1234567890 with the API key you’ve copied and remove any spaces. 

You can also retrieve a list of posts written by a particular author, with their user ID. You can find their ID by going to the Users section in your WordPress dashboard and clicking on the author’s name. The ID will be displayed in the URL of their author page.

Let’s say an author’s name is “Joe” and their ID is “123.” In this scenario, you can use the following URL to retrieve a list of all posts written by Joe:

https://mysite.com/wp-json/wp/v2/posts?author=123&Authorization=Bearer1234567890

If you can’t find the user’s ID, their profile might have been modified in such a way that the ID is no longer displayed. In this case, you can retrieve a list of all posts written by the user using their login name or email address instead of the ID.

To do this, you’ll have to use the “slug” parameter instead of the “author” parameter in your request:

https://mysite.com/wp-json/wp/v2/posts?slug=joe&Authorization=Bearer1234567890

The “slug” parameter enables you to specify the user’s login name or email address. The WordPress REST API will return a list of all posts written by the user.

When to use the WordPress REST API

The WordPress REST API can be used for a wide range of projects. Here are a few examples:

• Integrating a WordPress site with a mobile app. If you’re a developer, you can use the REST API to retrieve and edit data on a WordPress site from a mobile app. This enables you to build custom apps that interact with your site.
• Creating custom integrations. Using the WordPress REST API, you can create custom integrations with other software like CRM tools.
• Building custom scripts. You can use the REST API to automate certain tasks on your WordPress site, like scheduling posts or updating user profiles.

As you can see, the REST API enables you to integrate WordPress with apps or sites built on other platforms. 

When not to use the WordPress REST API

While the WordPress REST API can be a powerful tool, it may not always be the right one for your project. Let’s look at a few reasons why you might not want to use it. 

As you may recall, the WordPress REST API is built with JavaScript. Therefore, if you’re developing an app that doesn’t support JavaScript, it won’t function properly if you’re using the REST API. 

Additionally, apps built on JavaScript may not be very accessible. For instance, the way it renders dynamic content may be incompatible with screen readers. As a result, it could make your content inaccessible to users with visual impairments.

How to secure the WordPress REST API from exploits

As mentioned earlier, using the WordPress REST API can make your site vulnerable to threats. The API acts as a bridge between two platforms, and hackers may find a way into your website through this connection.

As such, before you start using the WordPress REST API, it’s important to create a backup of your WordPress site. This way, if something goes wrong, you can restore a recent version of your content. 

Additionally, you’ll want to make sure that you have sufficient security measures in place. This means using a tool like Jetpack Protect.

This plugin comes packed with security features, including malware scanning, vulnerability scanning, and a web application firewall (WAF).

Furthermore, it’s a good idea to use the REST API on a WordPress staging site before making your changes live. This way, if you accidentally break your website, it won’t affect the user experience on the front end. 

How to fix common REST API errors and issues

You may run into some errors when using the WordPress REST API. So, let’s look at some of the most common issues and the steps you can take to resolve them.

Slow response times and timeouts

When calling the WordPress REST API, you may encounter slow response times and timeouts. These issues are usually caused by the following factors:

• Insufficient server resources. Your server might not have enough resources to handle requests made through the REST API. In this case, you’ll need to upgrade to a more powerful WordPress hosting plan.
• Plugin or theme conflicts. WordPress plugins and themes can sometimes conflict with the REST API. When this happens, try disabling all plugins and switching to a default theme to see if this resolves the issue. If it does, you can reactivate your plugins one at a time to identify the culprit.
• Size of data. Large data transfers during API calls can cause timeouts. To prevent this, you can try reducing the number of items displayed per page (we’ll show you how to do this later in the post).
• Database issues. If your WordPress database is not optimized, it can lead to slow response times and timeouts when calling the REST API. You can optimize it by removing unnecessary data and installing an optimization plugin.

Additionally, you may want to track the performance of your API with a tool like Google Cloud’s operations suite (formerly Stackdriver) and Microsoft’s Application Insights. These tools can provide insight into the performance of the WordPress REST API and help you identify the causes of slow response times.

403 Forbidden error when calling the REST API

The 403 Forbidden error is an HTTP status code indicating that the client is not authorized to access the requested resource. Let’s look at some common causes of this error and potential solutions:

• Incorrect API Key. If the request requires an API key, make sure that the key you’re using is valid and that it’s being passed in the request headers correctly.
• Invalid nonce. A ‘nonce’ is a random number used once to prevent request forgery. If it’s invalid, it may result in a 403 forbidden error.
• User permissions. You’ll also want to make sure that you have the necessary permissions to access a specific API endpoint. If you’re not the owner of the website, you may need to ask the administrator to give you the right permissions. 
• Security plugins. Security plugins can block an API call because it sees it as a security threat. You can whitelist the API endpoint in your plugin settings to resolve this type of issue.
• Firewall. You might be using a firewall that’s blocking the API request. Make sure that the firewall is set up correctly, or try to disable it while using the API.
• Server configuration. Some servers are not configured to handle certain API calls, so you might want to reach out to your hosting provider for assistance.

You can also use your browser’s developer tools to inspect the network requests and request headers. If you use Chrome, simply press Ctrl+Shift+C to open DevTools.  

