Stable tag: 1.3.2
Requires at least: 6.0
Tested up to: 6.0
Requires PHP: 8.0
License: GPL v2 or later
Tags: alleyinteractive, rest-api-guard
Contributors: sean212
Restrict and control access to the REST API.
You can install the package via composer:
composer require alleyinteractive/wp-rest-api-guard
The WordPress REST API is generally very public and can share a good deal of information with the internet anonymously. This plugin aims to make it easier to restrict access to the REST API for your WordPress site.
Out of the box the plugin can:
The plugin can be configured via the Settings page (Settings -> REST API Guard
) or via the relevant filter.
wp/v2/users
)By default, the plugin will restrict anonymous access to the users endpoint. This can be prevented in the plugin's settings or via code:
add_filter( 'rest_api_guard_allow_user_access', fn () => true );
/
) or Namespace Endpoints (wp/v2
)To prevent anonymous users from browsing your site and discovering what plugins/post types are set up, the plugin restricts access to the index (/
) and namespace (wp/v2
) endpoints. This can be prevented in the plugin's settings or via code:
// Allow index access.
add_filter( 'rest_api_guard_allow_index_access', fn () => true );
// Allow namespace access.
add_filter( 'rest_api_guard_allow_namespace_access', fn ( string $namespace ) => true );
The plugin can restrict anonymous access for any request to the REST API in the plugin's settings or via code:
add_filter( 'rest_api_guard_prevent_anonymous_access', fn () => true );
Anonymous users can be granted access only to specific namespaces/routes. Requests outside of these paths will be denied. This can be configured in the plugin's settings or via code:
add_filter(
'rest_api_guard_anonymous_requests_allowlist',
function ( array $paths, WP_REST_Request $request ): array {
// Allow other paths not included here will be denied.
$paths[] = 'wp/v2/post';
$paths[] = 'custom-namespace/v1/public/*';
return $paths;
},
10,
2
);
Anonymous users can be restricted from specific namespaces/routes. This acts as a denylist for specific paths that an anonymous user cannot access. The paths support regular expressions for matching. The use of the Allowlist takes priority over this denylist. This can be configured in the plugin's settings or via code:
add_filter(
'rest_api_guard_anonymous_requests_denylist',
function ( array $paths, WP_REST_Request $request ): array {
$paths[] = 'wp/v2/user';
$paths[] = 'custom-namespace/v1/private/*';
return $paths;
},
10,
2
);
Anonymous users can be required to authenticate via a JSON Web Token (JWT) to
access the REST API. Users should pass an Authorization: Bearer <token>
header
with their request. This can be configured in the plugin's settings or via code:
add_filter( 'rest_api_guard_authentication_jwt', fn () => true );
Out of the box, the plugin will look for a JWT in the `Authorization: Bearer