Control WordPress REST API Access
<?php
/*
Plugin Name: WP REST API Access
Plugin URI: https://naomicbush.com
Description: Control WordPress REST API Access
Version: 1.0.0
Author: Naomi C. Bush
Author URI: https://naomicbush.com
*/

/**
 * Why?
 *
 * https://wordpress.org/support/topic/anonymous-user-can-get-user-list-via-rest-api-is-it-a-bug-or-a-feature/
 *
 * "only authors (users with published, publicly-available posts) are available when listing, and only information
 * that’s already public is shown.
 *
 * In particular, things like ID, username, display names, avatar URLs are all publicly-available via theme templates
 * and feeds. We took specific care when designing the API to only expose what was already there."
 *
 */

// Note: anonymous functions (closures) require PHP 5.3+.
add_filter( 'rest_authentication_errors', function ( $result ) {
	// An earlier authentication check already returned a result (an error or an explicit pass); keep it.
	if ( ! empty( $result ) ) {
		return $result;
	}

	// Reject requests that carry no logged-in user. current_user_can() is always false for an
	// anonymous request, so the second test never changes the outcome: any logged-in user,
	// administrator or not, still reaches the REST API.
	if ( ! is_user_logged_in() && ! current_user_can( 'administrator' ) ) {
		return new WP_Error( 'rest_disabled', 'The REST API is unavailable.', array( 'status' => 401 ) );
	}

	return $result;
} );