@ccurtin
Last active June 20, 2023 03:46
DISMISS PUBLIC ACCESS to the WordPress REST API; ONLY ALLOW API ACCESS VIA THE SAME DOMAIN. ALLOW ADMIN ACCESS FOR ALL THOUGH (so admins on dynamic IPs can still log in). *Ideally*, the server should be making the requests to the API, not the client/user; that way, all API access is invalid except from the server. Use CORS and this snippet to block all other WP access.
```apache
# - DISMISS PUBLIC ACCESS; ONLY ALLOW API ACCESS VIA OWN DOMAIN
# - ALLOW ADMIN ACCESS FOR ALL
#
# This example lives in the "public_html/api/" folder where
# the WP API is installed (per-directory .htaccess context, so the
# RewriteRule pattern is matched against paths relative to /api/).
#
# Note: the Referer header is supplied by the client, so this keeps out
# browsers on other sites and casual requests, not a client that sets its
# own headers; treat it as a first filter, not an authentication boundary.
#
RewriteEngine On
# If the referer is not its own domain.
# "https?" accepts both http and https (the original "http?" never matched
# an https:// Referer), the dot is escaped, and "(/|$)" stops look-alike
# hosts such as architectura.com.evil.example from matching.
RewriteCond %{HTTP_REFERER} !^https?://architectura\.com(/|$) [NC]
# Then answer 403 Forbidden, unless the request is for wp-admin or wp-login.php
RewriteRule !^(wp-admin|wp-login\.php) - [F,L,NC]
# Below would block access to ALL directories within "/api", including WP Login pages.
# RewriteRule ^ - [L,F]
```
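To see exactly which requests the two rewrite lines accept and reject, here is an added Python model of their decision logic (not part of the gist). It compares the `http?` Referer pattern as written with a corrected `https?` pattern over a few constructed requests, including an absent Referer and a look-alike hostname; the sample paths and Referer values are constructed for the demonstration.

```python
import re

# Constructed model of the gist's two rewrite lines: a request gets 403 when the
# Referer does not match the site's own origin AND the path is not wp-admin or
# wp-login.php. The hostname is the one used in the gist.
# Pattern as written in the gist: "http?" only makes the "p" optional, so an
# https:// Referer never matches and same-site HTTPS traffic is blocked.
REFERER_AS_WRITTEN = re.compile(r"^http?://architectura.com", re.IGNORECASE)
# Corrected pattern: optional "s", escaped dot, boundary after the hostname.
REFERER_FIXED = re.compile(r"^https?://architectura\.com(/|$)", re.IGNORECASE)
# Paths exempt from the block (the RewriteRule's negated pattern, [NC]).
ADMIN_PATHS = re.compile(r"^(wp-admin|wp-login\.php)", re.IGNORECASE)


def is_forbidden(path, referer, referer_pattern=REFERER_FIXED):
    """Return True when the rules would answer 403 Forbidden.

    path is relative to the /api/ directory (per-directory .htaccess context);
    referer is the raw Referer header, "" when the header is absent.
    """
    # RewriteCond "!^..." fires when the Referer does NOT match the own domain.
    # The Referer is client-supplied, so this only filters well-behaved clients.
    referer_is_foreign = referer_pattern.match(referer) is None
    # RewriteRule "!^(wp-admin|wp-login\.php)" applies [F] to every other path.
    path_is_admin = ADMIN_PATHS.match(path) is not None
    return referer_is_foreign and not path_is_admin


# Constructed sample requests: (path relative to /api/, Referer header).
SAMPLE_REQUESTS = [
    ("wp-json/wp/v2/users", "https://architectura.com/some-page"),    # same site, HTTPS
    ("wp-json/wp/v2/users", ""),                                       # no Referer (curl, script)
    ("wp-json/wp/v2/users", "http://architectura.com.evil.example/"),  # look-alike host
    ("wp-login.php", ""),                                              # admin login, any origin
    ("wp-admin/admin-ajax.php", "https://other.example/"),             # admin area, foreign origin
]


def decisions(referer_pattern=REFERER_FIXED):
    """Map each sample request to whether it would be forbidden."""
    return {(p, r): is_forbidden(p, r, referer_pattern) for p, r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, pattern in (("as written", REFERER_AS_WRITTEN), ("fixed", REFERER_FIXED)):
        print(f"--- {label} ---")
        for (path, referer), blocked in decisions(pattern).items():
            print(f"{'403' if blocked else '200':>3}  {path:<28} referer={referer!r}")
```

Running it shows the as-written pattern rejecting the site's own HTTPS traffic while letting the look-alike host through; the corrected pattern does the opposite, and admin paths pass in both cases regardless of Referer.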