[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1FwSI01-MwyMLH6MlnX9SDGu0qNyRamF-uLQx89uAZU":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":20,"download_link":21,"security_score":11,"vuln_count":22,"unpatched_count":22,"last_vuln_date":23,"fetched_at":24,"vulnerabilities":25,"developer":26,"crawl_stats":23,"alternatives":34,"analysis":35,"fingerprints":81},"rest-api-guard","REST API Guard","1.4.1","Sean Fisher","https:\u002F\u002Fprofiles.wordpress.org\u002Fsean212\u002F","\u003Cp>Restrict and control access to the REST API.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Cp>The WordPress REST API is generally very public and can share a good deal of information with the internet anonymously. This plugin aims to make it easier to restrict access to the REST API for your WordPress site.\u003C\u002Fp>\n\u003Cp>Out of the box the plugin can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable anonymous access to the REST API.\u003C\u002Fli>\n\u003Cli>Restrict and control anonymous access to the REST API by namespace, path, etc.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Settings Page\u003C\u002Fh3>\n\u003Cp>The plugin can be configured via the Settings page (\u003Ccode>Settings -> REST API Guard\u003C\u002Fcode>) or via the relevant filter.\u003C\u002Fp>\n\u003Ch3>Preventing Access to User Information (\u003Ccode>wp\u002Fv2\u002Fusers\u003C\u002Fcode>)\u003C\u002Fh3>\n\u003Cp>By default, the plugin will restrict anonymous access to the users endpoint. 
This can be prevented in the plugin’s settings or via code:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter( 'rest_api_guard_allow_user_access', fn () => true );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Preventing Access to Index (\u003Ccode>\u002F\u003C\u002Fcode>) or Namespace Endpoints (\u003Ccode>wp\u002Fv2\u003C\u002Fcode>)\u003C\u002Fh3>\n\u003Cp>To prevent anonymous users from browsing your site and discovering what plugins\u002Fpost types are setup, the plugin restricts access to the index (\u003Ccode>\u002F\u003C\u002Fcode>) and namespace (\u003Ccode>wp\u002Fv2\u003C\u002Fcode>) endpoints. This can be prevented in the plugin’s settings or via code:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F\u002F Allow index access.\nadd_filter( 'rest_api_guard_allow_index_access', fn () => true );\n\n\u002F\u002F Allow namespace access.\nadd_filter( 'rest_api_guard_allow_namespace_access', fn ( string $namespace ) => true );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Restrict Anonymous Access to the REST API\u003C\u002Fh3>\n\u003Cp>The plugin can restrict anonymous access for any request to the REST API in the plugin’s settings or via code:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter( 'rest_api_guard_prevent_anonymous_access', fn () => true );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Limit Anonymous Access to Specific Namespaces\u002FRoutes (Allowlist)\u003C\u002Fh3>\n\u003Cp>Anonymous users can be granted access only to specific namespaces\u002Froutes. Requests outside of these paths will be denied. 
This can be configured in the plugin’s settings or via code:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter(\n    'rest_api_guard_anonymous_requests_allowlist',\n    function ( array $paths, WP_REST_Request $request ): array {\n        \u002F\u002F Allow only the paths listed here; any other path will be denied.\n        $paths[] = 'wp\u002Fv2\u002Fpost';\n        $paths[] = 'custom-namespace\u002Fv1\u002Fpublic\u002F*';\n\n        return $paths;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Restrict Anonymous Access to Specific Namespaces\u002FRoutes (Denylist)\u003C\u002Fh3>\n\u003Cp>Anonymous users can be restricted from specific namespaces\u002Froutes. This acts as\u003Cbr \u002F>\na denylist for specific paths that an anonymous user cannot access. The paths\u003Cbr \u002F>\nsupport regular expressions for matching. The use of the allowlist takes\u003Cbr \u002F>\npriority over this denylist. This can be configured in the plugin’s settings or\u003Cbr \u002F>\nvia code:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter(\n    'rest_api_guard_anonymous_requests_denylist',\n    function ( array $paths, WP_REST_Request $request ): array {\n        $paths[] = 'wp\u002Fv2\u002Fuser';\n        $paths[] = 'custom-namespace\u002Fv1\u002Fprivate\u002F*';\n\n        return $paths;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Require JSON Web Token (JWT) Authentication\u003C\u002Fh3>\n\u003Cp>Anonymous users can be required to authenticate via a JSON Web Token (JWT) to\u003Cbr \u002F>\naccess the REST API. Users should pass an \u003Ccode>Authorization: Bearer \u003Ctoken>\u003C\u002Fcode> header\u003Cbr \u002F>\nwith their request. 
This can be configured in the plugin’s settings or via code:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter( 'rest_api_guard_authentication_jwt', fn () => true );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Out of the box, the plugin will look for a JWT in the \u003Ccode>Authorization: Bearer\u003Cbr \u002F>\n\u003Ctoken>\u003C\u002Fcode> header. The JWT will be expected to have an audience of\u003Cbr \u002F>\n‘wordpress-rest-api’ and issuer of the site’s URL. This can be configured in the\u003Cbr \u002F>\nplugin’s settings or via code:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter(\n    'rest_api_guard_jwt_audience',\n    function ( string $audience ): string {\n        return 'custom-audience';\n    }\n);\n\nadd_filter(\n    'rest_api_guard_jwt_issuer',\n    function ( string $issuer ): string {\n        return 'https:\u002F\u002Fexample.com';\n    }\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>The JWT’s secret will be autogenerated and stored in the database in the\u003Cbr \u002F>\n    rest_api_guard_jwt_secret option. The secret can also be changed via code:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter(\n    'rest_api_guard_jwt_secret',\n    function ( string $secret ): string {\n        return 'my-custom-secret';\n    }\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Allow JWT Authentication for Authenticated Users\u003C\u002Fh3>\n\u003Cp>Authenticated users can be authenticated with the REST API via a JSON Web Token.\u003Cbr \u002F>\nSimilar to the anonymous JWT authentication, users should pass an\u003Cbr \u002F>\n    Authorization: Bearer  header with their request. 
