Title: REST API
Last modified: December 15, 2017

---

# REST API

 *  Resolved [bikecrazyy](https://wordpress.org/support/users/bikecrazyy/)
 * (@bikecrazyy)
 * [8 years, 5 months ago](https://wordpress.org/support/topic/rest-api-26/)
 * Please make the “Disable REST API” a setting you can turn on and off. Updating
   the plugin broke our REST API because we have REST APIs that you don’t need
   to be logged in to trigger. There are many other plugins like [Disable JSON API](https://wordpress.org/plugins/disable-json-api/)
   that will allow you to manage your REST API in the way you see fit.
 * Example:
    We force every user to log in with your plugin, but then we have a scraper
   that gets triggered via the REST API that doesn’t give any information out but
   that runs a script.

Viewing 15 replies - 1 through 15 (of 22 total)


 *  Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/)
 * (@kevinvess)
 * [8 years, 5 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9784494)
 * Hi– thanks for using Force Login!
 * If you need to disable the REST API restriction in Force Login, try adding the
   following code to your functions.php file:
 *     ```
       remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access' );
       ```
   
 *  Thread Starter [bikecrazyy](https://wordpress.org/support/users/bikecrazyy/)
 * (@bikecrazyy)
 * [8 years, 5 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9784499)
 * Just added it and it gives access to all APIs again. But adding that still prevents
   Disable JSON API to manage what APIs I want public and which ones I don’t. If
   I add that to my theme’s functions.php everything is open and the other plugin
   won’t let me lock it down.
 * Scratch that, it fixed it. The only issue is, are you going to make this an option
   in the dev road map? Having this in the theme and it gets updated would wipe
   out the change.
 *  Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/)
 * (@kevinvess)
 * [8 years, 5 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9784520)
 * Great! I’m glad you got it working again.
 * If you’re concerned about losing custom changes to the theme, I recommend [using a Child Theme](https://codex.wordpress.org/Child_Themes)
   instead.
 * By using a child theme you will ensure that your modifications are preserved 
   when the parent theme gets updated.
 * Be sure to rate and review my plugin to let others know how you like it.
 * Thanks again!
 *  Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/)
 * (@kevinvess)
 * [8 years, 5 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9786964)
 * I thought I would inform you that I just released a new version of Force Login
   (v5.1.1), which improves the REST API restriction to allow alternative modes of
   authentication.
 * And as a result, it might allow you to use the [Disable JSON API](https://wordpress.org/plugins/disable-json-api/)
   plugin without needing to remove the `v_forcelogin_rest_access` filter as described
   above.
 * Thanks!
 *  [bryanrego](https://wordpress.org/support/users/bryanrego/)
 * (@bryanrego)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9907896)
 * Hi Kevin,
 * I tried adding `remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access' );`
   to my Divi child theme to allow access to the Gravity Forms JSON REST API and
   it didn’t work. Any other suggestions as to how I can enable access to this API?
 *  Thread Starter [bikecrazyy](https://wordpress.org/support/users/bikecrazyy/)
 * (@bikecrazyy)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9914995)
 * Whatever update you did in v5.1.1 doesn’t seem to work… the plugin is still
   blocking the REST API even with the functions.php code added.
 *  Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/)
 * (@kevinvess)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9915078)
 * [@bryanrego](https://wordpress.org/support/users/bryanrego/)
 * My original suggestion was before the v5.1.1 update; Force Login now restricts
   the API at a later priority to defer authorization to any other API handling 
   plugin.
 * Try adding the following priority to the `remove_filter()` function:
 *     ```
       remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access', 99 );
       ```
   
 * I believe the `remove_filter()` function was not working for you because it was
   not running at the correct point.
 * Let me know if this solves your issue.
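
The `remove_filter()` call above lifts Force Login's REST restriction for every route. As an added example (not part of the thread and not Force Login's own code), the same call can be scoped so that only chosen routes are exempt; the `/my-scraper/v1/` prefix and the `my_*` function names are hypothetical, and the callback name and priority 99 are taken from the reply above.

```php
<?php
// Added example, not Force Login's code. Goes in a child theme's functions.php
// or a must-use plugin. The route prefix and my_* names are hypothetical.

// REST route prefixes that must stay reachable without a login.
function my_public_rest_prefixes() {
	return array( '/my-scraper/v1/' );
}

// True when the current request targets one of the public prefixes.
function my_is_public_rest_route() {
	// WordPress stores the requested route in the 'rest_route' query var.
	$route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
		? $GLOBALS['wp']->query_vars['rest_route']
		: '';
	// Reject missing or array-valued input (e.g. ?rest_route[]=x).
	if ( ! is_string( $route ) || '' === $route ) {
		return false;
	}
	// Normalise to "/namespace/route/" so "/my-scraper/v1x" cannot match.
	$route = '/' . trim( $route, '/' ) . '/';
	foreach ( my_public_rest_prefixes() as $prefix ) {
		if ( 0 === strpos( $route, $prefix ) ) {
			return true;
		}
	}
	return false;
}

// Runs at priority 98, just before Force Login's callback (priority 99 as of
// v5.1.1, per the thread), and unhooks that callback for public routes only.
function my_scope_forcelogin_rest_access( $result ) {
	if ( my_is_public_rest_route() ) {
		remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access', 99 );
	}
	return $result; // The authentication result itself is never changed here.
}
add_filter( 'rest_authentication_errors', 'my_scope_forcelogin_rest_access', 98 );
```

Every route outside the listed prefixes still requires a login, and each exempted route's own `permission_callback` continues to decide who may call it.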
 *  Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/)
 * (@kevinvess)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9915117)
 * [@bikecrazyy](https://wordpress.org/support/users/bikecrazyy/)
 * As of v5.1.1, the `remove_filter()` function I suggested needs to run at a later
   priority in order to work. Try the new suggestion I just posted above.
 * Check out the following issue at GitHub for the full discussion about what changed
   in v5.1.1 and why:
 * [https://github.com/kevinvess/wp-force-login/issues/35](https://github.com/kevinvess/wp-force-login/issues/35)
 *  Thread Starter [bikecrazyy](https://wordpress.org/support/users/bikecrazyy/)
 * (@bikecrazyy)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9918776)
 * [@kevin](https://wordpress.org/support/users/kevin/) Sorry man, I can’t be dealing
   with this small silly issue for any longer and just copied your code and removed
   lines 56-68 in my own plugin. I really wish you would consider stop doing these
   **hacky** things such as editing your **functions.php** for your theme to make
   your plugin work properly with other plugins using REST options. All you really
   need to do is make this a feature you can turn on and off. **Making any custom
   changes like you’re trying to have us do doesn’t follow best practices**.
 * [@bryanrego](https://wordpress.org/support/users/bryanrego/) I suggest you do
   the same.
 *  Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/)
 * (@kevinvess)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9919196)
 * [@bikecrazyy](https://wordpress.org/support/users/bikecrazyy/)
 * Thanks for the feedback, but [plugins by definition are a hack of core WordPress functionality](https://codex.wordpress.org/Plugins).
 * > The core of WordPress is designed to be lean and lightweight, to maximize flexibility
   > and minimize code bloat. Plugins then offer custom functions and features so
   > that each user can tailor their site to their specific needs.
 * Furthermore, WordPress [best practice encourages custom functionality to be applied via your theme’s functions.php or a plugin](https://developer.wordpress.org/themes/basics/theme-functions/).
 * > The functions.php file behaves like a WordPress plugin, adding features and
   > functionality to a WordPress site. You can use it to call WordPress functions
   > and to define your own functions.
 * Force Login was built specifically to be lean and lightweight, with only one 
   purpose– to force unauthorized visitors to login or authenticate before gaining
   access to the website.
 * This plugin was built with developers in mind by excluding an admin panel with
   options and all the extra code/database bloat that comes with that. Instead, 
   it offers hooks to allow developers to alter the default plugin functionality
   to suit their needs via their theme’s functions.php file.
 * I’m sorry your other plugins using the REST API do not follow best practices 
   and properly authenticate themselves. If they had, Force Login would not have
   interfered because it checks for authentication before blocking access to the
   API.
 * An example of how a plugin could authenticate itself can be seen in the following
   WordPress core implementation:
    [https://github.com/WordPress/WordPress/blob/587da39a9e0eaea37e5f45323be0ede19d72f974/wp-includes/rest-api.php#L733-L791](https://github.com/WordPress/WordPress/blob/587da39a9e0eaea37e5f45323be0ede19d72f974/wp-includes/rest-api.php#L733-L791)
 * Might I suggest you ask the other plugin creators to authenticate their API calls
   to the WordPress REST API? This would be consistent with core handling and possibly
   mitigate any potential future conflicts with others.
 * Thanks for using Force Login!
 *  Thread Starter [bikecrazyy](https://wordpress.org/support/users/bikecrazyy/)
 * (@bikecrazyy)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9919253)
 * Okay bud I really don’t have time to waste on reading your response since it’s
   filled with a bunch of garbage that you’re using to make a point. Plugins are an
   extension of WordPress, not necessarily a hack. If you start telling people to
   edit their functions.php then when an update comes around for the theme… oh everything
   is gone. Your response to that is oh well make a child theme. aka **HACK**. If
   you extend the ability of WordPress, by giving the user the ability to turn
   it on/off then there wouldn’t be a problem. I wonder if you lack the time or
   knowledge to do this. You caused this issue by an update so really the true
   issue was caused by your code/extension you made to the plugin after the fact.
   Working just fine before you decided to change the functionality of your plugin.
 * > I’m sorry your other plugins using the REST API do not follow best practices
   > and properly authenticate themselves. If they had, Force Login would not interfere
   > because it checks for authentication before blocking access to the API.
 * Who are you to say that other plugins don’t follow best practices lol. Have you
   reviewed the code of all REST API plugins? I won’t be responding to you anymore
   due to the fact that I’ll be turning off notifications/follow-ups to this thread
   so I don’t get email alerts of this silly issue that your update caused.
 *  Moderator [Marius L. J.](https://wordpress.org/support/users/clorith/)
 * (@clorith)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9919475)
 * Hiya [@bikecrazyy](https://wordpress.org/support/users/bikecrazyy/) and [@kevinvess](https://wordpress.org/support/users/kevinvess/),
 * So it looks like everyone’s a little bit right here 🙂
 * A child theme isn’t a hack, it’s the recommended approach if you wish to make
   custom changes or additions to a theme while avoiding losing those changes with
   the next WordPress update.
 * A plugin also works just as well in this case, preferably as a Must-Use plugin
   if it’s required functionality.
 * Both approaches are functional, valid, and perfectly fine, use whichever one 
   you as a user are comfortable with.
 * —
 * I will, however, issue you a warning [@bikecrazyy](https://wordpress.org/support/users/bikecrazyy/).
   Your replies are becoming gradually more riled up it seems. Please take a moment’s
   break, have a cup of your beverage of preference and watch the rain (that’s my
   approach to stressful days at least 🙂 ).
 *  [bryanrego](https://wordpress.org/support/users/bryanrego/)
 * (@bryanrego)
 * [8 years, 4 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9920470)
 * Thanks [@kevinvess](https://wordpress.org/support/users/kevinvess/), that worked.
   I agree [@clorith](https://wordpress.org/support/users/clorith/) that a child
   theme is not a hack, it’s actually a best practice.
 *  [bryanrego](https://wordpress.org/support/users/bryanrego/)
 * (@bryanrego)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9967964)
 * [@kevinvess](https://wordpress.org/support/users/kevinvess/) I am having trouble
   bypassing the gravityformsapi from a child site on a multisite install with Force
   Login active.
 * What’s weird is I can reach the gravityformapi from a child site to my main site
   but not vice versa (from main site to child site). I also tried adding your
   suggestion with no luck –
 * `remove_filter( 'rest_authentication_errors', 'v_forcelogin_rest_access', 99 );`
 * On the main site (/) and the child site (/site2) I have the following in my
   functions.php as they both have their own child theme –
 *     ```
       function my_forcelogin_whitelist( $whitelist ) {
         // Filter specific pages
         $whitelist[] = site_url( '/' );
         // Get visited URL without query string
         $url_path = preg_replace( '/\?.*/', '', $_SERVER['REQUEST_URI'] );
         // Whitelist any page URL within the specified directory and certain pages
         if ( in_array( 'gravityformsapi', explode( '/', $url_path ) ) ) {
           $whitelist[] = site_url( $_SERVER['REQUEST_URI'] );
         }
         return $whitelist;
       }
       add_filter( 'v_forcelogin_whitelist', 'my_forcelogin_whitelist', 10, 1 );
       ```
   
 *  Plugin Author [Kevin Vess](https://wordpress.org/support/users/kevinvess/)
 * (@kevinvess)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/rest-api-26/#post-9980422)
 * [@bryanrego](https://wordpress.org/support/users/bryanrego/) I may not be able
   to troubleshoot this, but I’m fairly certain the whitelist filter is not necessary.
   I suspect the issue is only related to the `v_forcelogin_rest_access` API filter.
 * Could you share what your code for the gravityformapi is?
 * Gravity Forms has documentation on their Web API and a section about Authentication:
   [https://docs.gravityforms.com/web-api/#authentication](https://docs.gravityforms.com/web-api/#authentication)
 * I know you’re using a multisite install to communicate between the child and 
   main sites– but maybe you need to authenticate your requests using their [authentication for external applications method](https://docs.gravityforms.com/web-api/#authentication-for-external-applications)?
 * I hope that helps and good luck!


The topic ‘REST API’ is closed to new replies.


 * 22 replies
 * 6 participants
 * Last reply from: [Kevin Vess](https://wordpress.org/support/users/kevinvess/)
 * Last activity: [8 years, 3 months ago](https://wordpress.org/support/topic/rest-api-26/page/2/#post-10003007)
 * Status: resolved