Allow REST API discovery calls (don't restricting access)
figureone committed Sep 1, 2016
1 parent b48af87 commit e635188
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion authorizer.php
Expand Up @@ -1358,7 +1358,9 @@ public function restrict_access( $wp ) {
// Allow access for requests to /wp-json/oauth1 so oauth clients can authenticate to use the REST API
( property_exists( $wp, 'matched_query' ) && stripos( $wp->matched_query, "rest_oauth1=" ) === 0 ) ||
// Allow access for non-GET requests to /wp-json/*, since REST API authentication already covers them
( property_exists( $wp, 'matched_query' ) && stripos( $wp->matched_query, "rest_route=" ) === 0 && $_SERVER['REQUEST_METHOD'] !== 'GET' )
( property_exists( $wp, 'matched_query' ) && stripos( $wp->matched_query, "rest_route=" ) === 0 && $_SERVER['REQUEST_METHOD'] !== 'GET' ) ||
// Allow access for GET requests to /wp-json/ (root), since REST API discovery calls rely on this
( property_exists( $wp, 'matched_query' ) && $wp->matched_query === 'rest_route=/' )
// Note that GET requests to a rest endpoint will be restricted by authorizer. In that case, error messages will be returned as JSON.
);

Expand Down Expand Up @@ -1389,6 +1391,11 @@ public function restrict_access( $wp ) {
return $wp;
}

// Allow HEAD requests to the root (usually discovery from a REST client).
if ( $_SERVER['REQUEST_METHOD'] === 'HEAD' && empty( $wp->request ) && empty( $wp->matched_query ) ) {
return $wp;
}

// We've determined that the current user doesn't have access, so we deal with them now.

// Fringe case: In a multisite, a user of a different blog can
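Review bot: The HEAD exemption in the second hunk, `if ( $_SERVER['REQUEST_METHOD'] === 'HEAD' && empty( $wp->request ) && empty( $wp->matched_query ) )`, appears wider than the "root" its comment describes: as far as I can tell `$wp->request` and `$wp->matched_query` are both empty for any request no rewrite rule matched, including plain query-string URLs, so those HEAD requests also return before the access restriction below and their response headers (canonical `Location` redirects, `Link` discovery headers) are served unauthenticated. Tightening the guard to the bare root, e.g. `if ( $_SERVER['REQUEST_METHOD'] === 'HEAD' && empty( $wp->request ) && empty( $wp->matched_query ) && empty( $wp->query_vars ) ) {`, keeps the discovery case and closes that gap. `$_SERVER['REQUEST_METHOD']` is read without an `isset` guard here and in the first hunk, which emits a notice when the hook runs outside a web request. The first hunk's `rest_route=/` exemption deliberately exposes the REST index (namespace and route listing) to anonymous clients; a comment such as `// Accepted disclosure: the unauthenticated index lists registered routes.` would make that trade-off explicit for later readers. `restrict_access` begins and ends outside both hunks.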