Additionally, you can check your server logs for more information about the error. You should be able to access them through your hosting account. If not, you can ask your hosting provider for help. 

REST API encountered an unexpected result

The “REST API encountered an unexpected result” error is a common issue. It’s typically caused by the following factors:

• Permissions. You might not have the right permissions to access the requested resource. If that’s the case, you’ll need to contact the site’s administrator. 
• URL configuration issue. This error can occur if the API endpoint URL is configured incorrectly. Double-check the URL to ensure that it is correct and that all necessary query parameters are included.
• Incorrect command. You may be using the wrong command (e.g. GET, POST, PUT, DELETE) for the request. Check the API documentation to make sure that you’re using the correct command for the specific endpoint.
• Incorrect request format. Make sure that you’re using the right format in your request. In the WordPress REST API, data must be sent as JSON.
• Wrong endpoint. You might be trying to call an endpoint that doesn’t exist. In this scenario, double-check the endpoint URL to make sure it’s correct.
• Server-side issues. Your server might be experiencing issues. This is more common with shared hosting plans. If this happens to you, it may be time to upgrade to a server with more resources.

You may also want to disable your plugins to see if the issue is resolved. As mentioned earlier, some tools may cause compatibility issues with the WordPress REST API. 

rest_api_init not working

The “rest_api_init not working” error is another common WordPress REST API error. It’s usually caused by plugin and theme conflicts, as well as limited server resources.

Still, there are other factors that can lead to the WordPress REST API not working, like:

• Custom REST API endpoints. If you’re making requests with custom endpoints, make sure that you’re using the correct hooks and functions.
• .htaccess file. You may need to check your .htaccess file to ensure that it’s set up correctly.
• CORS error. If you’re trying to make Cross-Origin Requests (CORS) and the WordPress REST API is not working, it might be that the server is not configured to accept them. You may want to contact your hosting provider to see if the server accepts CORS.

Additionally, you could be using an old WordPress installation that doesn’t support the API. If so, it’s important that you upgrade to the latest version.

Basic authentication not working

The “Basic authentication not working” error may occur when trying to call the WordPress REST API using Basic Authentication. Basic Authentication is a simple authentication scheme built into the HTTP protocol. It utilizes a username and password to authenticate someone. 

Here are some common causes of this error (and how to resolve them):

• Incorrect credentials. Check the username and password in the request headers to ensure that they’re correct.
• Secure Sockets Layer (SSL) issue. Make sure that you have a valid SSL certificate installed and that it’s configured correctly. If it isn’t, take a look at our step-by-step guide on how to get a free and valid SSL certificate.
• HTTP to HTTPS redirects. Some websites are configured to redirect HTTP requests to HTTPS. If the browser is trying to authenticate on HTTP, you might run into this error. Therefore, you’ll want to make sure that you’re running a request on an HTTPS endpoint.

Like other REST API issues, this error can also be caused by theme and plugin conflicts. Once again, you’ll want to switch to a default theme and deactivate your plugins to troubleshoot the issue.

If that doesn’t help, you might want to disable your firewall temporarily. This could be blocking your authentication request. 

If you’re making a CORS, your server may not be configured to accept them. It’s worth checking with your hosting provider to see if there’s anything they can do on their end. 

Finally, if you’re not the admin of the site, you may not have the correct permissions or role to complete the request. In this case, you’ll need to reach out to the owner of the website. 

Advanced use cases of the REST API

Thanks to the WordPress REST API, you can retrieve data from your site using popular frameworks and other programming languages. Let’s take a look at a few examples. 

How to use the WordPress REST API with React

React is a popular JavaScript library for building user interfaces. You can use the Node-WPAPI client to make HTTP requests to the WordPress REST API. 

For instance, to retrieve a list of posts on your WordPress site, you would need to enter the following into Node-WPAPI:

import WPAPI from 'wpapi';

const wp = new WPAPI({ endpoint: 'http://example.com/wp-json' });

wp.posts().then(posts => {

  console.log(posts);

});

For more information on using the WordPress REST API with React, you can check out the Node-WPAPI documentation.

How to use the WP REST API with Angular

Angular is a JavaScript framework for developing web applications. To use it with the WordPress REST API, you’ll need to use the @angular/common/http module.

For instance, you can input the following code to retrieve a list of posts:

import { HttpClient } from '@angular/common/http';

@Injectable()

export class PostService {

  constructor(private http: HttpClient) {}

  getPosts(): Observable<any> {

    return this.http.get('http://mysite.com/wp-json/wp/v2/posts');

  }

}

You can check out the Angular documentation for more information on using its HttpClient to make requests to the WordPress REST API. 

How to use the WordPress REST API with Python

You can also use the WordPress REST API with Python. This is a popular programming language that can be used to build web applications and other software. 

To get started, you’ll need to use the Requests library. If you wanted to fetch a list of your WordPress posts, you would enter the following:

import requests

response = requests.get('http://example.com/wp-json/wp/v2/posts')

posts = response.json()

print(posts)

You can read the Requests library documentation for more detailed instructions.  

How does the REST API compare to other WordPress API solutions?

You may be wondering how the REST API differs from other WordPress API solutions. To give you an idea, we’re going to compare it to some of the most popular alternatives. 

