{"id":274801,"date":"2026-01-20T17:48:58","date_gmt":"2026-01-20T17:48:58","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/headless-rest-api-security\/"},"modified":"2026-02-22T18:49:20","modified_gmt":"2026-02-22T18:49:20","slug":"headless-rest-api-security","status":"publish","type":"plugin","link":"https:\/\/ro.wordpress.org\/plugins\/headless-rest-api-security\/","author":23365064,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"2.2","stable_tag":"2.3","tested":"6.9.4","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"Headless REST API Security","header_author":"Md. Rakib Ullah","header_description":"Secure your Headless WordPress REST API by disabling public access, enabling strict route whitelisting, and managing API authentication keys.","assets_banners_color":"225376","last_updated":"2026-02-22 18:49:20","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/wordpress.org\/plugins\/headless-rest-api-security\/","header_author_uri":"https:\/\/www.linkedin.com\/in\/rakib417\/","rating":5,"author_block_rating":0,"active_installs":20,"downloads":333,"num_ratings":1,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"2.0":{"tag":"2.0","author":"rakib417","date":"2026-01-20 18:07:27"},"2.3":{"tag":"2.3","author":"rakib417","date":"2026-02-22 18:49:20"}},"upgrade_notice":[],"ratings":{"1":0,"2":0,"3":0,"4":0,"5":1},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3443475,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3443475,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3443475,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3443475,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["2.0","2.3"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3443475,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3443475,"resolution":"2","location":"assets","locale":""}},"screenshots":{"1":"General Settings:<\/strong> The main configuration screen with the Master Switch and Redirect URL options.","2":"Route Manager:<\/strong> The grid view for allowing or restricting specific API namespaces and endpoints."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[1912,710,141196,895,23853],"plugin_category":[38,54],"plugin_contributors":[254342],"plugin_business_model":[],"class_list":["post-274801","plugin","type-plugin","status-publish","hentry","plugin_tags-access-control","plugin_tags-authentication","plugin_tags-headless","plugin_tags-permissions","plugin_tags-rest-api","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-rakib417","plugin_committers-rakib417"],"banners":{"banner":"https:\/\/ps.w.org\/headless-rest-api-security\/assets\/banner-772x250.png?rev=3443475","banner_2x":"https:\/\/ps.w.org\/headless-rest-api-security\/assets\/banner-1544x500.png?rev=3443475","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/headless-rest-api-security\/assets\/icon-128x128.png?rev=3443475","icon_2x":"https:\/\/ps.w.org\/headless-rest-api-security\/assets\/icon-256x256.png?rev=3443475","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/headless-rest-api-security\/assets\/screenshot-1.png?rev=3443475","caption":"General Settings:<\/strong> The main configuration screen with the Master Switch and Redirect URL options."},{"src":"https:\/\/ps.w.org\/headless-rest-api-security\/assets\/screenshot-2.png?rev=3443475","caption":"Route Manager:<\/strong> The grid view for allowing or restricting specific API namespaces and endpoints."}],"raw_content":"\n

Running a Headless WordPress site often involves exposing the REST API. Headless REST API Security provides tools for administrators to control which endpoints are accessible to the public or external applications.<\/p>\n\n

This plugin restricts public access to REST API endpoints by default and offers a settings interface to allow-list only the specific routes required by a frontend application (such as Next.js, Gatsby, or mobile apps).<\/p>\n\n

Features<\/h3>\n\n
    \n
  • Access Control:<\/strong> Restrict default public access to REST API endpoints.<\/li>\n
  • Route Allow-Listing:<\/strong> Specific API routes (e.g., \/wp\/v2\/posts<\/code>) can be enabled while others remain restricted.<\/li>\n
  • API Key Authentication:<\/strong> Supports an X-API-KEY<\/code> header for server-to-server or frontend requests.<\/li>\n
  • Headless Redirect:<\/strong> Option to redirect users accessing the backend API URL to a specified frontend domain.<\/li>\n
  • Admin Access:<\/strong> Logged-in Administrators and Editors retain access to the API to support the Block Editor (Gutenberg) functionality.<\/li>\n
  • Plugin Support:<\/strong> Detects routes registered by third-party plugins for configuration.<\/li>\n<\/ul>\n\n

    Usage<\/h3>\n\n
      \n
    1. Navigate to Settings > Headless Security<\/strong> in the WordPress dashboard.<\/li>\n
    2. Enable the Master Switch<\/strong> to activate the access restrictions.<\/li>\n
    3. Review the list of REST API routes and check the Allow<\/strong> box for endpoints the application requires.<\/li>\n
    4. Copy the generated API Key<\/strong> for use in application headers.<\/li>\n
    5. (Optional) Enter a Headless Frontend URL<\/strong> to configure redirects for visitors.<\/li>\n<\/ol>\n\n\n
        \n
      1. Upload the plugin files to the \/wp-content\/plugins\/headless-rest-api-security<\/code> directory, or install the plugin through the WordPress plugins screen.<\/li>\n
      2. Activate the plugin through the 'Plugins' screen in WordPress.<\/li>\n
      3. Go to the Headless Security<\/strong> menu to configure allowed routes.<\/li>\n<\/ol>\n\n\n
        \n

        Does this modify WordPress Core files?<\/h3><\/dt>\n

        No. The plugin uses standard WordPress hooks (rest_authentication_errors<\/code> and template_redirect<\/code>) to manage access.<\/p><\/dd>\n

        Will this affect the Block Editor (Gutenberg)?<\/h3><\/dt>\n

        The plugin checks for logged-in users with the edit_posts<\/code> capability, allowing the backend editor to function normally while restrictions are active.<\/p><\/dd>\n

        Can I use this with custom endpoints?<\/h3><\/dt>\n

        Yes. Registered REST API routes appear in the settings list and can be allow-listed.<\/p><\/dd>\n

        Where is the API Key placed?<\/h3><\/dt>\n

        The key is sent in the request header. Example:\n X-API-KEY: your_generated_key_here<\/p><\/dd>\n\n<\/dl>\n\n\n

        2.3<\/h4>\n\n
          \n
        • Fix: Resolved a critical error on the settings page caused by third-party plugin conflicts with REST API initialization.<\/li>\n
        • Fix: Resolved stable tag and version mismatch issues for WordPress.org compliance.<\/li>\n<\/ul>\n\n

          2.2<\/h4>\n\n
            \n
          • Updated UI styles for better accessibility.<\/li>\n
          • Improved checkbox contrast.<\/li>\n<\/ul>\n\n

            2.1<\/h4>\n\n
              \n
            • Minor code improvements.<\/li>\n<\/ul>\n\n

              2.0<\/h4>\n\n
                \n
              • Added route allow-listing functionality.<\/li>\n
              • Added headless frontend redirect feature.<\/li>\n
              • Added admin bypass for authenticated users.<\/li>\n<\/ul>\n\n

                1.0<\/h4>\n\n
                  \n
                • Initial release.<\/li>\n<\/ul>","raw_excerpt":"Manage access to the WordPress REST API by restricting public endpoints, enabling specific route allow-listing, and handling API key authentication.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ro.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/274801","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ro.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ro.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ro.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=274801"}],"author":[{"embeddable":true,"href":"https:\/\/ro.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/rakib417"}],"wp:attachment":[{"href":"https:\/\/ro.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=274801"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ro.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=274801"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ro.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=274801"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ro.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=274801"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ro.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=274801"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ro.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=274801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}