Disable REST API

Description

The most comprehensive plugin for controlling access to the WordPress REST API!

Works as a “set it and forget it” install. Just upload and activate, and the entire REST API will be inaccessible to your site visitors. Or if you have a plugin or theme installed which needs some of its endpoints to be accessible to site visitors, you can do that too. Go to the Settings page and you can quickly whitelist individual endpoints – or entire branches of endpoints – registered with the REST API.

The engine for the API has existed in WordPress since v4.4, and additional functionality and endpoints are continually being added. While this is very exciting news for many reasons, it is also not functionality that every site admin wants enabled on their website when it is not needed.

As of WordPress 4.7, the filters provided for disabling the REST API were removed. To compensate, this plugin will forcibly return an authentication error to any API requests from sources who are not logged into your website, which will effectively still prevent unauthorized requests from using the REST API to get information from your website.

For WordPress versions 4.4, 4.5 and 4.6, this plugin makes use of the rest_enabled filter provided by the API to disable the API functionality. However, it is strongly recommended that all site owners run the most recent version of WordPress except where absolutely necessary.

Screenshots

  • The JSON returned by a website with the API disabled via filters (WP versions 4.4, 4.5, 4.6)
  • The JSON returned by a website with the API disabled via authentication methods (WP versions 4.7+)
  • The Settings page lets you selectively whitelist endpoints registered with the REST API.

Installation

  1. Upload the disable-json-api directory to /wp-content/plugins/ via FTP.
  2. Alternatively, upload the disable-json-api_v#.#.zip file to the ‘Plugins->Add New’ page in your WordPress admin area.
  3. Activate the plugin through the ‘Plugins’ menu in WordPress.

FAQ

How do I know if this plugin is working?

While logged into WordPress as any user, the REST API will function as intended. Because of this, you must use a new browser – or Chrome’s incognito mode – to test your website with a clean session. Go to yourdomain.com/wp-json/ (or yourdomain.com/?rest_route=/ if you have pretty permalinks disabled) while NOT LOGGED IN to test the results. If the plugin is active, you will see an authentication error returned: “DRA: Only authenticated users can access the REST API.”
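
The same check can be scripted for a site you administer. This is an added example, not code from the plugin: it requests both index URLs without cookies and classifies each response. The "open" heuristic (a 200 JSON index listing routes or namespaces) and the sample responses are assumptions constructed for illustration.

```python
import json
import sys
import urllib.error
import urllib.request

# Message quoted in the FAQ answer above.
DRA_MESSAGE = "DRA: Only authenticated users can access the REST API."

# Constructed sample responses (status, body); error code and status are placeholders.
SAMPLE_BLOCKED = (401, '{"code":"placeholder_code","message":"' + DRA_MESSAGE + '","data":{"status":401}}')
SAMPLE_OPEN = (200, '{"name":"Example Site","namespaces":["wp/v2"],"routes":{"/":{}}}')
SAMPLE_HTML = (200, "<html><body>Not JSON</body></html>")


def classify(status, body):
    """Return 'blocked', 'open' or 'unknown' for one unauthenticated response."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "unknown"  # HTML page, proxy error, empty body
    if not isinstance(doc, dict):
        return "unknown"
    if doc.get("message") == DRA_MESSAGE:
        return "blocked"
    # Assumption: an unprotected index answers 200 and lists namespaces and routes.
    if status == 200 and ("routes" in doc or "namespaces" in doc):
        return "open"
    return "unknown"


def probe(base_url, timeout=10):
    """Request both index URLs without cookies (a clean session) and classify each."""
    results = {}
    for path in ("/wp-json/", "/?rest_route=/"):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # error responses still carry a body
            status, body = err.code, err.read().decode("utf-8", "replace")
        results[path] = classify(status, body)
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_dra.py https://yourdomain.com
        print(probe(sys.argv[1]))
    else:
        for sample in (SAMPLE_BLOCKED, SAMPLE_OPEN, SAMPLE_HTML):
            print(sample[0], classify(*sample))
```

A result of "unknown" for /wp-json/ alongside "blocked" for /?rest_route=/ is what a site with pretty permalinks disabled would be expected to show.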

Does this plugin disable all REST APIs installed?

This plugin is ONLY meant to disable endpoints accessible via the default REST API that is part of WordPress itself. If a plugin or theme chooses to register its namespace with the core REST API, its endpoints will – by default – be disabled so long as this plugin is active. Namespaces and routes may be whitelisted via this plugin’s Settings page.

Reviews

April 20, 2020
The plugin uses an is_user_logged_in() check to grant access to disabled REST API endpoints. I have run a membership site for one year and just realized now that any logged-in visitor STILL HAS ACCESS to any disabled REST API endpoints. This should be very explicit, and there should be a setting in the plugin settings page to set the minimum role for the user to have access to the disabled endpoints.
December 14, 2019
A necessary plugin if you have a site for logged-in users. Thanks for this plug-in!

Contributors & Developers

“Disable REST API” is open source software.

“Disable REST API” has been translated into 6 locales. Thank you to the translators for their contributions.


Changelog

1.5.1

  • Tested up to WP v5.5

1.5

  • Tested up to WP v5.3
  • Added enforcement for WordPress and PHP minimum version requirements
  • Fixed minor bug to prevent unintended empty routes
  • Minor text updates and adding textdomain to translation functions that didn’t have them

1.4.3

  • Added load_plugin_textdomain() for i18n

1.4.2

  • Fixed issue causing unintentional unlocking of endpoints when another WP_Error existed before this plugin did its job

1.4.1

  • Fixed echo of text URL to primary Plugins page in WP Dashboard

1.4

  • Tested for WP v4.8
  • Tested for PHP 5.3+
  • Added settings screen
  • Site Admins may now whitelist routes that they wish to allow unauthenticated access to
  • Added dra_allow_rest_api filter to the is_user_logged_in() check, so developers can get more granular with permissions
  • Props to @tangrufus for all of the help that went into this release

1.3

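  • Tested for WP v4.7
  • Added new functionality to return an authentication error for users who are not logged in, on WordPress 4.7 and later

1.2

  • Tested for WP v4.5
  • Removed the actions that publish REST info to the head and headers

1.1

  • Updated to support the new filters introduced in the 2.0 beta API

1.0

  • Initial release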