WordPress REST API vs. AJAX

The WordPress REST API provides an efficient way to access WordPress data. It enables developers to build custom applications and integrations with WordPress.

Meanwhile, the WordPress AJAX API is an older method of accessing WordPress data. It was introduced in WordPress 2.0 and enables developers to make asynchronous requests from the front end of the site, using JavaScript. 

The WordPress AJAX API can be a bit restrictive in terms of functionality, so it’s not recommended for use in complex projects.

WordPress REST API vs. WPGraphQL

WPGraphQL is a GraphQL implementation for WordPress that provides an alternate way to access WordPress data. GraphQL is a query language for your API. It enables clients to request exactly the data they need, and nothing more. 

Unlike the WordPress REST API, WPGraphQL requires a separate application password to be generated for each user who needs access. Plus, it can be a bit slow in delivering content because it uses a more complex query language.

WordPress REST API vs. XML-RPC

Introduced in WordPress 1.5, the WordPress XML-RPC API enables you to make remote requests to WordPress using the XML-RPC protocol. 

XML-RPC is simple and lightweight, and can therefore deliver results faster. The problem is, that like Ajax, it has limited functionality compared to the WordPress REST API. 

Frequently asked questions about the WordPress REST API

In this guide, we’ve covered most of the essentials when it comes to the WordPress REST API. But, just in case, let’s look at a few frequently asked questions regarding this powerful tool. 

Does the WordPress REST API have a return limit?

By default, the WordPress REST API has a maximum return limit of 100 items per page. That means, if you make a request to an endpoint that returns a list of items (like posts, pages, or users), the API will only display a maximum of 100 items in the response. 

Fortunately, you can use the “per_page” parameter to increase the limit to a maximum of 500 items per page.

For example, if you want 200 items per page, you can use the following:

https://mysite.com/wp-json/wp/v2/posts?per_page=200

Keep in mind that you can also decrease the number of items displayed per page.

Can I use the REST API with WooCommerce?

WooCommerce has its own REST API. The WooCommerce REST API enables you to access and modify data from your WooCommerce store. This includes information on products, orders, and customers. Plus, you can use the WooCommerce REST API to integrate WooCommerce with other ecommerce platforms.

Get started with the WordPress REST API

The WordPress REST API enables you to integrate your site with other apps and third-party tools. Web developers can use it to fetch data for single-page applications, connect WordPress to a mobile app, and much more.

Additionally, you can use the WordPress REST API with other frameworks and programming languages, including React, Angular, and Python. Although the WordPress REST API is a powerful and dependable tool, it’s still important to back up your site and use a security tool to prevent attacks through these connections.

With Jetpack Protect, you can secure your WordPress site against malware and hackers, and use the WordPress REST API in a safer environment. 

Most websites — including those using WordPress — deal with spam on a daily basis. Even if you just created your first site a few weeks ago, chances are you’re already facing the reality of spam comments, queries, account sign-ups, and more. 

CAPTCHAs can effectively mitigate unwanted spam, especially if it’s coming from your contact forms. But while one can help alleviate problems with spam, you’ll likely encounter the unintended consequence of a more difficult experience for your real visitors.  

That’s why many sites have chosen to use Akismet — a more streamlined anti-spam solution for WordPress — instead. 

So, which option is right for your site?

In this article, we’ll start by talking about the downsides and alternatives to using CAPTCHAs, so you get the full picture. Then, we’ll show you how to protect your WordPress contact forms both with and without CAPTCHAs.

What is a CAPTCHA? 

CAPTCHA stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart.” Phew!

The earliest versions presented users with distorted text they’d have to decipher. Because it was difficult to complete, it could fairly accurately tell humans and computers apart. 

What are the downsides of using a CAPTCHA?

To put it simply, people hate CAPTCHAs. That’s not a matter of opinion, either. A Stanford study shows that only 71 percent of users attempt to solve CAPTCHAs when they run into them. The rest of them outright leave the page. 

Another study from Moz confirms those numbers. It shows that, on average, 30 percent of users leave pages with CAPTCHAs, either while trying to solve them or before trying. The same study states that simply adding a CAPTCHA can lower your site’s conversion rates by 3.2 percent.

If you’re relatively tech-savvy, you probably don’t struggle at all with solving CAPTCHAs. But, a lot of the users that decide to leave a page when they see one do so because CAPTCHAs are designed to be difficult to solve.

According to Stanford, solving a video CAPTCHA can take up to ten seconds on average and audio CAPTCHAs have a staggering failure rate of 50 percent. Even regular image CAPTCHAs can be difficult to solve since they intentionally obfuscate letters and symbols. Some pages even ask you to resolve multiple CAPTCHAs before letting you proceed.

To be fair, CAPTCHAs work. They provide a functional solution to a problem that most websites struggle to deal with. 

The problem is, using a CAPTCHA shifts the responsibility to users. It’s like asking store customers to prove they’re not thieves before they can make a purchase. Furthermore, it’s not a good option when it comes to accessibility standards. That’s because it might alienate users with vision or hearing impairments. Since there are indeed alternatives to CAPTCHAs, you might want to consider which option to use before implementing them.

What are the different kinds of CAPTCHAs?

