I've become aware recently that one or some of the security measures which can be run through WordPress Toolkit may potentially interfere with the REST API. Here are the steps to reproduce it - we've now seen 3 new customers recently with random REST API errors, like posts not saving, certain plugins not working etc (which can be a real pain in the ass to diagnose):
Pre-requisite: Either WordPress must be installed with a plugin/theme set which includes a plugin or theme which creates a .htaccess file, or a plugin or theme which creates a .htaccess file in the WordPress root must be installed before proceeding to step 2 below.
A prime example of such a plugin is a caching plugin like LiteSpeed Cache which will create, and add directives to, a .htaccess file
1) Install WordPress via WordPress Toolkit.
2) Apply all available security measures
3) One of these (possibly "Block access to .htaccess and .htpasswd") will change the permissions of .htaccess to 0600
4) WordPress will show REST API error under Tools > Site Health.
5) Attempting to change or set permalinks will fail (Settings > Permalinks) - any post created or accessed will 404 if you're using pretty permalinks
While not directly a bug, it seems a bit bad to effectively be able to break a WordPress install before the user has even logged in - the average user would not have the skills necessary to diagnose such an error.
Pre-requisite: Either WordPress must be installed with a plugin/theme set which includes a plugin or theme which creates a .htaccess file, or a plugin or theme which creates a .htaccess file in the WordPress root must be installed before proceeding to step 2 below.
A prime example of such a plugin is a caching plugin like LiteSpeed Cache which will create, and add directives to, a .htaccess file
1) Install WordPress via WordPress Toolkit.
2) Apply all available security measures
3) One of these (possibly "Block access to .htaccess and .htpasswd") will change the permissions of .htaccess to 0600
4) WordPress will show REST API error under Tools > Site Health.
5) Attempting to change or set permalinks will fail (Settings > Permalinks) - any post created or accessed will 404 if you're using pretty permalinks
While not directly a bug, it seems a bit bad to effectively be able to break a WordPress install before the user has even logged in - the average user would not have the skills necessary to diagnose such an error.