WordPress for Cowork talks to your site through the WordPress REST API (the routes under /wp-json/). If that path returns 404, the plugin can’t reach your site at all.
Quick test from your browser
Open https://yourdomain.com/wp-json/ in a private/incognito window. You should see a JSON response listing namespaces (look for wp/v2, and after Cowork Bridge is installed, coworkmcp/v1). If you get a 404 HTML page instead, the REST API is unavailable.
The 5 common causes
1. Permalinks not set
Plain permalinks disable the REST API rewrite rules. Go to wp-admin → Settings → Permalinks and choose anything other than “Plain” (Post name is the standard). Just visiting the Permalinks page and clicking Save flushes the rewrite rules and usually fixes it.
2. A security plugin disabled the REST API
iThemes/Solid Security, AIOWPS, WP Cerber, and a few others can disable REST API access globally. See the per-plugin articles in the Troubleshooting category. Quickest test: temporarily deactivate every security plugin, re-check /wp-json/, then reactivate one at a time to find the culprit.
3. .htaccess rule blocking /wp-json
If .htaccess in your site root contains a rule blocking /wp-json (sometimes added by older security guides), remove it. Look for lines containing wp-json or RewriteRule.*404.
4. Hardcoded WordPress address mismatch
If your Settings → General → WordPress Address (URL) doesn’t exactly match the URL you’re visiting (HTTP vs HTTPS, www vs non-www), some hosts return 404 on REST routes. Both URLs should be identical.
5. Server-level firewall (ModSecurity)
On some managed hosts (GoDaddy, certain shared-hosting plans), the host’s ModSecurity rules block REST API traffic. Contact the host’s support and ask: “Please allowlist /wp-json/coworkmcp/* for my site — it’s a legitimate REST API route.”
After fixing
Run /wp-setup again in Cowork. The plugin re-tests the REST API on each setup attempt.