Create a gist now

Instantly share code, notes, and snippets.

Control WordPress REST API Access
<?php
/*
Plugin Name: WP REST API Access
Plugin URI: https://naomicbush.com
Description: Control WordPress REST API Access
Version: 1.0.0
Author: Naomi C. Bush
Author URI: https://naomicbush.com
*/
/**
* Why?
*
* https://wordpress.org/support/topic/anonymous-user-can-get-user-list-via-rest-api-is-it-a-bug-or-a-feature/
*
* "only authors (users with published, publicly-available posts) are available when listing, and only information
* that’s already public is shown.
*
* In particular, things like ID, username, display names, avatar URLs are all publicly-available via theme templates
* and feeds. We took specific care when designing the API to only expose what was already there."
*
*/
//Note that the use of an anonymous function only works on PHP7+
add_filter( 'rest_authentication_errors', function ( $result ) {
if ( ! empty( $result ) ) {
return $result;
}
if ( ! is_user_logged_in() && ! current_user_can( 'administrator' ) ) {
return new WP_Error( 'rest_disabled', 'The REST API is unavailable.', array( 'status' => 401 ) );
}
return $result;
} );
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment