REST API - Head Tags Plugin Breaking with Password Protected


I installed the new REST API - Head Tags plugin and I want to start off by saying kudos to the team!

The plugin works great and I am running it now at: (my personal Frontity built blog). I ran into a problem though with another plugin I use named Password Protected. I use Password Protected for SEO reasons. I have found that they do not work together, and to get them to work, I had to disable caching in the REST API - Head Tags plugin.

I also found this error in my terminal when running npx frontity dev

{ FetchError: invalid json response body at reason: Unexpected token < in JSON at position 0
at eval (webpack-internal:///./node_modules/node-fetch/lib/index.mjs:276:32)
at processTicksAndRejections (internal/process/next_tick.js:81:5)
   'invalid json response body at reason: Unexpected token < in JSON at position 0',
  type: 'invalid-json' }

Just wanted to let the team know and perhaps there might be a fix.

I’ll be looking into the issue further myself if/when I get the chance.


Hi @ShaGui and thank you for your positive feedback :raised_hands:

I don’t know that plugin, but a first sight it looks like it’s redirecting the REST API calls to a HTML form and asking for a password. As the fetch function is expecting to receive JSON code, it fails and Frontity returns that error.

Maybe there is an option in that plugin to ignore the REST API urls, I guess?

I’ve been taking a quick look and it doesn’t look like the plugin has native support to ignore certain URLs. There’s someone who has hacked it to add this support:

The plugin has the option to Allow REST API Access as can be seen in the image below:

I have the plugin enable as of right now, and it is working with this setting off:

With Password Protected enabled, I do have access to the REST API, and as soon as I enable the Heads Tags plugin, the calls to the REST API break. It seems like there is some minor change made to the REST API JSON file by both plugins which leads to it breaking the calls. I’ll try and see what they change is.

Further details.

I have found that when I enable the REST API - HEAD Tags plugin in the settings, it is redirecting me to Password Protected’s request for a password. This does not occur when I disable the REST API - Head Tags plugin in the settings. I believe this is what @David and @Pablo was talking about. That being said, it should not be an issue, as Password Protected is supposed to access to the REST API and works with no issues until REST API - HEAD Tags is turned on in the settings.

I am beginning to think that when I enable the REST API - HEAD Tags plugin, it is perhaps changing the original REST API JSON file URL.

I’ll explore further.

Oh, I think I know what happens.

In order to get the tags inside the head element for a particular post /page / etc. , the plugin is changing the WordPress main query and “rendering” the HTML content of the head. After that, the HTML is converted to a JSON and the WordPress main query is restored.

I am almost sure that Password Protected is blocking the REST API just when the main query is changed.

We’ll investigate to see how we can solve it. Thanks for reporting, @ShaGui!

1 Like

Password protected has a hook to overwrite its behavior. Maybe we can use it deactivate it if it’s a REST API request. Could you please try this?

apply_filters( 'password_protected_show_login', function() {
  return !defined('REST_REQUEST');
}, 10);

I haven’t tested the code so please run it first in your development environment!

@luisherranz I tried the code and it made no difference unfortunately. I believe that @David may have the solution, but I can’t be sure as I’ve tried going over the code in Password Protected and the REST API plugins and it is a little over my head at this moment :sweat_smile: Hopefully there is a solution though :grin:

What about this:

add_action( 'rest_api_init', function () {
  apply_filters( 'password_protected_show_login', function() {
    return false;

By the way, where did you added the previous code? Because I don’t think functions.php is run when there’s a REST API request so this code needs to be added either in a plugin or with something like

I added the code in the plugin itself. Probably not the best place or the correct place… :sweat_smile: I’ll go ahead and try both with the code snippet and see if that works. I’ll confirm tomorrow.

Just here to say that functions.php does run on REST API requests. Tested it a few days ago because I also suspected this but I was wrong.

1 Like

I went ahead and tried this line of code along with the other one @luisherranz suggested using Code Snippet. Neither one of them worked unfortunately. The same issue occurs whenever I enable the REST API Plugin… Any other suggestions? I’m at a lost myself.

I don’t understand. This should deactivate the password plugin:

apply_filters( 'password_protected_show_login', function() {
  return false;

What happens if you add that to your functions.php file. Do you still see the login? Maybe the filter is broken…


Any progress with this issue?

I tried every method from this post but the REST API - HEAD Tags plugin still doesn’t work with password plugin.

I wasn’t able to get it to work, but I am unsure which plugin is the issue…

Hey guys, maybe you should contact Ben Huson for assistance on how to disable his plugin in the REST API?

Yes, that’s good idea.

I already find workaround to this issue. I switched “Password Protected plugin” on something similar - Haadless Mode plugin. (

It comply with my requirements and redirects from wordpress front page to my blog, maintaining good SEO practices.

It also has no problems with REST API HEAD TAGS plugin.


Nice plugin @trzcinskid0. Thanks for sharing :slight_smile:

I use this too! Great lightweight plugin. No settings or anything. Just activate. I’ve bundled it as an mu-plugin in my boilerplate code for any new builds so it doesn’t clutter up my plugin page (not that I use that many anyway, it just doesnt need to appear in wp-admin at all so…)

1 Like