WordPress Security How To
WordPress Security How To
Posted By Gregory

Restrict access to WordPress REST API

It's time to take control of WordPress REST API


The Cerber Security plugin allows you to restrict or completely block access to the WordPress REST API. To enable protection go to the Hardening tab on the plugin admin page and enable Block access to the WordPress REST API.

If you use Contact Form 7, Jetpack or any other plugin that make use of REST API and force you to use it, you need to whitelist its REST API namespace as described below.

Permit access to a particular REST API namespace

What’s namespace? Namespace is a part of a REST URL that allows WordPress to recognize what plugin or a part of code must serve a certain REST API request. To get the namespace take a string between /wp-json/ and the next slash in the REST URL. Every plugin that utilize REST API uses its own unique namespace. The table below shows namespaces for some plugins.

Plugin Namespace
Contact Form 7 contact-form-7
Caldera Forms cf-api
Yoast SEO yoast
Jetpack jetpack

Specify namespace exceptions for REST API if it’s needed as shown on the screenshot

Enable access to Contact Form 7 if WordPress REST API disabled

Enable access to Contact Form 7 if WordPress REST API disabled

Permit your users to use REST API

Check Allow REST API for logged in users if you want to allow using REST API for any authorized (logged in) WordPress user without limitation.

Restrict access to WordPress REST API by IP address or IP network

To permit access to REST API for a specific IP address or an IP network add them to the White IP Access List.

To block access to REST API for a specific IP address or an IP network add them to the Black IP Access List.

Read more: Using IP Access Lists to protect WordPress

Protection against REST API user enumeration

To stop user enumeration and block access to users details via REST API you just need to enable Stop user enumeration setting on the Hardening WordPress tab. This security feature is designed to detect and prevent hackers from scanning your site for user names and user details. When it’s enabled Cerber Security blocks both, the REST API user enumeration and traditional user enumeration requests for author archive pages with URL like /?author=n. So nobody will have access to the user details via REST API unless you permit access to them as described above.

What is REST API, anyway?

In a nutshell it’s a technology that allows two different piece of code (applications) to talk to each other and exchange data in a standardized way. Using REST API enables developers to create, read and update WordPress content from external applications running on a different computer or a website. The WP REST API is enabled by default starting WordPress version 4.7.0.

Read more: Why it’s important to restrict access to the WP REST API

Developers documentation: https://developer.wordpress.org/rest-api/

What’s the Cerber Security, anyway? It’s a complete security solution for WordPress which is evolved from a simple yet effective limit login attempts plugin.


I'm a team lead in Cerber Tech. I'm a software & database architect, WordPress - PHP - SQL - JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, that was amazing days) and today software engineering at Cerber Tech is how I make my living. I've taught to have high standards for myself as well as using them in developing software solutions.

View Comments