There are lots of types of CAPTCHAs. Most websites use reCAPTCHA, which is a free solution (for up to 1,000,000 assessments per month) from Google. When you run into a contact form that uses reCAPTCHA, you’ll need to check a box that says, “I am not a robot.”

If the service detects any suspicious movement or activity with your connection, you’ll need to solve an image puzzle. In most cases, the puzzle will ask you to identify multiple similar elements from a cluster of images. Depending on the case, you might need to solve multiple image puzzles before submitting a form.

Aside from reCAPTCHA, you might also run into audio or video CAPTCHAs. These tend to be worse (from a user standpoint) because you’re required to watch and/or listen in full before you can solve the puzzle. In a lot of cases, this might not even be possible if you’re somewhere where you can’t listen to audio, don’t have a pair of headphones on hand, or have an impairment.

The ideal CAPTCHA is one that requires very little work from users while still providing a solid level of protection from spam. It should also be accessible to as many people as possible. Some CAPTCHA alternatives, like Akismet, can provide this.

What’s the best CAPTCHA alternative?

If you want to eliminate spam from your WordPress site, but don’t want to push away visitors with complicated, annoying tests, the best CAPTCHA alternative is Akismet. 

Meet Akismet: The non-intrusive spam blocker

Akismet is one of the most popular WordPress tools on the market. It’s designed to help you prevent spam without adding complications for visitors, by identifying spam and malicious comments submitted through your site’s forms. 

It’s ‘non-intrusive’ because Akismet can protect your website from spam without using CAPTCHAs. The service analyzes every comment and form submission on your website to see if it matches known spam or malicious IP addresses, or if it follows patterns that raise red flags (like linking to unrelated third-party sites).

You can configure Akismet to automatically delete these submissions or let you review them to check if they’re from real visitors. In either case, visitors never see a CAPTCHA when you’re using Akismet. Your site remains protected, and the user experience improves drastically.

Everything happens in the background. There’s nothing special for visitors to fill out. No puzzle, no audio to listen to, no stop signs to identify. Real visitors can go on their way none-the-wiser. Spam submissions are then identified and deleted or sorted for you to review later. 

How to add Akismet to a WordPress contact form

Adding Akismet to WordPress contact forms is easy. You can do it in just a few steps. Still, the process can vary slightly depending on the type of contact form or plugin you’re using, so let’s discuss how it works!

Step 1: Install and activate Akismet

Non-commercial sites can use Akismet for free to stop spam comments and nefarious contact form submissions. To get started, you’ll need to install and activate the plugin. 

Go to the Plugins tab in your WordPress dashboard. Then, click on Add New and use the search tool to look for the Akismet plugin. In a lot of cases, it will be an option among the top ‘featured’ plugins.

When you find the plugin, click on Install → Activate. Once the plugin is active, go to Settings → Akismet Anti-Spam. Under the Settings section, you’ll see a field where you need to enter an API key.

To get this key, go to the Akismet website and sign up for an account. After you sign up, you’ll get access to the Akismet dashboard. Go to the My Account tab and select the Add Subscription option.

On the next page, you’ll be able to choose which plan you want to use. The Personal plan uses a pay-what-you-want model, so you can sign up for free and use it for a single website. Keep in mind that you can only sign up for this free plan if you don’t run ads, sell products, or promote a business through your website.

After confirming your subscription, you’ll get access to an API key, which you can see in the My Account tab. Copy the key and return to the Settings → Akismet Anti-Spam screen in the WordPress dashboard. Paste it in the API Key field.

Click on Save Changes and that’s it. By default, Akismet will block comment spam and send it to a queue where you can review submissions in the dashboard. There’s an extra step involved if you want to use Akismet with a contact form.

Step 2: Integrate Akismet with your contact form

WordPress doesn’t offer contact form functionality out-of-the-box. That means most users rely on plugins to implement these types of forms on their websites. This step will depend on what contact form plugin you’re using. 

Akismet works with most popular WordPress contact form plugins. Some plugins, like Formidable Forms and WPForms include built-in support for Akismet. With either plugin, you just need to enable the Akismet spam protection setting for each individual form.

Other plugins, like Gravity Forms, require you to set up Akismet add-ons to add spam protection to their forms. Finally, there are some tools, like Contact Form 7 and Ninja Forms which require you to add code snippets to your forms to enable support for Akismet. Fortunately, all three of these methods are pretty straightforward.

For the easiest solution, consider using Jetpack’s WordPress contact form functionality. 

Read more: How to use Akismet with WordPress contact forms. 

Step 3: Configure Akismet’s anti-spam settings

Akismet is pretty much a plug-and-play tool, which can be appealing if you’re looking for something quick and easy. In any case, it also gives you control over how you want to handle contact form spam. 

By default, the plugin sends comments it flags as spam to a special ‘queue’ where you can review them (in the Comments section of the dashboard). Alternatively, you can configure Akismet to discard spam completely, so you don’t have to deal with it. 

To do this, go to Settings → Akismet Anti-Spam and search for the Settings section. The option you’re looking for appears under Strictness.

Akismet does a great job of separating spam messages from real ones. That means you can choose to discard contact form spam without worrying too much about it. If you want to preserve every message to play it safe, opt for the Always put spam in the Spam folder for review setting.

Keep in mind that Akismet only stores spam comments for 15 days. After that, it deletes them automatically. This means you’ll want to review the queue every week or every two weeks at the most.

How to add CAPTCHA to a WordPress contact form

The process of adding CAPTCHAs to WordPress contact forms will depend on what service you’re using. Since reCAPTCHA is the most popular CAPTCHA solution on the web, we’ll show you how to integrate it with a WordPress contact form.

Step 1: Sign up for a reCAPTCHA account

If you already have a Google account, you can access reCAPTCHA right away. Simply visit Google.com/reCAPTCHA and select the v3 Admin Console option in the primary navigation menu.

Click on the plus sign icon in the reCAPTCHA dashboard and enter a label for your website. This can be any unique identifier. Then, choose what type of reCAPTCHA you want to use for your site. 

The most common type of CAPTCHA is reCAPTCHA v2, which forces users to solve a challenge or a puzzle to make a submission.

Next up, look for the Domains field. Enter the domain of the website where you want to use reCAPTCHA.

After entering the domain, you’ll need to review reCAPTCHA’s terms of service, agree to them if you do, and submit the form. Then, reCAPTCHA will provide you with a site and a secret key. You’ll need both for the following steps, so keep the tab open or copy and paste them somewhere safe.

Step 2: Find a plugin that’s compatible with reCAPTCHA

There are a handful of WordPress contact form plugins that are compatible with reCAPTCHA. But, not all of them support it out-of-the-box. Some plugins will simply need an add-on, but a lot of them require you to add custom code directly to individual contact forms in order to display challenges.

What’s more, reCAPTCHA doesn’t offer documentation showing which WordPress plugins are compatible with it. However, the most popular contact form plugins will likely have an integration method.

If you’re not sure whether the plugin you’re using is compatible with reCAPTCHA, you should check its documentation. If you discover that it’s compatible, you should be able to find instructions on how to implement the anti-spam system with your contact forms.

Frequently asked questions about CAPTCHA and WordPress forms

If you have any questions left about CAPTCHAs and how they work, this section will answer them. Let’s start by reviewing what CAPTCHAs are.

What is CAPTCHA?

A CAPTCHA is a kind of test designed for users to prove that they’re humans and not bots. This is necessary because most websites with comment sections or contact forms have to deal with a lot of bots and spammers.

These bots tend to leave spam comments pointing toward other websites or try to find vulnerabilities in forms. CAPTCHAs help stop them since they require some level of human ingenuity to solve. Typically, CAPTCHAs involve image puzzles, but they can also use video or audio.

What is reCAPTCHA?

reCAPTCHA is a CAPTCHA tool offered by Google. It functions as a ‘freemium’ service that provides up to 1,000,000 assessments per month in as many forms as you need. 

If you implement reCAPTCHA, visitors need to check a box before submitting a form to confirm they are human. The service may request additional confirmation in the form of visual tests if it detects any anomalies.

What is contact form spam?

Spam is everywhere online, from comment sections to contact forms. Every time you create a form, you open another venue for spam. There are a lot of bots and people dedicated to using forms to submit spam, ranging from promoting their own content to sharing links to malicious sites.

Contact form spam is any submission that’s not designed to fulfill the purpose of the form but to bypass it or to trick you into taking an action with negative consequences. This type of spam is typically easy to spot, but dealing with it can take up a lot of time you could otherwise spend responding to legitimate queries.

Is CAPTCHA the best solution for contact form spam?

CAPTCHAs are an effective way to reduce contact form and other types of spam. But, research shows that users react very negatively to CAPTCHAs. On average, 30 percent of users leave a page when they see a CAPTCHA.

Although CAPTCHAs work, you need to decide whether they’re worth the loss of legitimate visitors and potential conversions. Moreover, there are alternatives to CAPTCHAs that are less intrusive, like Akismet. Alternative anti-spam tools that don’t force visitors to solve puzzles will offer a much better experience than CAPTCHAs.

Akismet vs CAPTCHA: Which one should I choose?

The answer to this question depends on what type of website you’re running and the user experience you want to offer. For ecommerce sites, the loss in visitors and conversions that CAPTCHAs often cause can result in a significant loss of revenue.

For contact forms specifically, using regular CAPTCHAs means you’ll lose out on some potential queries. Solutions like Akismet are less intrusive and just as effective. If you’re using WordPress, implementing Akismet is remarkably simple, which makes it a better solution than CAPTCHAs.

Will Akismet work with my contact form plugin?

Akismet works with most WordPress contact form plugins (at least the well-known options). Some plugins offer out-of-the-box compatibility with Akismet whereas others require you to install add-ons. For some plugins, you may need to add custom code to your forms, but the process is usually very simple.

How many WordPress websites trust Akismet?

Akismet is one of the most popular WordPress plugins in the world, bar none. There are over five million active installations of Akismet at the moment, and that number keeps rising.

In fact, many web hosts offer Akismet as one of a handful of plugins that come pre-installed with their WordPress setups. That’s because using Akismet from the get-go can help you reduce the level of spam you deal with and, thus, secure your website.

