{"id":19107777,"url":"https://github.com/alleyinteractive/wp-rest-api-guard","last_synced_at":"2025-04-30T18:50:04.975Z","repository":{"id":60860730,"uuid":"546230811","full_name":"alleyinteractive/wp-rest-api-guard","owner":"alleyinteractive","description":"Restrict and control access to the REST API","archived":false,"fork":false,"pushed_at":"2024-07-03T16:34:05.000Z","size":294,"stargazers_count":11,"open_issues_count":1,"forks_count":1,"subscribers_count":24,"default_branch":"develop","last_synced_at":"2024-09-25T22:25:45.822Z","etag":null,"topics":["rest-api","wordpress","wordpress-plugin"],"latest_commit_sha":null,"homepage":"https://wordpress.org/plugins/rest-api-guard/","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alleyinteractive.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-10-05T18:50:56.000Z","updated_at":"2024-07-12T20:56:02.000Z","dependencies_parsed_at":"2024-03-20T16:44:35.056Z","dependency_job_id":null,"html_url":"https://github.com/alleyinteractive/wp-rest-api-guard","commit_stats":{"total_commits":38,"total_committers":2,"mean_commits":19.0,"dds":"0.13157894736842102","last_synced_commit":"96cd03265fd7644f69f5a1330b6db9d615998458"},"previous_names":[],"tags_count":13,"template":false,"template_full_name":"alleyinteractive/create-wordpress-plugin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alleyinteractive%2Fwp-rest-api-guard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alleyinteractive%2Fwp-rest-api-guard/tags","releases_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/alleyinteractive%2Fwp-rest-api-guard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alleyinteractive%2Fwp-rest-api-guard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alleyinteractive","download_url":"https://codeload.github.com/alleyinteractive/wp-rest-api-guard/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223783042,"owners_count":17201915,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["rest-api","wordpress","wordpress-plugin"],"created_at":"2024-11-09T04:13:55.249Z","updated_at":"2024-11-09T04:13:55.851Z","avatar_url":"https://github.com/alleyinteractive.png","language":"PHP","readme":"# REST API Guard\n\nStable tag: 1.3.2\n\nRequires at least: 6.0\n\nTested up to: 6.0\n\nRequires PHP: 8.0\n\nLicense: GPL v2 or later\n\nTags: alleyinteractive, rest-api-guard\n\nContributors: sean212\n\n[![Coding Standards](https://github.com/alleyinteractive/wp-rest-api-guard/actions/workflows/coding-standards.yml/badge.svg)](https://github.com/alleyinteractive/wp-rest-api-guard/actions/workflows/coding-standards.yml)\n[![Testing Suite](https://github.com/alleyinteractive/wp-rest-api-guard/actions/workflows/unit-test.yml/badge.svg)](https://github.com/alleyinteractive/wp-rest-api-guard/actions/workflows/unit-test.yml)\n\nRestrict and control access to the REST API.\n\n## Installation\n\nYou can install the package via composer:\n\n```bash\ncomposer require alleyinteractive/wp-rest-api-guard\n```\n\n## 
Usage\n\nThe WordPress REST API is generally very public and can share a good deal of\ninformation with the internet anonymously. This plugin aims to make it easier to\nrestrict access to the REST API for your WordPress site.\n\nOut of the box the plugin can:\n\n- Disable anonymous access to the REST API.\n- Restrict and control anonymous access to the REST API by namespace, path, etc.\n\n### Settings Page\n\nThe plugin can be configured via the Settings page (`Settings -\u003e REST API\nGuard`) or via the relevant filter.\n\n![Screenshot of plugin settings screen](https://user-images.githubusercontent.com/346399/194411352-aa05e939-3fd1-4e37-a3d5-276c1c5c288f.png)\n\n### Preventing Access to User Information (`wp/v2/users`)\n\nBy default, the plugin will restrict anonymous access to the users endpoint.\nThis can be prevented in the plugin's settings or via code:\n\n```php\nadd_filter( 'rest_api_guard_allow_user_access', fn () =\u003e true );\n```\n\n### Preventing Access to Index (`/`) or Namespace Endpoints (`wp/v2`)\n\nTo prevent anonymous users from browsing your site and discovering what plugins/post types are set up, the plugin restricts access to the index (`/`) and namespace (`wp/v2`) endpoints. This can be prevented in the plugin's settings or via code:\n\n```php\n// Allow index access.\nadd_filter( 'rest_api_guard_allow_index_access', fn () =\u003e true );\n\n// Allow namespace access.\nadd_filter( 'rest_api_guard_allow_namespace_access', fn ( string $namespace ) =\u003e true );\n```\n\n### Restrict Anonymous Access to the REST API\n\nThe plugin can restrict anonymous access for any request to the REST API in the plugin's settings or via code:\n\n```php\nadd_filter( 'rest_api_guard_prevent_anonymous_access', fn () =\u003e true );\n```\n\n### Limit Anonymous Access to Specific Namespaces/Routes (Allowlist)\n\nAnonymous users can be granted access only to specific namespaces/routes.\nRequests outside of these paths will be denied. 
This can be configured in the\nplugin's settings or via code:\n\n```php\nadd_filter(\n\t'rest_api_guard_anonymous_requests_allowlist',\n\tfunction ( array $paths, WP_REST_Request $request ): array {\n\t\t// Allowed paths. Any path not included here will be denied.\n\t\t$paths[] = 'wp/v2/post';\n\t\t$paths[] = 'custom-namespace/v1/public/*';\n\n\t\treturn $paths;\n\t},\n\t10,\n\t2\n);\n```\n\n### Restrict Anonymous Access to Specific Namespaces/Routes (Denylist)\n\nAnonymous users can be restricted from specific namespaces/routes. This acts as\na denylist for specific paths that an anonymous user cannot access. The paths\nsupport regular expressions for matching. The use of the\n[Allowlist](#limit-anonymous-access-to-specific-namespacesroutes-allowlist)\ntakes priority over this denylist. This can be configured in the plugin's\nsettings or via code:\n\n```php\nadd_filter(\n\t'rest_api_guard_anonymous_requests_denylist',\n\tfunction ( array $paths, WP_REST_Request $request ): array {\n\t\t$paths[] = 'wp/v2/user';\n\t\t$paths[] = 'custom-namespace/v1/private/*';\n\n\t\treturn $paths;\n\t},\n\t10,\n\t2\n);\n```\n\n### Require JSON Web Token (JWT) Authentication for Anonymous Users\n\nAnonymous users can be required to authenticate via a JSON Web Token (JWT) to\naccess the REST API. Users should pass an `Authorization: Bearer \u003ctoken\u003e` header\nwith their request. This can be configured in the plugin's settings or via code:\n\n```php\nadd_filter( 'rest_api_guard_authentication_jwt', fn () =\u003e true );\n```\n\nOut of the box, the plugin will look for a JWT in the `Authorization: Bearer\n\u003ctoken\u003e` header. The JWT will be expected to have an audience of\n'wordpress-rest-api' and issuer of the site's URL. 
This can be configured in the\nplugin's settings or via code:\n\n```php\nadd_filter( 'rest_api_guard_jwt_audience', fn ( string $audience ) =\u003e 'custom-audience' );\n\nadd_filter( 'rest_api_guard_jwt_issuer', fn ( string $issuer ) =\u003e 'https://example.com' );\n```\n\nThe JWT's secret will be autogenerated and stored in the\n`rest_api_guard_jwt_secret` option. The secret can also be filtered via code:\n\n```php\nadd_filter( 'rest_api_guard_jwt_secret', fn ( string $secret ) =\u003e 'my-custom-secret' );\n```\n\n### Allow JWT Authentication for Authenticated Users\n\nAuthenticated users can be authenticated with the REST API via a JSON Web Token.\nSimilar to the anonymous JWT authentication, users should pass an\n`Authorization: Bearer \u003ctoken\u003e` header with their request. This can be\nconfigured in the plugin's settings or via code:\n\n```php\nadd_filter( 'rest_api_guard_user_authentication_jwt', fn () =\u003e true );\n```\n\n### Generating JWTs for Anonymous and Authenticated Users\n\nJWTs can be generated by calling the `wp rest-api-guard generate-jwt [--user=\u003cuser_id\u003e]`\ncommand or using the `Alley\\WP\\REST_API_Guard\\generate_jwt()` method:\n\n```php\n$jwt = \\Alley\\WP\\REST_API_Guard\\generate_jwt(\n\texpiration: 3600, // Optional. The expiration time in seconds from now.\n\tuser: 1, // Optional. The user ID to generate the JWT for. Supports `WP_User` or user ID.\n);\n```\n\n## Testing\n\nRun `composer test` to run tests against PHPUnit and the PHP code in the plugin.\n\n## Changelog\n\nPlease see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.\n\n## Credits\n\nThis project is actively maintained by [Alley\nInteractive](https://github.com/alleyinteractive). Like what you see? 
[Come work\nwith us](https://alley.co/careers/).\n\n![Alley logo](https://avatars.githubusercontent.com/u/1733454?s=200\u0026v=4)\n\n- [Sean Fisher](https://github.com/srtfisher)\n- [All Contributors](../../contributors)\n\n## License\n\nThe GNU General Public License (GPL) license. Please see [License File](LICENSE) for more information.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falleyinteractive%2Fwp-rest-api-guard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falleyinteractive%2Fwp-rest-api-guard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falleyinteractive%2Fwp-rest-api-guard/lists"}