DISMISS PUBLIC ACCESS to WordPress REST API; ONLY ALLOW API ACCESS VIA SAME DOMAIN. ALLOW ADMIN ACCESS FOR ALL THOUGH.... for dynamic IPs... *Ideally*, the Server should be making the requests to the API, not the Client/User. That way, all API access is invalid except from the server. Use CORS and this snippet to block all WP access though.
```apache
# - DISMISS PUBLIC ACCESS; ONLY ALLOW API ACCESS VIA OWN DOMAIN
# - ALLOW ADMIN ACCESS FOR ALL
#
# This example is in the "public_html/api/" folder where
# the WP API is installed.
#
# Note: the Referer header is supplied by the client, so this rule filters
# requests by what they claim; it does not authenticate them.
RewriteEngine On
# If the referer is not its own domain (http or https)
RewriteCond %{HTTP_REFERER} !^https?://architectura\.com([/:]|$) [NC]
# Then make it forbidden unless the request is for wp-admin or wp-login.php
RewriteRule !^(wp-admin|wp-login\.php) - [F,L,NC]
# Below would block access to ALL directories within "/api", including WP Login pages.
# RewriteRule ^ - [L,F]
```
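The following is an added example, not part of the gist: it models the `RewriteCond`/`RewriteRule` pair with Python's `re` so a Referer pattern can be checked against expected requests before it is deployed. It compares a loosely written pattern such as `^http?://architectura.com` with an anchored one; the sample requests and the function names are constructed for illustration.

```python
import re

# Path exemption from the RewriteRule. In .htaccess context the pattern is
# matched against the path relative to the directory (no leading slash).
EXEMPT = re.compile(r"^(wp-admin|wp-login\.php)", re.I)

# Two Referer patterns to compare ([NC] is modelled with re.I).
# LOOSE: "p?" makes the "p" optional instead of allowing "https", the dot
# matches any character, and nothing anchors the end of the host name.
LOOSE = re.compile(r"^http?://architectura.com", re.I)
# STRICT: http or https, literal dot, host must end at "/", ":" or end of string.
STRICT = re.compile(r"^https?://architectura\.com([/:]|$)", re.I)


def is_forbidden(path, referer, referer_re):
    """Return True when the rule pair would answer 403 for this request."""
    cond = referer_re.search(referer or "") is None  # RewriteCond ... !pattern
    rule = EXEMPT.search(path) is None                # RewriteRule !pattern
    return cond and rule


# Constructed sample requests: (path below /api/, Referer header value)
SAMPLES = [
    ("wp-json/wp/v2/posts", "http://architectura.com/"),
    ("wp-json/wp/v2/posts", "https://architectura.com/page"),
    ("wp-json/wp/v2/posts", "http://architectura.com.example.net/"),
    ("wp-json/wp/v2/posts", ""),
    ("wp-login.php", ""),
]


def report():
    """Return (path, referer, forbidden_by_loose, forbidden_by_strict) rows."""
    return [
        (p, r, is_forbidden(p, r, LOOSE), is_forbidden(p, r, STRICT))
        for p, r in SAMPLES
    ]


if __name__ == "__main__":
    for path, ref, loose, strict in report():
        print(f"{path:22} {ref or '(none)':40} loose={loose} strict={strict}")
```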