Headless REST API Security

Description

Running a Headless WordPress site often involves exposing the REST API. Headless REST API Security provides tools for administrators to control which endpoints are accessible to the public or external applications.

This plugin restricts public access to REST API endpoints by default and offers a settings interface to allow-list only the specific routes required by a frontend application (such as Next.js, Gatsby, or mobile apps).

Features

  • Access Control: Restrict default public access to REST API endpoints.
  • Route Allow-Listing: Specific API routes (e.g., /wp/v2/posts) can be enabled while others remain restricted.
  • API Key Authentication: Supports an X-API-KEY header for server-to-server or frontend requests.
  • Headless Redirect: Option to redirect users accessing the backend API URL to a specified frontend domain.
  • Admin Access: Logged-in Administrators and Editors retain access to the API to support the Block Editor (Gutenberg) functionality.
  • Plugin Support: Detects routes registered by third-party plugins for configuration.

Usage

  1. Navigate to Settings > Headless Security in the WordPress dashboard.
  2. Enable the Master Switch to activate the access restrictions.
  3. Review the list of REST API routes and check the Allow box for endpoints the application requires.
  4. Copy the generated API Key for use in application headers.
  5. (Optional) Enter a Headless Frontend URL to configure redirects for visitors.

Screenshots

  • General Settings: The main configuration screen with the Master Switch and Redirect URL options.
  • Route Manager: The grid view for allowing or restricting specific API namespaces and endpoints.

Installation

  1. Upload the plugin files to the /wp-content/plugins/headless-rest-api-security directory, or install the plugin through the WordPress plugins screen.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress.
  3. Go to the Headless Security menu to configure allowed routes.

FAQ

Does this modify WordPress Core files?

No. The plugin uses standard WordPress hooks (rest_authentication_errors and template_redirect) to manage access.

Will this affect the Block Editor (Gutenberg)?

The plugin checks for logged-in users with the edit_posts capability, allowing the backend editor to function normally while restrictions are active.

Can I use this with custom endpoints?

Yes. Registered REST API routes appear in the settings list and can be allow-listed.

Where is the API Key placed?

The key is sent in the request header. Example:
X-API-KEY: your_generated_key_here
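The FAQ answers above describe the mechanism in one sentence each: a gate on the rest_authentication_errors filter, a template_redirect hook for the headless redirect, an edit_posts bypass for the Block Editor, and an X-API-KEY header for application callers. The following is an added illustration of how those pieces fit together as a WordPress mu-plugin; it is not the plugin's own code. The hook names, the header name and the edit_posts capability come from this page; the option names (hras_demo_*), the sample allow-list entries, the function names and the prefix-matching rule are assumptions made for the example.

```php
<?php
/**
 * Added illustration, not the plugin's own code: an allow-list gate built
 * from the hooks named in the FAQ (rest_authentication_errors and
 * template_redirect). Option names, sample routes and function names
 * below are assumptions for the example.
 */

// Hypothetical option holding the allow-listed route prefixes.
// The defaults are constructed sample values.
function hras_demo_allowed_routes() {
    $routes = get_option( 'hras_demo_allowed_routes', array( '/wp/v2/posts', '/wp/v2/media' ) );
    return array_map( 'hras_demo_normalize_route', (array) $routes );
}

// Normalise "/wp/v2/posts/" and "wp/v2/posts" to "/wp/v2/posts".
function hras_demo_normalize_route( $route ) {
    return '/' . trim( (string) $route, '/' );
}

// A route is allowed when it equals an entry or sits below it
// ("/wp/v2/posts/42" under "/wp/v2/posts"). A bare prefix test would also
// accept "/wp/v2/posts-extra", so the match is on the "/" boundary.
function hras_demo_route_is_allowed( $route, array $allowed ) {
    $route = hras_demo_normalize_route( $route );
    foreach ( $allowed as $entry ) {
        if ( $route === $entry || 0 === strpos( $route, $entry . '/' ) ) {
            return true;
        }
    }
    return false;
}

// Constant-time comparison of the presented key against the stored one.
function hras_demo_api_key_is_valid( $presented ) {
    $stored = (string) get_option( 'hras_demo_api_key', '' );
    if ( '' === $stored || ! is_string( $presented ) ) {
        return false;
    }
    return hash_equals( $stored, $presented );
}

// Priority 101: run after core's rest_cookie_check_errors (priority 100),
// so is_user_logged_in() reflects a nonce-verified editor session rather
// than a bare login cookie. Only a WP_Error from an earlier filter is final.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // 1. Editors keep full access so the Block Editor keeps working.
    if ( is_user_logged_in() && current_user_can( 'edit_posts' ) ) {
        return $result;
    }

    // 2. A valid X-API-KEY header (PHP exposes it as HTTP_X_API_KEY)
    //    identifies the frontend or a server-to-server caller.
    if ( isset( $_SERVER['HTTP_X_API_KEY'] ) && hras_demo_api_key_is_valid( $_SERVER['HTTP_X_API_KEY'] ) ) {
        return $result;
    }

    // 3. Everyone else only reaches explicitly allow-listed routes.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] ) ? $GLOBALS['wp']->query_vars['rest_route'] : '';
    if ( hras_demo_route_is_allowed( $route, hras_demo_allowed_routes() ) ) {
        return $result;
    }

    return new WP_Error(
        'rest_forbidden',
        __( 'This REST API route is not publicly accessible.' ),
        array( 'status' => 401 )
    );
}, 101 );

// Headless redirect: send visitors of the backend's public pages to the
// configured frontend, leaving wp-admin and the REST API itself alone.
add_action( 'template_redirect', function () {
    $frontend = (string) get_option( 'hras_demo_frontend_url', '' );
    if ( '' === $frontend || is_admin() || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ) {
        return;
    }
    // wp_redirect() rather than wp_safe_redirect(), because the frontend
    // normally lives on a different host than this WordPress install.
    wp_redirect( esc_url_raw( $frontend ), 302 );
    exit;
} );
```

Two points worth checking against any gate of this shape: the allow-list comparison must be on a path boundary rather than a plain prefix, and the editor bypass must be evaluated after core's cookie/nonce check, otherwise a browser that merely carries a login cookie (no nonce) is treated as an editor at the moment the decision is made.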

Reviews

February 4, 2026 (1 reply)
Great plugin. Simple setup, easy to use, and it effectively secures my site’s REST API. Highly recommend.

Contributors & Developers

“Headless REST API Security” is open source software. The following people have contributed to this plugin.


Changelog

2.3

  • Fix: Resolved a critical error on the settings page caused by third-party plugin conflicts with REST API initialization.
  • Fix: Resolved stable tag and version mismatch issues for WordPress.org compliance.

2.2

  • Updated UI styles for better accessibility.
  • Improved checkbox contrast.

2.1

  • Minor code improvements.

2.0

  • Added route allow-listing functionality.
  • Added headless frontend redirect feature.
  • Added admin bypass for authenticated users.

1.0

  • Initial release.