Title: REST API_iThemes setting
Last modified: March 20, 2023

---

# REST API_iThemes setting

 *  Resolved [jaquezv](https://wordpress.org/support/users/jaquezv/)
 * (@jaquezv)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/rest-api_ithemes-setting/)
 * Currently going through website and I have several links that are giving me 401
   Unauthorized. When I click on the bad link I get the following message:
   `{"code":"itsec_rest_api_access_restricted","message":"You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.","data":{"status":401}}`
 * How does this setting get updated/corrected to fix these errors within my site?
   Is there a plugin that I need to add/run in WP for this? My domain has not changed
   so Velvet Blue would not work.

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Plugin Support [chandelierrr](https://wordpress.org/support/users/shanedelierrr/)
 * (@shanedelierrr)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/rest-api_ithemes-setting/#post-16578918)
 * Hi [@jaquezv](https://wordpress.org/support/users/jaquezv/), thanks for reaching
   out!
 * Can you please try setting the **REST API** option to “Default Access” in
   _Security > Settings > Advanced > WordPress Tweaks_ and see if it resolves
   the 401 error? I hope this helps!
 *  Thread Starter [jaquezv](https://wordpress.org/support/users/jaquezv/)
 * (@jaquezv)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/rest-api_ithemes-setting/#post-16580150)
 * The default setting states that it could give public access to information that
   we believe is private on the site; could you expand on this and/or give an example?
 *  [nlpro](https://wordpress.org/support/users/nlpro/)
 * (@nlpro)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/rest-api_ithemes-setting/#post-16580521)
 * Hi [@jaquezv](https://wordpress.org/support/users/jaquezv/),
 * A good example is the `List Users` endpoint:
 * [https://www.example.com/wp-json/wp/v2/users](https://www.example.com/wp-json/wp/v2/users)
 * It can be used to retrieve a collection of users. By default this endpoint is
   publicly accessible. Very popular amongst brute force attackers …
 * +++++ To prevent any confusion, I’m not iThemes +++++
 *  Plugin Support [chandelierrr](https://wordpress.org/support/users/shanedelierrr/)
 * (@shanedelierrr)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/rest-api_ithemes-setting/#post-16583149)
 * [@jaquezv](https://wordpress.org/support/users/jaquezv/), WordPress REST API 
   allows other applications (mobile apps/websites) to interact with WP sites by
   sending and receiving data in JSON format. The application can then use this 
   data to display or manipulate content on the site.
 * Per the official WP REST API [documentation](https://developer.wordpress.org/rest-api/):
 * > The REST API is a developer-oriented feature of WordPress. It provides data
   > access to the content of your site, and implements the same authentication 
   > restrictions — content that is public on your site is generally publicly accessible
   > via the REST API, while private content, password-protected content, internal
   > users, custom post types, and metadata is only available with authentication
   > or if you specifically set it to be so.
 * To add to nlpro’s example, the route `wp-json/wp/v2/posts` returns a list of
   posts (GET endpoint) and can accept an authenticated request to create posts
   (POST endpoint). You can view the available REST API endpoints [here](https://developer.wordpress.org/rest-api/reference/#rest-api-developer-endpoint-reference).
 * As brute-force attackers can use some publicly available endpoints, iTSec has
   a setting to Restrict Access to most REST API data. This will require a logged-in
   user for most requests and help block public requests to potentially private
   data. However, some third-party plugins/services require default access to the
   WP REST API to work, which could be what’s happening on your site. In this case,
   we recommend changing the setting to Default Access. I hope this helps!
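
Added example (not part of the thread, and not iThemes Security code): a small Python audit that labels anonymous REST responses from a site you administer, separating the `itsec_rest_api_access_restricted` block quoted in the first post from WordPress core's own 401/403 and from routes that answer publicly. The `fetch`, `classify` and `audit` names and the sample response bodies are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

ITSEC_CODE = "itsec_rest_api_access_restricted"  # error code quoted in the first post


def fetch(base_url, route):
    """Unauthenticated GET of one REST route on a site you administer."""
    url = base_url.rstrip("/") + "/wp-json" + route
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403/404 still carry a JSON body
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Label one anonymous response: who blocked it, or what it exposed."""
    try:
        data = json.loads(body)
    except ValueError:
        return "non-json response"
    if isinstance(data, dict) and data.get("code") == ITSEC_CODE:
        return "blocked by iThemes Security (Restricted Access)"
    if status in (401, 403):
        return "blocked by WordPress core or another plugin"
    if status == 200 and isinstance(data, list):
        return "public: %d item(s) readable without login" % len(data)
    return "other (HTTP %d)" % status


def audit(responses):
    """Map each route to its verdict; responses is {route: (status, body)}."""
    return {route: classify(status, body) for route, (status, body) in responses.items()}


# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "/wp/v2/users": (401, '{"code":"itsec_rest_api_access_restricted",'
                          '"message":"Access to REST API requests is restricted.",'
                          '"data":{"status":401}}'),
    "/wp/v2/posts": (200, '[{"id":1,"slug":"hello-world"}]'),
    "/wp/v2/settings": (401, '{"code":"rest_forbidden","data":{"status":401}}'),
}

if __name__ == "__main__":
    for route, verdict in audit(SAMPLES).items():
        print(route, "->", verdict)
```

For a live check, pass `audit({r: fetch("https://your-site.example", r) for r in SAMPLES})` once with each setting; a front-end link that breaks only under Restricted Access will show the iThemes verdict.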
 *  Plugin Support [chandelierrr](https://wordpress.org/support/users/shanedelierrr/)
 * (@shanedelierrr)
 * [3 years, 2 months ago](https://wordpress.org/support/topic/rest-api_ithemes-setting/#post-16601040)
 * Hi, I hope the information provided helped. Since we haven’t received a response,
   I’ll mark this post resolved. If you still need some assistance, feel free to
   open a new support topic, and we’d be happy to assist. Thank you!
