Linux 软件免费装

Turn Off REST API

开发者 ksym04
更新时间 2026年6月28日 03:25
PHP版本: 7.4 及以上
WordPress版本: 7.0
版权: GPLv3
版权网址: 版权信息

标签

security json rest api disable rest api wp-json

下载

1.0.0 1.0.1 1.0.3 1.0.4 1.0.2 1.0.5 1.1.0 1.1.1

详情介绍:

Turn Off REST API is a lightweight WordPress security plugin that disables the WordPress REST API for visitors who are not logged in. Anonymous requests to your /wp-json endpoints receive an authentication error instead of your site data, while logged in users, your theme, and your plugins keep working normally. By default WordPress exposes a large amount of information through the REST API, including your list of user accounts and usernames, published content, and details about your site. For most sites that open, unauthenticated access is unnecessary and only widens the attack surface for user enumeration and content scraping. Turn Off REST API closes the WordPress REST API to the public in one click, then gives you a clear settings screen to reopen only the specific REST API routes you actually need. Why turn off the WordPress REST API? What it does Built for control, not breakage Some security plugins disable the REST API completely and break the block editor or third party integrations in the process. Turn Off REST API only blocks unauthenticated access, and the per route allow list means you can whitelist exactly the endpoints a service needs without opening the whole API back up. Developer friendly The access decision runs through the tora_grant_rest_api filter, so developers can extend or override the logic for custom roles, application passwords, or trusted requests.

安装:

  1. In your WordPress admin, go to Plugins, then Add New.
  2. Search for "Turn Off REST API".
  3. Click Install Now, then Activate.
  4. Go to Settings, then Turn Off REST API to review the route allow list. Unauthenticated access is disabled by default, so there is nothing else you need to do.
Manual installation:
  1. Download the plugin zip from WordPress.org.
  2. Upload the turn-off-rest-api folder to /wp-content/plugins/.
  3. Activate the plugin through the Plugins menu in WordPress.

升级注意事项:

1.1.1 Adds a More on DopeThemes panel to the settings screen. No functional changes to the REST API protection. 1.1.0 Adds a Site Health check and an option to control the REST API discovery links and headers. A safe, additive update. 1.0.5 Compatibility and security update: PHP 8 fix, WordPress 7.0 support, and hardened admin escaping. Recommended for all users.

常见问题:

How do I confirm the REST API is blocked?

Log out of your site (or open a private browser window) and visit https://your-site.com/wp-json. You should see an authentication error instead of a list of routes and data. Logged in users will still see the normal response.

Will this break the block editor (Gutenberg)?

No. The block editor runs as a logged in user, so it keeps full REST API access. Only unauthenticated requests are blocked.

I need one endpoint to stay public. Can I allow just that route?

Yes. Open Settings, then Turn Off REST API, check the route or namespace you want to keep open, and save. Everything else stays blocked.

Does it work on nginx as well as Apache?

Yes. The plugin works at the WordPress request level and does not depend on any web server configuration files.

Can developers customize who is allowed?

Yes. Use the tora_grant_rest_api filter to return true or false based on your own logic. By default it returns whether the current user is logged in.

更新日志:

1.1.1 1.1.0 1.0.5 1.0.4 1.0.3 1.0.2 1.0.1 1.0.0