If you want to implement an anti-spam solution that doesn’t require you to force visitors to solve puzzles, Akismet is the way to go. Millions of users already trust Akismet to protect their sites, and it’s free for non-commercial sites. That’s why we listed it as one of the must-have plugins for WordPress sites.

Use Akismet to prevent spam in WordPress

If you have a website with forms, you probably need to implement some sort of spam protection. For a long time, CAPTCHAs have been the industry go-to. They’re relatively easy to implement, and they get the job done. Still, it’s unwise to ignore the negative effect they have on the user experience. Simply put, people do not like CAPTCHAs.

For the best spam protection without annoying site visitors, you should consider an alternative like Akismet. It’s cost-effective and simple to get started.

Want to keep your customers happy while also protecting your WordPress site from spammers and bots? Sign up for Akismet today!

Although WordPress themes are typically well-coded, they need regular updates to patch security vulnerabilities and introduce new features. But if you’ve made a lot of customizations to your theme, you might worry that updating it will cause you to lose all of your hard work.

Fortunately, there are a few easy ways to update your WordPress theme without losing anything. Backing up your site, using a child theme, and testing any changes in a staging environment can help you preserve your settings. Then, you can easily update the theme from your WordPress dashboard, cPanel, or using File Transfer Protocol (FTP).

In today’s guide, we’ll explore the importance of updating your WordPress theme. Then, we’ll explain the best methods to do this while maintaining any theme customizations. Let’s get to work!

Why you may need to update your WordPress theme

Updating your WordPress theme is an essential task. It can enhance your site’s security, introduce new features, and help things run more smoothly. Let’s start by discussing WordPress security. 

Security

The most important reason to update your theme is for website safety. Updates may include security patches that reduce vulnerabilities on your site. If you stick with the older version, you could expose yourself to threats. Because WordPress themes are often open source, anyone could examine your theme’s code and search for possible weak points. 

Any known security issues will generally be published in the theme’s support forums and changelogs. Therefore, hackers can use this information to identify problems and break into your site.

In 2021, critical security vulnerabilities were identified in more than 50 WordPress themes. These vulnerabilities exposed users to various attacks, including Cross-Site Scripting (XSS), Remote Code Execution (RCE), and SQL injections. 

That’s not to say that WordPress themes are inherently unsafe. Developers continually work on the software to improve and protect it. 

Keeping your theme up-to-date can go a long way towards securing your site. It’s also important that you download themes from reputable sources, and only choose ones that have a number of positive reviews and are compatible with the latest version of WordPress core. The WordPress.org theme repository, for example, is chock full of excellent, free options that are heavily reviewed against WordPress’ coding best practices.

New features

From a design perspective, updating your theme can unlock new settings and built-in configuration options. For example, an update might include new blocks or block patterns that you can use across your site. 

Taking advantage of built-in features means you won’t need to rely as much on third-party plugins and custom CSS. So, you can design the site you want with less time and expense.

Compatibility

Finally, themes are often updated for compatibility with WordPress core. Since new versions of core are typically released two or three times a year, theme developers will test their themes against WordPress and update them accordingly.

This ensures that the software won’t cause bugs, slow down your site, or even break some features. As such, keeping your theme up to date is essential if you want your website to perform at its best. 

What to do before updating your WordPress theme

If done incorrectly, updating your theme can mean losing hours of hard work and design customizations. Fortunately, there are some precautionary steps you can take to safeguard your edits. 

Back up your site

Backing up your website is a general best practice. If something goes wrong during an update (or any other time), you can simply restore an older version of your site while you troubleshoot and resolve the issue. 

Fortunately, it’s very easy to create copies of your site with Jetpack VaultPress Backup.

Jetpack VaultPress Backup works in real-time, saving every change you make as it happens. The backup is stored off-site, so even if your site goes completely down, you can access and restore it right away. 

Plus, Jetpack has a WordPress activity log that tracks every action taken, so you can quickly identify the point to which you want to restore.  

To restore your WordPress website to an earlier version, simply navigate to Jetpack → Backup in your WordPress.com account. Then, you can click through the different days and select Restore to this point for the backup you’d like to use.

Or, you can choose an event in your activity log — like a theme update — and restore to just before that occurred.

Make sure theme customizations are in a child theme

If you want to edit and customize your WordPress theme, you’ll need to create a WordPress child theme first. The “child” inherits the configuration files, templates, and stylesheets of its “parent,” but WordPress will treat it as an independent theme.

Any changes you make to the child won’t affect the parent. Plus, updating the parent theme will apply security patches and other upgrades to the child without overriding any custom code you’ve added. 

If you’re not already working with a child theme, it’s worth making one now. You’ll first want to create a complete backup of your WordPress site. 

Then, access your website via File Transfer Protocol (FTP) and head to the root directory (typically called public_html, public, or www). Open wp-content/themes and create a new folder for your child theme. Consider naming it after the parent theme, with “-child” at the end.

