Control WordPress REST API Access
| <?php | |
| /* | |
| Plugin Name: WP REST API Access | |
| Plugin URI: https://naomicbush.com | |
| Description: Control WordPress REST API Access | |
| Version: 1.0.0 | |
| Author: Naomi C. Bush | |
| Author URI: https://naomicbush.com | |
| */ | |
| /** | |
| * Why? | |
| * | |
| * https://wordpress.org/support/topic/anonymous-user-can-get-user-list-via-rest-api-is-it-a-bug-or-a-feature/ | |
| * | |
| * "only authors (users with published, publicly-available posts) are available when listing, and only information | |
| * that’s already public is shown. | |
| * | |
| * In particular, things like ID, username, display names, avatar URLs are all publicly-available via theme templates | |
| * and feeds. We took specific care when designing the API to only expose what was already there." | |
| * | |
| */ | |
| //Note that the use of an anonymous function only works on PHP7+ | |
| add_filter( 'rest_authentication_errors', function ( $result ) { | |
| if ( ! empty( $result ) ) { | |
| return $result; | |
| } | |
| if ( ! is_user_logged_in() && ! current_user_can( 'administrator' ) ) { | |
| return new WP_Error( 'rest_disabled', 'The REST API is unavailable.', array( 'status' => 401 ) ); | |
| } | |
| return $result; | |
| } ); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment