[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFiukO3sbd9KDaR5_t7mbfrkQYpuEK22qHtgHAZb-OXY":3,"$fraohwvlv3bgTwFJE-mBhdPBCGxAEIY7V2HtaznQ4ERw":175,"$f0RY6JMoohwrk_6rGZOIxlV_M4_zWQS1sNT6_jHJP7QU":180},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":23,"download_link":24,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":30,"crawl_stats":26,"alternatives":35,"analysis":135,"fingerprints":161},"rest-api-only","REST API Only","1.0.2","jakubkanna","https:\u002F\u002Fprofiles.wordpress.org\u002Fjakubkanna\u002F","\u003Cp>This plugin forces all non-admin, non-AJAX, and non-REST API requests to return a 404 status code.\u003Cbr \u002F>\nIdeal for headless WordPress environments or sites that should expose only the API.\u003C\u002Fp>\n","Force all non-admin, non-AJAX, and non-REST API requests to return a 404 for headless or API-only 
sites.",0,152,"2025-12-17T12:58:00.000Z","6.9.4","5.0","",[18,19,20,21,22],"404","api","headless","rest","security","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Frest-api-only\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frest-api-only.1.0.2.zip",100,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":31,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":32,"trust_score":33,"computed_at":34},4,30,94,"2026-05-20T00:14:14.593Z",[36,53,77,100,120],{"slug":37,"name":38,"version":39,"author":40,"author_profile":41,"description":42,"short_description":43,"active_installs":11,"downloaded":44,"rating":11,"num_ratings":11,"last_updated":45,"tested_up_to":14,"requires_at_least":46,"requires_php":47,"tags":48,"homepage":16,"download_link":52,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"headlesskey-jwt-auth","HeadlessKey – JWT Auth","1.0.0","Hidayat Mahetar","https:\u002F\u002Fprofiles.wordpress.org\u002Fhidayatsafewp\u002F","\u003Cp>\u003Cstrong>HeadlessKey – JWT Auth\u003C\u002Fstrong> extends the REST API to provide a robust and secure authentication system using JSON Web Tokens (JWT). 
Designed for Headless WordPress, it enables seamless user authentication, registration, and session management via standard REST endpoints.\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Standard JWT Authentication\u003C\u002Fstrong>: Secure user authentication using industry-standard RFC 7519 tokens.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple Algorithms\u003C\u002Fstrong>: Support for \u003Ccode>HS256\u003C\u002Fcode>, \u003Ccode>RS256\u003C\u002Fcode>, and \u003Ccode>ES256\u003C\u002Fcode> signing algorithms.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Comprehensive Endpoints\u003C\u002Fstrong>: Ready-to-use endpoints for Login, Register, Token Refresh, and Password Management.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Single Sign-On (SSO)\u003C\u002Fstrong>: Connect multiple sites with a secure, headers-based SSO exchange mechanism.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role-Based Access Control (RBAC)\u003C\u002Fstrong>: Configure public or authenticated access for every endpoint.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Brute Force Protection\u003C\u002Fstrong>: Protects against attacks by locking users\u002FIPs after failed attempts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Activity Logs\u003C\u002Fstrong>: Detailed audit trail of all authentication events, including IP and device data.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Webhooks\u003C\u002Fstrong>: Real-time JSON events sent to your external services for monitoring key actions.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Device Limits\u003C\u002Fstrong>: Restrict the number of active devices\u002Fsessions per user.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer Friendly\u003C\u002Fstrong>: Extensive hooks and filters for deep customization.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Configuration\u003C\u002Fh3>\n\u003Ch3>Secret Key\u003C\u002Fh3>\n\u003Cp>The plugin uses a secret key to sign tokens. By default, a secure random key is generated. 
For better security and consistency across environments, define your key in \u003Ccode>wp-config.php\u003C\u002Fcode>:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_SECRET_KEY', 'your-long-random-secure-string');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>You can generate a strong salt here: \u003Ca href=\"https:\u002F\u002Fapi.wordpress.org\u002Fsecret-key\u002F1.1\u002Fsalt\u002F\" rel=\"nofollow ugc\">WordPress Salt Generator\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>CORS Support\u003C\u002Fh3>\n\u003Cp>Cross-Origin Resource Sharing (CORS) is enabled by default to allow frontend applications to connect. To disable or customize it via constant:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_CORS', true); \u002F\u002F or false to disable\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>REST API Namespace\u003C\u002Fh3>\n\u003Cp>By default, endpoints are under \u003Ccode>wp-json\u002Fwpauthapi\u002Fv1\u003C\u002Fcode>. You can customize this namespace:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define('headlesskey_REST_NAMESPACE', 'my-custom-auth');\ndefine('headlesskey_REST_VERSION', 'v2');\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch3>Endpoints\u003C\u002Fh3>\n\u003Cp>The plugin adds the following endpoints under the \u003Ccode>\u002Fwp-json\u002Fheadlesskey\u002Fv1\u003C\u002Fcode> namespace:\u003C\u002Fp>\n\u003Cp>  Endpoint\u003Cbr \u002F>\n  HTTP Verb\u003Cbr \u002F>\n  Description\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Login\u003C\u002Fstrong>: Exchange username\u002Fpassword for a JWT.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u002Fvalidate\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Validate\u003C\u002Fstrong>: Check whether a token is valid.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u002Frefresh\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Refresh\u003C\u002Fstrong>: Exchange a valid token for a new one 
(rotation).\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Ftoken\u002Frevoke\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Logout\u003C\u002Fstrong>: Invalidate a specific token.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fregister\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Register\u003C\u002Fstrong>: Create a new user account.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Flogin\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Profile\u003C\u002Fstrong>: Login and get full user profile data in one request.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fforgot-password\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Recover\u003C\u002Fstrong>: Request a password reset via Link or OTP.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Freset-password\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Reset\u003C\u002Fstrong>: Set a new password using a token or OTP.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fchange-password\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>Update\u003C\u002Fstrong>: Change password for authenticated user.\u003C\u002Fp>\n\u003Cp>  \u003Ccode>\u002Fsso\u002Fexchange\u003C\u002Fcode>\u003Cbr \u002F>\n  POST\u003Cbr \u002F>\n  \u003Cstrong>SSO\u003C\u002Fstrong>: Exchange a remote site token for a local session.\u003C\u002Fp>\n\u003Ch3>1. 
Login (Generate Token)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Authenticate a user and generate a JWT token.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"username\": \"admin\",\u003Cbr \u002F>\n  \"password\": \"secret-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\",\u003Cbr \u002F>\n  \"expiration\": \"2023-10-27T10:00:00+00:00\",\u003Cbr \u002F>\n  \"expires_in\": 3600,\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 1,\u003Cbr \u002F>\n    \"user_login\": \"admin\",\u003Cbr \u002F>\n    \"user_email\": \"admin@example.com\",\u003Cbr \u002F>\n    \"display_name\": \"Administrator\",\u003Cbr \u002F>\n    \"roles\": [\"administrator\"]\u003Cbr \u002F>\n  },\u003Cbr \u002F>\n  \"refreshable\": true,\u003Cbr \u002F>\n  \"jti\": \"545086b9-450f-488b-a70d-3047d14d1101\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>2. 
Validate Token\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Fvalidate\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Validate if an existing token is valid.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"valid\": true,\u003Cbr \u002F>\n  \"data\": {\u003Cbr \u002F>\n    \"iss\": \"https:\u002F\u002Fexample.com\",\u003Cbr \u002F>\n    \"iat\": 1698393600,\u003Cbr \u002F>\n    \"exp\": 1698397200,\u003Cbr \u002F>\n    \"data\": {\u003Cbr \u002F>\n      \"ID\": 1,\u003Cbr \u002F>\n      \"user_login\": \"admin\"\u003Cbr \u002F>\n    }\u003Cbr \u002F>\n  }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>3. 
Refresh Token\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Frefresh\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Rotate an expiring token for a fresh one.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.new...\",\u003Cbr \u002F>\n  \"expiration\": \"2023-10-27T11:00:00+00:00\",\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 1,\u003Cbr \u002F>\n    \"user_login\": \"admin\"\u003Cbr \u002F>\n  },\u003Cbr \u002F>\n  \"jti\": \"new-uuid-v4\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>4. Revoke Token (Logout)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Ftoken\u002Frevoke\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Invalidate a token immediately.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Token revoked successfully.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>5. 
Register User\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fregister\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Create a new user account.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"username\": \"johndoe\",\u003Cbr \u002F>\n  \"email\": \"john@example.com\",\u003Cbr \u002F>\n  \"password\": \"secure-password\",\u003Cbr \u002F>\n  \"name\": \"John Doe\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"user_id\": 45,\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 45,\u003Cbr \u002F>\n    \"user_login\": \"johndoe\",\u003Cbr \u002F>\n    \"user_email\": \"john@example.com\",\u003Cbr \u002F>\n    \"display_name\": \"John Doe\",\u003Cbr \u002F>\n    \"roles\": [\"subscriber\"]\u003Cbr \u002F>\n  },\u003Cbr \u002F>\n  \"token_response\": {\u003Cbr \u002F>\n    \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOi...\",\u003Cbr \u002F>\n    \"expiration\": \"2023-10-27T10:00:00+00:00\"\u003Cbr \u002F>\n  }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>6. 
User Profile (Login Extended)\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Flogin\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Alternative login endpoint that returns cleaner profile structure.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"username\": \"admin\",\u003Cbr \u002F>\n  \"password\": \"secret-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"token\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...\",\u003Cbr \u002F>\n  \"expiration\": \"2023-10-27T10:00:00+00:00\",\u003Cbr \u002F>\n  \"user\": {\u003Cbr \u002F>\n    \"ID\": 1,\u003Cbr \u002F>\n    \"user_login\": \"admin\",\u003Cbr \u002F>\n    \"user_email\": \"admin@example.com\",\u003Cbr \u002F>\n    \"display_name\": \"Administrator\",\u003Cbr \u002F>\n    \"roles\": [\"administrator\"]\u003Cbr \u002F>\n  }\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>7. Forgot Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fforgot-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Initiate password recovery. 
Note: \u003Ccode>delivery\u003C\u002Fcode> can be \u003Ccode>link\u003C\u002Fcode> or \u003Ccode>otp\u003C\u002Fcode>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"login\": \"admin@example.com\",\u003Cbr \u002F>\n  \"delivery\": \"link\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password reset email sent.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>8. Reset Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Freset-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Reset password using the token sent via email or OTP.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request (Link method):\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"login\": \"admin@example.com\",\u003Cbr \u002F>\n  \"password\": \"new-secure-password\",\u003Cbr \u002F>\n  \"token\": \"generated-reset-key\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password updated successfully.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>9. Change Password\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fchange-password\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Change password for currently authenticated user. 
Requires \u003Ccode>Authorization\u003C\u002Fcode> header.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Headers:\u003C\u002Fstrong>\u003Cbr \u002F>\n    Authorization: Bearer \u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"current_password\": \"old-password\",\u003Cbr \u002F>\n  \"new_password\": \"new-secure-password\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"message\": \"Password changed successfully. Please login again.\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Ch3>10. SSO Token Exchange\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Endpoint:\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fheadlesskey\u002Fv1\u002Fsso\u002Fexchange\u003C\u002Fcode>\u003Cbr \u002F>\n\u003Cstrong>Description:\u003C\u002Fstrong> Securely exchange a token from a connected remote site for a local authentication session. 
This powers the distributed Single Sign-On network.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Request:\u003C\u002Fstrong>\u003Cbr \u002F>\n    \u003Ccode>json\u003Cbr \u002F>\n{\u003Cbr \u002F>\n  \"site_key\": \"remote-site-id\",\u003Cbr \u002F>\n  \"token\": \"remote-jwt-token\",\u003Cbr \u002F>\n  \"signature\": \"hmac-sha256-signature\"\u003Cbr \u002F>\n}\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Response:\u003C\u002Fstrong>\u003Cbr \u002F>\nReturns a standard \u003Cstrong>Login\u003C\u002Fstrong> response (Token + User Data) if the signature is valid.\u003C\u002Fp>\n","A complete authentication solution for Headless WordPress applications using JWT, supporting Registration, SSO, RBAC, and advanced Security features.",210,"2026-02-08T10:59:00.000Z","6.0","8.0",[49,20,50,51,22],"authentication","jwt","rest-api","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fheadlesskey-jwt-auth.1.0.0.zip",{"slug":54,"name":55,"version":56,"author":57,"author_profile":58,"description":59,"short_description":60,"active_installs":61,"downloaded":62,"rating":63,"num_ratings":64,"last_updated":65,"tested_up_to":14,"requires_at_least":66,"requires_php":67,"tags":68,"homepage":16,"download_link":73,"security_score":74,"vuln_count":75,"unpatched_count":11,"last_vuln_date":76,"fetched_at":27},"advanced-access-manager","Advanced Access Manager – Access Governance for WordPress","7.1.0","AAM Plugin","https:\u002F\u002Fprofiles.wordpress.org\u002Fvasyltech\u002F","\u003Cp>\u003Cstrong>Advanced Access Manager (AAM)\u003C\u002Fstrong> introduces \u003Cstrong>Access Governance for WordPress\u003C\u002Fstrong> – a systematic approach to securing your site by controlling who can access what, when, and why.\u003C\u002Fp>\n\u003Cp>Most WordPress security plugins focus on external threats like malware, firewalls, and brute-force attacks. 
AAM addresses the \u003Cstrong>root cause of the #1 WordPress security risk: broken access controls, excessive privileges, and misconfigured roles\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Instead of reacting to attacks, AAM helps you \u003Cstrong>design security into your WordPress site\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch4>What Access Governance means in practice\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Mitigate Broken Access Controls\u003C\u002Fstrong>. Ensure roles, users, and permissions are correctly configured to prevent unauthorized actions and privilege escalation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Eliminate Excessive Privileges\u003C\u002Fstrong>. Identify overpowered users and reduce access to critical functionality, admin areas, and APIs.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Secure Content by Design\u003C\u002Fstrong>. Control who can view, edit, publish, or delete posts, pages, media, taxonomies, and custom content types.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Govern Access with Policy\u003C\u002Fstrong>. Define access rules using JSON Access Policies — portable, auditable, and automation-friendly.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Build Custom Security Logic\u003C\u002Fstrong>. Use the AAM PHP Framework to create advanced, programmatic access controls tailored to your application.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Security Audit\u003C\u002Fstrong>. Detect risky role assignments, misconfigurations, and compromised accounts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Granular Access Control\u003C\u002Fstrong>. Manage permissions for any user, role, or visitor with precision.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role & Capability Management\u003C\u002Fstrong>. Customize WordPress roles and capabilities beyond defaults.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Admin & Menu Control\u003C\u002Fstrong>. 
Restrict dashboard areas and tailor the admin experience per user or role.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>API & Endpoint Protection\u003C\u002Fstrong>. Secure REST and XML-RPC access with fine-grained controls.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Modern Authentication Options\u003C\u002Fstrong>. Support passwordless and secure login flows.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Developer-Ready Framework\u003C\u002Fstrong>. Extend WordPress security using AAM’s powerful SDK.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Ad-Free & Transparent\u003C\u002Fstrong>. No ads, no tracking, no bloat.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Built for Security-Conscious WordPress Users\u003C\u002Fh4>\n\u003Cp>AAM is trusted by \u003Cstrong>150,000+ websites\u003C\u002Fstrong> to deliver enterprise-grade access control without unnecessary complexity. Whether you’re a site owner, agency, developer, or security professional, AAM gives you \u003Cstrong>full control over WordPress access — by design\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Most core features are free. Advanced capabilities are available via premium add-ons.\u003C\u002Fp>\n\u003Cp>No hidden tracking. No data collection. No unwanted changes.\u003Cbr \u002F>\nJust \u003Cstrong>security you can reason about, audit, and trust\u003C\u002Fstrong>.\u003C\u002Fp>\n","Access Governance for WordPress. 