Inside the folder, create a new text file and name it “style.css”. Next, add the following code to it, updating the information where relevant:

/*

Theme Name: The name of your theme goes here

Theme URI: http://example.com/twenty-twenty-two-child/

Description: The description of the child theme goes here

Author: John Doe

Author URI: http://example.com

Template: twentytwentytwo

Version: 1.0.0

*/

When you’re ready, save and close the file. Then, create a new file and name it “functions.php”. Add this enqueuing script to it so that WordPress knows how to load the stylesheets in your child theme:

<?php

add_action( 'wp_enqueue_scripts', 'enqueue_parent_styles' );

function enqueue_parent_styles() {

wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );

}

?>

Finally, head to Appearance → Themes in your WordPress dashboard. Find your child theme and click on Activate. It’s now ready for you to use and customize. 

Consider testing theme changes on a staging site

A staging website is a copy of your site where you can safely test changes. Any edits you make to the staging environment won’t affect your live website. Then, once you’ve determined that it’s safe to proceed, you can ‘push’ any changes online, where they’ll be visible to anyone who visits your site. 

Using a staging site is a practical choice from a User Experience (UX) point of view. Playing around with your website while it’s online can cause inconvenience and confuse visitors who may not be able to access particular features. 

Additionally, utilizing a staging site can show you if a theme update will cause problems. Then, you can avoid pushing the changes live until you have a solution. 

When running your tests in a staging environment, it’s worth following these steps:

1. Check for theme compatibility. First, you’ll want to ensure that the theme update has been tested with the version of WordPress you’re running on your site. You may also need to update WordPress core first if you’re using an older version. 
2. Put Jetpack into “safe mode.” If you’re using the Jetpack plugin, this helps ensure that your connection isn’t broken when setting up a staging site.
3. Update the theme. You can check out the methods outlined later in this guide to see how to do this. 
4. Test the site’s functionality. This is the most important part of the process. Consider testing your site’s menus, other navigational elements, forms, and online store. You can also scan your website for visual problems by viewing your posts, pages, and custom post types. 
5. Verify issues in support forums. If you run into any problems, head to the official WordPress support forums for the theme. There might be known issues that developers are working to resolve. 
6. Report problems to the theme developer. If no one else has the same issue, it’s a good idea to contact the theme developer. This way, they can fix it for you and all other users. 
7. Push your changes live. Finally, if everything is looking good, it’s time to push the update live.

Don’t worry if you don’t already have a staging environment in place. Let’s look at a few easy ways to create one:

Create a staging site with your web host

Depending on which WordPress hosting provider you choose, you may have access to a free or paid staging environment. 

For instance, Bluehost offers staging functionality within your WordPress dashboard. If you have the host’s plugin enabled, head to Bluehost → Staging.

Now, select Create Staging Site.

Bluehost will take a few minutes to create a staging website. It will be a complete copy of your existing site, but any changes you make won’t affect your live page. 

You can access your staging site by clicking on the circle to the left of its name.

Then, you can apply any edits to your live site by hitting Deploy All Changes on the right-hand side. 

Make a staging site with a plugin

The Jetpack plugin also enables you to make a staging environment. You’ll simply need to clone your site, import it into a local environment or subdomain, and then work on the website there. This documentation can walk you through the entire process. 

Alternatively, you could opt for a staging plugin like WP Staging. This free plugin helps you clone your website and work on it safely.

Once you’ve installed and activated the plugin in your WordPress dashboard, head to WP Staging → Staging Sites → Create New Staging Site.

You can then select specific database tables and files or just click on Start Cloning to copy your entire site.

WP Staging will take a few minutes to clone your website and create a staging environment. Then, it’s ready to go!

How to update your theme in WordPress (3 methods)

Now let’s get into the main part of this tutorial. Before running any updates, you should consider the best time of day for this process. 

Although a theme update takes just a few moments, it could cause temporary glitches on your site that inconvenience visitors. Additionally, if a new software version causes major problems, you don’t want to be scrambling to fix them during an influx of traffic.

Your first instinct might be to run a theme update in the middle of the night. But, this may not be the best approach if most of your visitors come from a different time zone. 

You may want to consider using Google Analytics to see when most users come to your site. Then, simply run your theme updates during a quiet period. 

1. Update your theme using the admin dashboard

Updating a theme via the WordPress admin dashboard is a very straightforward process. Simply head to Dashboard → Updates and scroll down to the Themes section.

Here, tick the checkbox next to your theme and click on Update Themes. The process should complete in a couple of seconds.

Alternatively, you can find available theme updates under Appearance → Themes. Any outdated themes will have a banner message:

Simply click on Update now above the applicable theme, and wait a few moments for WordPress to run the update. 

If, for any reason, this method doesn’t work, there is another option you can take from within the WordPress dashboard:

1. Go to Appearance → Themes → Add New.
2. Upload the zip file of the latest version of your current theme. For example, you can update the Twenty Twenty-Two theme by uploading a new copy downloaded from WordPress.org.
3. Click Replace active with uploaded when prompted.

2. Update your theme manually via FTP

Sometimes, you may be unable to update your premium or custom theme from the WordPress dashboard. For instance, if you purchased a theme from outside the WordPress theme repository, it might not add its updates to your dashboard. Fortunately, you can use an FTP client to run the updates.

Firstly, you’ll need to download the latest version of the theme onto your computer. It should download as a .zip file, so you’ll also have to extract it.

Next, connect to your website using an FTP client. If you don’t have one installed, FileZilla is a free and user-friendly option. It will ask you for your FTP credentials, so make sure to have them handy, too. 

