WordPress POST data and the 404 errors: The mystery of the restricted query variables

I recently had a problem with a form submitted in WordPress returning a 404 error everytime even though it was submitting to an entirely valid URL. The form submission was managed via AJAX using jQuery.post(), so at first I assumed it was a Javascript problem – after a bit of testing, however, I discovered it was happening even if I submitted the form via PHP. I was entirely baffled by the issue (particularly because I had another form on the same site that submitted with no issues whatsoever) and spent a number of days trying to work it out – eventually I discovered the problem had nothing to do with Javascript, PHP or the server configuration, but was actually due to a restriction built into WordPress that isn’t immediately apparent.

It turns out that WordPress has a number of query variable names that are reserved for specific functions and cannot be used by any custom form on the site. In my case, I had a field called ‘name’ that was the culprit and simply changing it to ‘clientname’ fixed my problem entirely. The problem is that instead of giving a helpful error, WordPress just returns a 404 with no explanation about what went wrong or why it happened – even with debug mode on there is nothing helpful. This, as you can imagine, is particularly frustrating.

I haven’t found any official documentation listing the reserved variables, but there is this user-created page in the WordPress Codex that has a list of them (based on the variables used by WP_Query). I’m not sure how complete it is, but it seems fairly comprehensive.

Seeing as though I struggled with this for a few days, I thought I would share the solution here to help anyone else who might be having a similar issue.

8 Thoughts

  1. Awesome! I was just having this exact same problem. Although the ajax request had been working fine for the past year, it just stopped working all of a sudden today. Turns out this was the issue. Thanks a lot!

  2. Thanks 🙂

    I was thinking issue is related to mod_security but changing fields name solved my problem.

  3. Cool.
    Probably, wp-includes/class-wp.php file for the arrays $public_query_vars and $private_query_vars are the noums that are forbiden:
    $public_query_vars = array(‘m’, ‘p’, ‘posts’, ‘w’, ‘cat’, ‘withcomments’, ‘withoutcomments’, ‘s’, ‘search’, ‘exact’, ‘sentence’, ‘calendar’, ‘page’, ‘paged’, ‘more’, ‘tb’, ‘pb’, ‘author’, ‘order’, ‘orderby’, ‘year’, ‘monthnum’, ‘day’, ‘hour’, ‘minute’, ‘second’, ‘name’, ‘category_name’, ‘tag’, ‘feed’, ‘author_name’, ‘static’, ‘pagename’, ‘page_id’, ‘error’, ‘comments_popup’, ‘attachment’, ‘attachment_id’, ‘subpost’, ‘subpost_id’, ‘preview’, ‘robots’, ‘taxonomy’, ‘term’, ‘cpage’, ‘post_type’);
    $private_query_vars = array(‘offset’, ‘posts_per_page’, ‘posts_per_archive_page’, ‘showposts’, ‘nopaging’, ‘post_type’, ‘post_status’, ‘category__in’, ‘category__not_in’, ‘category__and’, ‘tag__in’, ‘tag__not_in’, ‘tag__and’, ‘tag_slug__in’, ‘tag_slug__and’, ‘tag_id’, ‘post_mime_type’, ‘perm’, ‘comments_per_page’, ‘post__in’, ‘post__not_in’);

  4. I spent way too much time trying to fix this issue and it turns out it was a simple data name!! This post just saved me. Thanks!

  5. Thank you so much for this! If only I found this post earlier, it would’ve saved me a lot of time and frustration. Indeed, the variable “name” was the culprit. I hope this post helps a lot more people!

Leave a Reply