Initial release. No upgrade concerns.<\/p>"},"ratings":[],"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3384887,"resolution":"1","location":"assets","locale":"","width":1614,"height":697},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3384887,"resolution":"2","location":"assets","locale":"","width":1615,"height":766},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3384887,"resolution":"3","location":"assets","locale":"","width":1609,"height":756}},"screenshots":{"1":"Settings UI under \"Settings\" > \"API\/Write Restriction\".","2":"REST API write method controls and whitelist management.","3":"IP whitelist and Ajax action whitelist settings.","4":"Custom error message configuration screen."}},"plugin_section":[],"plugin_tags":[],"plugin_category":[],"plugin_contributors":[249109],"plugin_business_model":[],"class_list":["post-257436","plugin","type-plugin","status-publish","hentry","plugin_contributors-teamredfox","plugin_committers-teamredfox"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/api-write-blocker.svg","icon_2x":false,"generated":true},"screenshots":[{"src":"https:\/\/ps.w.org\/api-write-blocker\/assets\/screenshot-1.png?rev=3384887","caption":"Settings UI under \"Settings\" > \"API\/Write Restriction\"."},{"src":"https:\/\/ps.w.org\/api-write-blocker\/assets\/screenshot-2.png?rev=3384887","caption":"REST API write method controls and whitelist management."},{"src":"https:\/\/ps.w.org\/api-write-blocker\/assets\/screenshot-3.png?rev=3384887","caption":"IP whitelist and Ajax action whitelist settings."}],"raw_content":"\n
API Write Blocker<\/strong> is a security-focused plugin that prevents unauthorized or anonymous users from executing write operations through REST API, XML-RPC, and Admin-Ajax interfaces.<\/p>\n\n Unlike generic API blockers, this plugin enables fine-grained control<\/em> over which HTTP methods (POST, PUT\/PATCH, DELETE) are allowed, supports whitelist-based exceptions, and protects core endpoints without interfering with legitimate functionalities such as contact form submissions or plugin integrations.<\/p>\n\n REST API Method-Level Blocking<\/strong>\n* Independently block POST, PUT\/PATCH, and DELETE requests.\n* Whitelist specific REST routes (prefix match supported) to allow legitimate access (e.g., contact forms).\n* Configure a custom HTTP status code and error message per request type.<\/p>\n\n XML-RPC Write Operation Blocking<\/strong>\n* Disable only dangerous write-related XML-RPC methods (e.g., Admin-Ajax Write Protection<\/strong>\n* Blocks known sensitive write-related Ajax actions (e.g., Flexible Exceptions<\/strong>\n* Authenticated users are always allowed by default.\n* IP Whitelist support (including CIDR ranges) for external systems or trusted clients.<\/p>\n\n Custom Response Messages<\/strong>\n* Return custom error messages and HTTP status codes for each interface: REST, XML-RPC, and Admin-Ajax.<\/p>\n\n This plugin is ideal for hardening your WordPress site without breaking functionality.<\/p>\n\n\n No, as long as you whitelist the required routes (e.g., Yes. Many sites do not use REST-based write operations publicly. By default, WordPress allows unauthenticated POST, PUT, and DELETE calls which may be exploited by attackers. This plugin disables them unless explicitly allowed.<\/p><\/dd>\n Yes. This plugin blocks only post-related XML-RPC methods and lets other functions like pingbacks or basic metaWeblog info pass, if desired.<\/p><\/dd>\n Authenticated (logged-in) users are always allowed to execute requests. This plugin mainly protects against unauthorized, anonymous, or non-whitelisted users.<\/p><\/dd>\n\n<\/dl>\n\n\n\ud83d\udd10 Key Features<\/h3>\n\n
wp.newPost<\/code>, metaWeblog.editPost<\/code>) while keeping harmless calls untouched.\n* Return a custom status code and error message for blocked XML-RPC operations.<\/p>\n\nsave-post<\/code>, upload-attachment<\/code>) for unauthenticated users.\n* Whitelist specific actions used by safe plugins like Contact Form 7.<\/p>\n\n\n
\/wp-content\/plugins\/<\/code> directory.<\/li>\n\n
Will this plugin block Contact Form 7 or similar plugins?<\/h3><\/dt>\n
contact-form-7\/v1\/contact-forms<\/code>) and Ajax actions (e.g., wpcf7-submit<\/code>). The plugin is designed to safely allow necessary requests.<\/p><\/dd>\nIs it safe to disable write methods in the REST API?<\/h3><\/dt>\n
Can I block XML-RPC write methods without disabling XML-RPC entirely?<\/h3><\/dt>\n
What happens to authenticated users?<\/h3><\/dt>\n
1.0<\/h4>\n\n
\n