Control roles, users, content, admin areas, and APIs to prevent broken access controls and excessive privileges.",100000,7412197,84,420,"2026-03-08T15:53:00.000Z","5.8.0","5.6.0",[69,70,71,22,72],"access-governance","api-security","restricted-content","user-roles","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-access-manager.7.1.0.zip",95,11,"2024-03-20 00:00:00",{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":87,"num_ratings":88,"last_updated":89,"tested_up_to":14,"requires_at_least":46,"requires_php":90,"tags":91,"homepage":95,"download_link":96,"security_score":97,"vuln_count":98,"unpatched_count":11,"last_vuln_date":99,"fetched_at":27},"wp-graphql","WPGraphQL","2.11.2","Jason Bahl","https:\u002F\u002Fprofiles.wordpress.org\u002Fjasonbahl\u002F","\u003Cp>WPGraphQL is a free, open-source WordPress plugin that provides an extendable GraphQL schema and API for any WordPress site.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Get Started\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Col>\n\u003Cli>Install WPGraphQL: \u003Ccode>wp plugin install wp-graphql --activate\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Try it out: \u003Ca href=\"https:\u002F\u002Frepl.wpgraphql.com\" rel=\"nofollow ugc\">Live Demo\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Read the \u003Ca href=\"https:\u002F\u002Fwpgraphql.com\u002Fdocs\u002Fquick-start\" rel=\"nofollow ugc\">Quick Start Guide\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>Join the \u003Ca href=\"https:\u002F\u002Fdiscord.gg\u002FAGVBqqyaUY\" rel=\"nofollow ugc\">Community on Discord\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fwp-graphql\u002Fwp-graphql\" rel=\"nofollow ugc\">Star the Repo\u003C\u002Fa>!\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>\u003Cstrong>Key Features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Flexible API\u003C\u002Fstrong>: Query posts, pages, custom post types, 
taxonomies, users, and more.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Extendable Schema\u003C\u002Fstrong>: Easily add functionality with WPGraphQL’s API, enabling custom integrations.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Compatible with Modern Frameworks\u003C\u002Fstrong>: Works seamlessly with \u003Ca href=\"https:\u002F\u002Fvercel.com\u002Fguides\u002Fwordpress-with-vercel\" rel=\"nofollow ugc\">Next.js\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fdocs.astro.build\u002Fen\u002Fguides\u002Fcms\u002Fwordpress\u002F\" rel=\"nofollow ugc\">Astro\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.okupter.com\u002Fblog\u002Fheadless-wordpress-graphql-sveltekit\" rel=\"nofollow ugc\">SvelteKit\u003C\u002Fa>, and more.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Optimized Performance\u003C\u002Fstrong>: Fetch exactly the data you need in a single query. Boost performance with \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fwp-graphql\u002Fwp-graphql\u002Ftree\u002Fmain\u002Fplugins\u002Fwp-graphql-smart-cache\" rel=\"nofollow ugc\">WPGraphQL Smart Cache\u003C\u002Fa>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>WPGraphQL is becoming a \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fnews\u002F2024\u002F10\u002Fwpgraphql\u002F\" rel=\"ugc\">Canonical Plugin\u003C\u002Fa> on WordPress.org, ensuring long-term support and a growing community of users and contributors.\u003C\u002Fp>\n\u003Ch4>Upgrading\u003C\u002Fh4>\n\u003Cp>It is recommended that anytime you want to update WPGraphQL that you get familiar with what’s changed in the release.\u003C\u002Fp>\n\u003Cp>WPGraphQL publishes \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fwp-graphql\u002Fwp-graphql\u002Freleases\" rel=\"nofollow ugc\">release notes on Github\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>WPGraphQL has been following Semver practices for a few years. We will continue to follow Semver and let version numbers communicate meaning. 