Then, head to wp-content → themes.

You may want to download a copy of the existing folder for your theme in case something goes wrong. Then, simply replace it with the unzipped folder you just downloaded. This will override the existing theme files, applying the updates to the theme. 

3. Update your theme using cPanel

If your hosting provider uses cPanel, you can also use this application to change your WordPress theme or update it. Again, you may need to use this method if you’ve purchased a premium theme that doesn’t add its updates to the WordPress dashboard.

Like the previous method, you’ll need to download the latest theme version and unzip the files. Then, log into your hosting dashboard and locate cPanel. You’ll then need to open File Manager.

Now, go to public_html → wp_content → themes. 

Inside, you should see a folder for the theme you want to update. Right-click on it and select Compress to download it as a .zip file to your computer. This way, you’ll have a functional version to restore if you make a mistake.

Delete the theme folder and upload the downloaded folder containing the updated theme. When you navigate back to your WordPress dashboard, your site should now be running the latest version of the theme. 

How to undo a WordPress theme update

Rolling back or undoing a theme update will revert it to the previous software version. You might need to do this if the updated theme causes problems on your website. 

If you have a working backup of your WordPress website, you can simply restore it to this version. With Jetpack VaultPress Backup, you’ll just have to open your site with WordPress.com and navigate to Jetpack → Backup. 

Then, find a copy of your site that has the older version of the theme, and click on Restore to this point.

If you don’t have a website backup, a plugin like WP Rollback can help you out. Install and activate the plugin, then head to Appearance → Themes. Click on the theme to see its details, and select Rollback in the bottom-right corner.

You can now choose which version of the theme you’d like to reinstate.

Click on the circle next to the software version, then select Rollback. The plugin will take care of the rest. 

Keep in mind that this plugin only works for themes downloaded from the WordPress.org theme Repository. If you have a premium theme and didn’t back up your site, your only option is to manually roll back the update.

In this scenario, you’ll need to download the previous version of your theme as a .zip folder and unzip the files. Then, connect to your site via FTP or File Manager to replace the current theme folder with the older one. We covered this method in the previous section of the article. 

Frequently asked questions about updating your WordPress theme

By now, you should have a good idea of how to update your WordPress theme. If you still have questions about the process, we’ll answer them in this section. 

Why should you update a WordPress theme?

Updating a WordPress theme can secure your site by patching over security vulnerabilities within the code. Additionally, theme updates may contain new features or settings that give you more control over your theme’s appearance. 

Finally, since WordPress core is also updated frequently, new theme versions ensure compatibility with the core software. 

What happens when you update a WordPress theme?

Updating a theme involves installing the latest software version. The old theme files will be replaced with new ones during this process.

Any minor adjustments you’ve made within the theme’s built-in settings should carry over with the update, but custom code will be deleted and lost. For this reason, it’s advisable to back up your theme and make custom edits within a child theme before running any updates. 

Can I set my WordPress theme to update automatically?

You can set up automatic updates for your WordPress theme. This setting will save you time since you won’t have to manually upgrade the software. Moreover, you’ll immediately have access to security patches and other benefits. 

As always, you’ll want to make sure that you’re also backing up your site if you enable automatic updates. Then, you’ll have a functional version of your website on hand if the new software causes problems. 

In your WordPress admin dashboard, navigate to Appearance → Themes and click on the theme you want to automatically update. Now, select Enable auto-updates from the side menu.

Depending on your host, you may also have theme updates enabled by default. Many hosting providers will automatically update software to save you time and energy. You can then manage these settings from your hosting dashboard.

In many cases, you’ll just need to toggle a setting to enable and disable automatic theme updates. 

What if a WordPress theme update gets stuck?

Occasionally, a WordPress theme update can get “stuck.” This means it will keep trying to update but times out before completing the process. It may even break your site during the process. 

The easiest solution here is to restore a backup of your WordPress site and then run the update again. If the update continues to get stuck, there are a few simple fixes.

For starters, consider clearing your browser and server-side caches. There might be files interfering with the update process. Then, reload the page and try running the update again to see if it works.

The update could also be timing out due to a lack of resources. This is common if you’re using a shared hosting plan. In this scenario, make sure you’re only running one update at a time (rather than multiple themes and plugins simultaneously). 

The update may also be stuck because it’s only partially complete. In this scenario, you can access your website via FTP, delete the theme folder, and replace it with a downloaded folder from WordPress or the marketplace where you bought the theme. We explained this process in-depth earlier in the post. 

Update your WordPress theme today

WordPress theme updates can introduce security fixes, new features, and advanced functionality to your website. Unfortunately, updates can also override custom edits you’ve made or cause problems on your site. 

Therefore, you’ll want to save a backup and create a child theme before upgrading a theme. It’s also worth testing any changes in a staging environment before pushing them live. Then, updating your theme is simply a matter of clicking a few buttons in your WordPress admin area, accessing your website via FTP, or using cPanel in your hosting dashboard.

Before updating your WordPress theme, you’ll need to make sure that you have a functional backup in place. With Jetpack VaultPress Backup, you can save copies of your entire website and restore them in seconds. Learn more about Jetpack VaultPress Backup today!