What a palaver getting WordPress working. Updating Failed … not a valid JSON response errors crippled Gutenberg. Standard fixes failed. Here’s how it was easily solved – once the problem was nailed down – Server-side WAF blocking.
Short story
- Problem: Gutenberg block editor won’t save, JSON errors and red banners everywhere
- Browser hell: Firefox iPhone/Mac, incognito, cache clears – all failed, following this WPBeginner common JSON error troubleshooting guide.
- Temporary workaround found: Quick Draft/Edit partially works (but why?)
- Server smoking gun: 403 errors and Web Application Firewall logs
- Victory: Whitelist 3 rules in the Web Application Firewall option on DirectAdmin panel, Gutenberg back on track and running smoothly.
Gutenberg editor was mis-firing
On Firefox on a Mac desktop, I investigated every avenue for why saving posts and pages was failing, throwing up a red banner with the error message in the title.
Strangely, edits stuck when the auto-save was updated.
The only viable option, before finding a proper solution, was to write posts in the quick draft box on the dashboard, i.e. circumvent the snazzy Gutenberg editor.
No joy ever, updating themes. In other words, the site was not editable.
Firefox iPhone app, more up-to-date than my desktop browser – updating drafts was working as expected. But to publish them, another matter.
Posts would not publish from the editor. I could publish from Quick Draft on the dashboard. No better than my old desktop browser. Perplexing.
The auto-save bug was still active when updating published articles. But the JSON response warning was coming up, regardless of device.
Conclusion: It wasn’t a browser issue. And no conventional troubleshooting tricks worked – reset permalinks, redo htaccess file, etc.
It had to be a server-side issue.
Web Application Firewalls or for short, wtf?
I have used WordPress and had hosting packages for about 20 years, but I never heard of WAFs. Here’s why – and thanks to the MynymBox team hosting this website.
…most hosting companies don’t run Web Application Firewalls which opens many many security issues. We offer all our Shared Hosting customers a Web Application Firewall which has to be configured by the customer. This can be done in DirectAdmin -> Web Application Firewall. Under Audit.log you see all blocks and the ruleID. For each you can do an exception.
The blocks are a totally normal behavior especially for your header blocks as this can be heavily abused.
To the uninitiated it was gobbledygook. For the Mynymbox admins it was simple. This is my set of blocks.
| Excluded rule | Rule message |
|---|---|
| 920450 | HTTP header is restricted by policy (/x-http-method-override/) |
| 920210 | Multiple/Conflicting Connection Header Data Found |
| 930130 | Restricted File Access Attempt |
It’s all working at the moment. And unlike this poor client of GoDaddy, it didn’t cost me $50 to select the blocks to whitelist.
Hat tip to Mynymbox for taking privacy and security so seriously.
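One way to review the Audit.log before adding exceptions, as an added example that is not part of the original post or Mynymbox's tooling. It assumes the log uses ModSecurity's native serial audit format (an assumption; the rule IDs in the table match OWASP Core Rule Set numbering), and every entry, IP and path in the sample is constructed. It reports which rule IDs caused 403s on the WordPress editor endpoints only.

```python
import re

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")   # e.g. --aaaa0001-B--
RULE = re.compile(r'\[id "(\d+)"\].*?\[msg "([^"]*)"\]')

# CONSTRUCTED sample entries (sections A, B, H, Z), not the site's real log.
def _entry(uid, request, rule_id, msg):
    return (f"--{uid}-A--\n[01/Jan/2025:10:00:00 +0000] {uid} 203.0.113.10 50000 198.51.100.5 443\n"
            f"--{uid}-B--\n{request} HTTP/1.1\nHost: example.test\n\n--{uid}-H--\nMessage: Access "
            f'denied with code 403 (phase 2). [id "{rule_id}"] [msg "{msg}"]\n\n--{uid}-Z--\n\n')

SAMPLE_LOG = (
    _entry("aaaa0001", "POST /wp-json/wp/v2/posts/42?_locale=user", "920450",
           "HTTP header is restricted by policy (/x-http-method-override/)")
    + _entry("aaaa0002", "POST /wp-json/wp/v2/pages/7", "920210",
             "Multiple/Conflicting Connection Header Data Found")
    + _entry("aaaa0003", "GET /old/.htaccess", "930130", "Restricted File Access Attempt")
)

def parse_transactions(text):
    """Return one dict per transaction: request path, deny status, rules that fired."""
    done, cur, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            section = m.group(2)
            if section == "A":        # A opens a transaction, Z closes it
                cur = {"path": None, "status": None, "rules": []}
            elif section == "Z" and cur:
                done.append(cur)
                cur = None
        elif cur is None or not line.strip():
            continue
        elif section == "B" and cur["path"] is None:   # request line, query stripped
            cur["path"] = (line.split() + [""])[1].split("?")[0]
        elif section == "H" and line.startswith("Message:"):
            cur["rules"] += RULE.findall(line)
            hit = re.search(r"Access denied with code (\d+)", line)
            cur["status"] = int(hit.group(1)) if hit else cur["status"]
    return done

def exclusion_candidates(text, prefixes=("/wp-json/", "/wp-admin/")):
    """Rule ID -> set of paths, counting only 403s on WordPress editor endpoints."""
    found = {}
    for tx in parse_transactions(text):
        if tx["status"] == 403 and (tx["path"] or "").startswith(prefixes):
            for rule_id, _msg in tx["rules"]:
                found.setdefault(rule_id, set()).add(tx["path"])
    return found
```

A rule ID that fired only on paths outside the editor endpoints, like the third constructed entry, is left out of the result, so it gets a second look before being excluded.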
Privacy stack
The basic premise is that privacy is a fundamental building block of civilisation. It does not equate to criminality. Companies don’t need to know everything about us to provide a service. If I were to commit a crime using a paying service, I would expect the relevant authorities to request details from the company, under subpoena, to find me and deal with me.
Contrast that need-to-know dynamic with the current paradigm for companies to demand overreaching amounts of PID. It serves two purposes, neither of which is for the benefit of their clients.
- Selling personal info is a lucrative business model, so many make up any BS reason to demand personal info – for your safety, for the sake of the children
- Law enforcement likes this paradigm too. Instead of doing real police work, innocent ’til proven guilty, they have adopted a Minority Report mindset, accessing private company databases to see what’s going on. Were the government or police to pursue the level of data collection permitted in the private sector, they would all go to jail.
Good guys in the online privacy world
Mynymbox is part of a cool, non-KYC group of tech companies. They host websites for bitcoin and have no interest in personal details. Their main clients are journalists and free speech advocates in adversarial states. Starting prices for shared hosting are very low. Their tech support is very patient.
Proton offer a free, encrypted email address with no KYC. Ideal for providing an email to a web host dedicated to privacy. The account also comes with a “Google” style drive, a “Google” calendar, a free VPN and much more joined-up thinking apps. Unlike Google though, anything set up by Proton is all encrypted and ethical. Their business model is based on users paying, so you are never the product.
The rtcrenville.com domain is held by a non-KYC registrar. Privacy assured from casual internet trawlers.
Nostr is a social media and general internet built on privacy and censorship resistance. No names or emails required. No central owner, moderator or censor. One password and username to move between all apps; take your followers and content wherever you want on the Nostr network of apps.
Bitcoin Lightning, the private money of Nostr and its Value-4-Value circular economy.
Step outside the box, it’s very liberating.