The summary of Semver versioning is as follows:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cem>MAJOR\u003C\u002Fem> version when you make incompatible API changes,\u003C\u002Fli>\n\u003Cli>\u003Cem>MINOR\u003C\u002Fem> version when you add functionality in a backwards compatible manner, and\u003C\u002Fli>\n\u003Cli>\u003Cem>PATCH\u003C\u002Fem> version when you make backwards compatible bug fixes.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can read more about the details of Semver at semver.org.\u003C\u002Fp>\n\u003Ch3>Privacy Policy\u003C\u002Fh3>\n\u003Cp>WPGraphQL uses \u003Ca href=\"https:\u002F\u002Fappsero.com\" rel=\"nofollow ugc\">Appsero\u003C\u002Fa> SDK to collect some telemetry data upon user’s confirmation. This helps us to troubleshoot problems faster and make product improvements.\u003C\u002Fp>\n\u003Cp>Appsero SDK \u003Cstrong>does not gather any data by default.\u003C\u002Fstrong> The SDK starts gathering basic telemetry data \u003Cstrong>only when a user allows it via the admin notice\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>Learn more about how \u003Ca href=\"https:\u002F\u002Fappsero.com\u002Fprivacy-policy\u002F\" rel=\"nofollow ugc\">Appsero collects and uses this data\u003C\u002Fa>.\u003C\u002Fp>\n","WPGraphQL adds a flexible and powerful GraphQL API to WordPress, enabling efficient querying and interaction with your site's data.",30000,1430860,98,48,"2026-04-13T18:05:00.000Z","7.4",[92,93,20,94,51],"decoupled","graphql","react","https:\u002F\u002Fgithub.com\u002Fwp-graphql\u002Fwp-graphql","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-graphql.2.11.2.zip",80,9,"2026-05-07 
00:00:00",{"slug":101,"name":102,"version":103,"author":104,"author_profile":105,"description":106,"short_description":107,"active_installs":108,"downloaded":109,"rating":25,"num_ratings":110,"last_updated":111,"tested_up_to":112,"requires_at_least":113,"requires_php":114,"tags":115,"homepage":117,"download_link":118,"security_score":119,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"smntcs-disable-rest-api-user-endpoints","SMNTCS Disable REST API User Endpoints","2.4","Niels Lange","https:\u002F\u002Fprofiles.wordpress.org\u002Fnielslange\u002F","\u003Cp>With WordPress 4.7 the REST API is part of the core. At the moment everyone has read access to the REST API. As a result of that a potential intruder can retrieve a list of all user slugs via \u003Ccode>\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u003C\u002Fcode>. This plugin disables the REST API user endpoints to obscure the user slugs.\u003C\u002Fp>\n\u003Ch3>Contribute\u003C\u002Fh3>\n\u003Cp>Contributions are more than welcome. 
Simply head over to \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fnielslange\u002Fsmntcs-disable-rest-api-user-endpoints\u002F\" rel=\"nofollow ugc\">Github\u003C\u002Fa> and open an issue or a pull request.\u003C\u002Fp>\n","Disable the REST API user endpoints to obscure user slugs.",6000,29425,2,"2024-12-31T06:23:00.000Z","6.7.5","5.5","5.6",[116,51,22],"endpoints","https:\u002F\u002Fgithub.com\u002Fnielslange\u002Fsmntcs-disable-rest-api-user-endpoints","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmntcs-disable-rest-api-user-endpoints.2.4.zip",92,{"slug":121,"name":122,"version":123,"author":124,"author_profile":125,"description":126,"short_description":127,"active_installs":128,"downloaded":129,"rating":11,"num_ratings":11,"last_updated":130,"tested_up_to":14,"requires_at_least":114,"requires_php":90,"tags":131,"homepage":16,"download_link":134,"security_score":25,"vuln_count":11,"unpatched_count":11,"last_vuln_date":26,"fetched_at":27},"babylovegrowth-integration","BabyLoveGrowth Integration","1.0.15","BabyLoveGrowth","https:\u002F\u002Fprofiles.wordpress.org\u002Fmeetcpatel8850\u002F","\u003Cp>BabyLoveGrowth Integration adds a secure REST API endpoint to your WordPress site so BabyLoveGrowth.ai can publish or update posts remotely. 
