Restrict WordPress REST API Access


The WordPress REST API is a feature rolled out in WordPress 4.4 and greatly expanded in WordPress 4.7. The REST API provides developers with new ways to manage WordPress.

By default, the REST API can be used to access information that you might believe is private on your site, including:

  • Published posts of all post types, including those that don’t seem like posts, such as products or member programs.
  • User details that may include users that do not have any published posts or pages.
  • Media library entries which may expose links to download media that is not publicly linked anywhere. This could include links to download member-only content, backups created by some plugins, or any other kind of file added to the media library. (Note that BackupBuddy backups are not stored in the media library and are not accessible via the REST API.)

Restrict WordPress REST API Access

The iThemes Security plugin offers a setting to Restrict Access to most REST API data.

To take advantage of the Restrict WordPress REST API Access feature, you’ll need to update to iThemes Security Pro 3.4.0 and iThemes Security 6.0.0 (free version).

With this setting, most requests will require a logged-in user or a user with specific privileges, blocking public requests to potentially private data. We recommend enabling the Restricted Access setting.

  1. To activate the setting, navigate to the WordPress Tweaks section on the Security > Settings page of your WordPress dashboard. Click the “Configure Settings” button.
  2. Scroll to the REST API section. Select the “Restricted Access” setting.
  3. Click “Save Settings” to save your new settings.
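To confirm the setting took effect on your own site, request the three data types listed above without logging in and see which ones still answer. The script below is an added example, not part of the iThemes plugin or its documentation; it assumes pretty permalinks (the `/wp-json/` prefix) and that a restricted route answers an anonymous request with HTTP 401 or 403, and its sample responses are constructed so it runs offline.

```python
import json
import urllib.error
import urllib.request

# Core WordPress REST routes for the three data types the article lists.
ROUTES = {
    "posts": "/wp-json/wp/v2/posts",
    "users": "/wp-json/wp/v2/users",
    "media": "/wp-json/wp/v2/media",
}

def classify(status, body):
    """Classify one anonymous response: restricted, exposed, empty or unknown."""
    if status in (401, 403):  # assumption: restricted routes reject anonymous requests
        return "restricted"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:  # not JSON, e.g. an HTML error page
        return "unknown"
    if isinstance(data, list):  # collection routes return a JSON array
        return "exposed" if data else "empty"
    return "unknown"

def fetch_anonymous(base_url, path, timeout=10):
    """GET a route with no cookies or credentials; return (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path + "?per_page=1")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def audit(base_url, fetch=fetch_anonymous):
    """Return {data type: classification} for each route in ROUTES."""
    return {name: classify(*fetch(base_url, path)) for name, path in ROUTES.items()}

# Constructed sample responses (not captured from a real site).
SAMPLE = {
    "/wp-json/wp/v2/posts": (200, '[{"id": 1, "slug": "hello-world"}]'),
    "/wp-json/wp/v2/users": (401, '{"code": "example_restricted", "data": {"status": 401}}'),
    "/wp-json/wp/v2/media": (200, "[]"),
}

if __name__ == "__main__":
    # Replace the sample fetch with the default to audit your own site's URL.
    for name, result in audit("https://example.test", fetch=lambda b, p: SAMPLE[p]).items():
        print(f"{name:6} {result}")
```

Any route reported as `exposed` is still returning data to visitors who are not logged in.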

Default WordPress REST API Access

iThemes Security also includes a Default Access setting, which leaves REST API access at the WordPress default. With this setting enabled, information from your site, including published posts, user details, and media library entries, is available for public access.

For more information on the WordPress REST API, check out the WordPress REST API docs.

Secure and protect your WordPress with iThemes Security Pro. Get WordPress two-factor authentication, WordPress user security check, WordPress malware scan and private, ticketed support.