This can be\u003Cbr \u002F>\nconfigured in the plugin’s settings or via code:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter( 'rest_api_guard_user_authentication_jwt', fn () => true );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Generating JWTs for Anonymous and Authenticated Users\u003C\u002Fh3>\n\u003Cp>JWTs can be generated by calling the\u003Cbr \u002F>\n    wp rest-api-guard generate-jwt [–user=] command or using the\u003Cbr \u002F>\n    Alley\\WP\\REST_API_Guard\\generate_jwt() method:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>$jwt = \\Alley\\WP\\REST_API_Guard\\generate_jwt(\n    expiration: 3600, \u002F\u002F Optional. The expiration time in seconds from now.\n    user: 1, \u002F\u002F Optional. The user ID to generate the JWT for. Supports `WP_User` or user ID.\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Restrict and control access to the REST API.",100,3587,2,"2025-09-09T20:00:00.000Z","6.8.5","6.5","8.1",[19,4],"alleyinteractive","https:\u002F\u002Fgithub.com\u002Falleyinteractive\u002Fwp-rest-api-guard","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frest-api-guard.1.4.1.zip",0,null,"2026-03-15T15:16:48.613Z",[],{"slug":27,"display_name":7,"profile_url":8,"plugin_count":28,"total_installs":29,"avg_security_score":30,"avg_patch_time_days":31,"trust_score":32,"computed_at":33},"sean212",5,10200,88,30,86,"2026-04-04T15:30:09.499Z",[],{"attackSurface":36,"codeSignals":57,"taintFlows":69,"riskAssessment":70,"analyzedAt":80},{"hooks":37,"ajaxHandlers":53,"restRoutes":54,"shortcodes":55,"cronEvents":56,"entryPointCount":22,"unprotectedCount":22},[38,45,50],{"type":39,"name":40,"callback":41,"priority":42,"file":43,"line":44},"filter","rest_pre_dispatch","anonymous",10,"plugin.php",39,{"type":46,"name":47,"callback":41,"file":48,"line":49},"action","admin_menu","settings.php",16,{"type":46,"name":51,"callback":41,"file":48,"line":52},"admin_init",17,[],[],[],[],{"dangerousFunctions":58,"sqlUsage":59,"outputEscaping":61,"fileOperations":22,"externalRequests
":22,"nonceChecks":22,"capabilityChecks":22,"bundledLibraries":68},[],{"prepared":22,"raw":22,"locations":60},[],{"escaped":62,"rawEcho":63,"locations":64},9,1,[65],{"file":66,"line":49,"context":67},"cli.php","raw output",[],[],{"summary":71,"deductions":72},"The static analysis of rest-api-guard v1.4.1 reveals a generally strong security posture. The plugin exhibits excellent practices regarding SQL queries, utilizing prepared statements exclusively, and demonstrates a high level of output escaping, with only one instance of potentially unescaped output. The absence of dangerous functions, file operations, external HTTP requests, and any identified taint flows further enhances its security.  Furthermore, the plugin has no recorded vulnerability history, including no known CVEs, which is a significant positive indicator.\n\nHowever, a notable concern arises from the complete lack of nonces and capability checks. While the plugin reports zero unprotected entry points, the absence of these fundamental security mechanisms means that all AJAX handlers, REST API routes, and other potential interaction points are not explicitly protected by WordPress's built-in security features. This could leave the plugin vulnerable to various attacks if any entry points were to be introduced or overlooked in future development. The lack of taint analysis results also means we cannot definitively rule out potential vulnerabilities that might not be caught by simple code signals. 
Therefore, while the current code appears clean and history is unblemished, the reliance on an assumed lack of direct exploitable entry points without explicit WordPress security checks is a weakness.",[73,75,77],{"reason":74,"points":42},"No nonce checks implemented",{"reason":76,"points":42},"No capability checks implemented",{"reason":78,"points":79},"Potential unescaped output found",3,"2026-03-16T20:46:13.701Z",{"wat":82,"direct":93},{"assetPaths":83,"generatorPatterns":86,"scriptPaths":87,"versionParams":89},[84,85],"\u002Fwp-content\u002Fplugins\u002Frest-api-guard\u002Fcss\u002Fadmin-style.css","\u002Fwp-content\u002Fplugins\u002Frest-api-guard\u002Fcss\u002Fsettings.css",[],[88],"\u002Fwp-content\u002Fplugins\u002Frest-api-guard\u002Fjs\u002Fsettings.js",[90,91,92],"rest-api-guard\u002Fcss\u002Fadmin-style.css?ver=","rest-api-guard\u002Fcss\u002Fsettings.css?ver=","rest-api-guard\u002Fjs\u002Fsettings.js?ver=",{"cssClasses":94,"htmlComments":96,"htmlAttributes":98,"restEndpoints":99,"jsGlobals":101,"shortcodeOutput":103},[95],"rest-api-guard-settings",[97],"REST API Guard Settings",[],[100],"\u002Fwp-json\u002Frest-api-guard\u002Fv1",[102],"rest_api_guard_settings",[]]