It uses an API key you control in WordPress settings, and supports featured images and HTML\u002FMarkdown content.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Improved Authorization\u003C\u002Fli>\n\u003Cli>Endpoints: \u003Ccode>GET \u002Fwp-json\u002Fbabylovegrowth\u002Fv1\u002Fping\u003C\u002Fcode>, \u003Ccode>POST \u002Fwp-json\u002Fbabylovegrowth\u002Fv1\u002Fpublish\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Accepts \u003Ccode>title\u003C\u002Fcode>, \u003Ccode>slug\u003C\u002Fcode>, \u003Ccode>content_html\u003C\u002Fcode> or \u003Ccode>content_markdown\u003C\u002Fcode>, optional \u003Ccode>metaDescription\u003C\u002Fcode>, \u003Ccode>heroImageUrl\u003C\u002Fcode>, \u003Ccode>status\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Sets\u002Fupdates posts by slug; supports \u003Ccode>publish\u003C\u002Fcode>, \u003Ccode>draft\u003C\u002Fcode>, \u003Ccode>pending\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n","Secure REST endpoint to publish posts from BabyLoveGrowth.ai backend via API key.",1000,3838,"2026-04-15T16:53:00.000Z",[20,132,51,133],"publishing","webhook","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbabylovegrowth-integration.1.0.15.zip",{"attackSurface":136,"codeSignals":148,"taintFlows":156,"riskAssessment":157,"analyzedAt":160},{"hooks":137,"ajaxHandlers":144,"restRoutes":145,"shortcodes":146,"cronEvents":147,"entryPointCount":11,"unprotectedCount":11},[138],{"type":139,"name":140,"callback":141,"file":142,"line":143},"action","template_redirect","closure","rest-api-only.php",17,[],[],[],[],{"dangerousFunctions":149,"sqlUsage":150,"outputEscaping":152,"fileOperations":11,"externalRequests":11,"nonceChecks":11,"capabilityChecks":11,"bundledLibraries":155},[],{"prepared":11,"raw":11,"locations":151},[],{"escaped":153,"rawEcho":11,"locations":154},1,[],[],[],{"summary":158,"deductions":159},"The \"rest-api-only\" plugin v1.0.2 exhibits an exceptionally strong security posture based on the provided static analysis. 
It demonstrates a commitment to secure coding practices by implementing prepared statements for all SQL queries and ensuring proper output escaping. The absence of any identified dangerous functions, file operations, external HTTP requests, or taint flows with unsanitized paths further reinforces its robustness.  The plugin also has a clean vulnerability history, with no known CVEs, suggesting a history of well-maintained and secure code.  This lack of known vulnerabilities and the absence of critical code signals point to a well-developed and secure plugin, particularly for its intended purpose of controlling REST API access. The total absence of entry points like AJAX handlers, REST API routes, shortcodes, and cron events, especially those lacking authentication, is a significant strength that minimizes the plugin's attack surface.  While the lack of explicit capability checks and nonce checks could be a concern in other plugin contexts, given the stated \"rest-api-only\" nature and zero entry points, these are unlikely to represent a significant risk in this specific scenario. 
The plugin's strengths lie in its minimal attack surface and adherence to secure coding principles, making it a highly secure option.",[],"2026-04-16T14:09:44.132Z",{"wat":162,"direct":167},{"assetPaths":163,"generatorPatterns":164,"scriptPaths":165,"versionParams":166},[],[],[],[],{"cssClasses":168,"htmlComments":169,"htmlAttributes":170,"restEndpoints":171,"jsGlobals":173,"shortcodeOutput":174},[],[],[],[172],"\u002Fwp-json",[],[],{"error":176,"url":177,"statusCode":178,"statusMessage":179,"message":179},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Frest-api-only\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":153,"versions":181},[182],{"version":6,"download_url":24,"svn_tag_url":183,"released_at":26,"has_diff":184,"diff_files_changed":185,"diff_lines":26,"trac_diff_url":26,"vulnerabilities":186,"is_current":176},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Frest-api-only\u002Ftags\u002F1.0.2\u002F",false,[],[]]