WordPress Security How To
WordPress Security How To

Restrict access to the WordPress REST API

It's time to take control of WordPress REST API


WP Cerber Security allows you to restrict or completely block access to WordPress REST API which is enabled by default. To enable protection go to the Hardening tab and enable Block access to WordPress REST API except any of the following. This blocks access to the REST API unless you grant access to it in the settings fields below or add an IP to the White IP Access List.

Restrict access to WordPress REST API

Restrict access to WordPress REST API

If you use Contact Form 7, Jetpack or another plugin that makes use of REST API, you need to whitelist its REST API namespaces as described below.

Permit access to a specific REST API namespace

A REST API namespace is a part of a request URL that allows WordPress to recognize what program code processes a certain REST API request. To get the namespace, take a string between /wp-json/ and the next slash in the REST URL. Every plugin that utilizes REST API uses its own unique namespace. The table below shows namespaces for some plugins.

Plugin Namespace
Contact Form 7 contact-form-7
Caldera Forms cf-api
Yoast SEO yoast
Jetpack jetpack

Specify namespace exceptions for REST API if it’s needed as shown on the screenshot

Permit your users to use REST API

Enable Allow REST API for logged in users if you want to allow using REST API for any authorized (logged in) WordPress user without limitation.

Restrict access to WordPress REST API by IP addresses

To permit access to REST API from a specific IP address or an IP network add them to the White IP Access List.

To completely block access to REST API from a specific IP address or an IP network add them to the Black IP Access List.

Read more: Using IP Access Lists to protect WordPress

How to stop REST API user enumeration

To block access to users’ data and to stop user enumeration via REST API you need to enable the Block access to users’ data via REST API setting on the Hardening tab. This security feature is designed to detect and prevent hackers from scanning your site for user logins and sensitive users’ data.

When it’s enabled Cerber blocks all request to REST API and return HTTP 403 Error. You can monitor such events on the Activity tab. They are logged as “Request to REST API denied”.

Access to users’ data via WordPress REST API is always granted in two cases:

  1. For administrator accounts, meaning if “Stop user enumeration” via REST API is enabled, all users with the administrator role always have access to users’ data
  2. For all IP addresses in the White IP Access List

What is REST API?

In a nutshell, it’s a technology that allows two different pieces of code (applications) to talk to each other and exchange data in a standardized way. Using REST API enables developers to create, read and update WordPress content from external applications running on a remote computer or a website. The WP REST API is enabled by default starting the WordPress version 4.7.0.

Read more: Why it’s important to restrict access to the WP REST API

Developers documentation: https://developer.wordpress.org/rest-api/

Do you know that you can manage REST API settings on any number of websites remotely? Enable a main website mode on the main Cerber.Hub website and a managed website mode on your other websites to manage all WP Cerber instances from one dashboard.

Next steps that’ll strengthen your WordPress security

What’s the Cerber Security, anyway? It’s a complete security solution for WordPress which is evolved from a simple yet effective limit login attempts plugin.

Have any questions?

If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered here: G2.COM/WPCerber.


I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.

View Comments