Control WordPress REST API Access
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /* | |
| Plugin Name: WP REST API Access | |
| Plugin URI: https://naomicbush.com | |
| Description: Control WordPress REST API Access | |
| Version: 1.0.0 | |
| Author: Naomi C. Bush | |
| Author URI: https://naomicbush.com | |
| */ | |
| /** | |
| * Why? | |
| * | |
| * https://wordpress.org/support/topic/anonymous-user-can-get-user-list-via-rest-api-is-it-a-bug-or-a-feature/ | |
| * | |
| * "only authors (users with published, publicly-available posts) are available when listing, and only information | |
| * that’s already public is shown. | |
| * | |
| * In particular, things like ID, username, display names, avatar URLs are all publicly-available via theme templates | |
| * and feeds. We took specific care when designing the API to only expose what was already there." | |
| * | |
| */ | |
| //Note that the use of an anonymous function only works on PHP7+ | |
| add_filter( 'rest_authentication_errors', function ( $result ) { | |
| if ( ! empty( $result ) ) { | |
| return $result; | |
| } | |
| if ( ! is_user_logged_in() && ! current_user_can( 'administrator' ) ) { | |
| return new WP_Error( 'rest_disabled', 'The REST API is unavailable.', array( 'status' => 401 ) ); | |
| } | |
| return $result; | |
| } ); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment