
alleyinteractive/wp-rest-api-guard
==================================

Restrict and control access to the REST API


REST API Guard
==============


Stable tag: 1.4.1

Requires at least: 6.5

Tested up to: 6.8

Requires PHP: 8.0

License: GPL v2 or later

Tags: alleyinteractive, rest-api-guard

Contributors: sean212

[![All Pull Request Tests](https://github.com/alleyinteractive/wp-rest-api-guard/actions/workflows/all-pr-tests.yml/badge.svg?branch=develop)](https://github.com/alleyinteractive/wp-rest-api-guard/actions/workflows/all-pr-tests.yml)

Restrict and control access to the REST API.

Installation
------------


You can install the package via composer:

```
composer require alleyinteractive/wp-rest-api-guard
```

Usage
-----


The WordPress REST API is generally very public and can share a good deal of information with the internet anonymously. This plugin aims to make it easier to restrict access to the REST API for your WordPress site.

Out of the box the plugin can:

- Disable anonymous access to the REST API.
- Restrict and control anonymous access to the REST API by namespace, path, etc.

### Settings Page


The plugin can be configured via the Settings page (`Settings -> REST API Guard`) or via the relevant filter.

[![Screenshot of plugin settings screen](https://user-images.githubusercontent.com/346399/194411352-aa05e939-3fd1-4e37-a3d5-276c1c5c288f.png)](https://user-images.githubusercontent.com/346399/194411352-aa05e939-3fd1-4e37-a3d5-276c1c5c288f.png)

### Preventing Access to User Information (`wp/v2/users`)

By default, the plugin restricts anonymous access to the users endpoint. To allow anonymous access to it, change the plugin's settings or use the filter:

```
add_filter( 'rest_api_guard_allow_user_access', fn () => true );
```

### Preventing Access to Index (`/`) or Namespace Endpoints (`wp/v2`)

To prevent anonymous users from browsing your site and discovering what plugins/post types are set up, the plugin restricts access to the index (`/`) and namespace (`wp/v2`) endpoints. To allow access, change the plugin's settings or use the filters:

```
// Allow index access.
add_filter( 'rest_api_guard_allow_index_access', fn () => true );

// Allow namespace access.
add_filter( 'rest_api_guard_allow_namespace_access', fn ( string $namespace ) => true );
```

### Restrict Anonymous Access to the REST API


The plugin can restrict anonymous access for any request to the REST API in the plugin's settings or via code:

```
add_filter( 'rest_api_guard_prevent_anonymous_access', fn () => true );
```

### Limit Anonymous Access to Specific Namespaces/Routes (Allowlist)


Anonymous users can be granted access only to specific namespaces/routes. Requests outside of these paths will be denied. This can be configured in the plugin's settings or via code:

```
add_filter(
	'rest_api_guard_anonymous_requests_allowlist',
	function ( array $paths, WP_REST_Request $request ): array {
		// All other paths not included here will be denied.
		$paths[] = 'wp/v2/post';
		$paths[] = 'custom-namespace/v1/public/*';

		return $paths;
	},
	10,
	2
);
```

### Restrict Anonymous Access to Specific Namespaces/Routes (Denylist)

Anonymous users can be restricted from specific namespaces/routes. This acts as a denylist for specific paths that an anonymous user cannot access. The paths support regular expressions for matching. The [Allowlist](#limit-anonymous-access-to-specific-namespacesroutes-allowlist) takes priority over this denylist. This can be configured in the plugin's settings or via code:

```
add_filter(
	'rest_api_guard_anonymous_requests_denylist',
	function ( array $paths, WP_REST_Request $request ): array {
		$paths[] = 'wp/v2/user';
		$paths[] = 'custom-namespace/v1/private/*';

		return $paths;
	},
	10,
	2
);
```

### Require JSON Web Token (JWT) Authentication for Anonymous Users

Anonymous users can be required to authenticate via a JSON Web Token (JWT) to access the REST API. Users should pass an `Authorization: Bearer <token>` header with their request. This can be configured in the plugin's settings or via code:

```
add_filter( 'rest_api_guard_authentication_jwt', fn () => true );
```

Out of the box, the plugin will look for a JWT in the `Authorization: Bearer <token>` header. The JWT will be expected to have an audience of `wordpress-rest-api` and an issuer of the site's URL. This can be configured in the plugin's settings or via code:

```
add_filter( 'rest_api_guard_jwt_audience', fn ( string $audience ) => 'custom-audience' );

add_filter( 'rest_api_guard_jwt_issuer', fn ( string $issuer ) => 'https://example.com' );
```

The JWT's secret will be autogenerated and stored in the `rest_api_guard_jwt_secret` option. The secret can also be filtered via code:

```
add_filter( 'rest_api_guard_jwt_secret', fn ( string $secret ) => 'my-custom-secret' );
```
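A literal secret like the one above tends to end up in version control. The following added example (not part of the plugin or its documentation) supplies the secret from a constant instead and keeps the autogenerated secret when the override is missing or too short; the constant name `REST_GUARD_JWT_SECRET` and the 32-character minimum are assumptions of this example.

```php
<?php
/**
 * Added example, not the plugin's own code. Intended for a mu-plugin file.
 * REST_GUARD_JWT_SECRET is a hypothetical constant defined in wp-config.php.
 */

// Require a JWT for anonymous REST API requests.
add_filter( 'rest_api_guard_authentication_jwt', '__return_true' );

add_filter(
	'rest_api_guard_jwt_secret',
	function ( string $secret ): string {
		// No override configured: keep the stored, autogenerated secret.
		if ( ! defined( 'REST_GUARD_JWT_SECRET' ) ) {
			return $secret;
		}

		$override = (string) constant( 'REST_GUARD_JWT_SECRET' );

		// A short or guessable shared secret can be brute-forced offline from
		// any captured token, so refuse weak overrides (threshold is an assumption).
		if ( strlen( $override ) < 32 ) {
			error_log( 'REST API Guard: configured JWT secret is too short; using the stored secret.' );
			return $secret;
		}

		return $override;
	}
);
```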

### Allow JWT Authentication for Authenticated Users

Authenticated users can be authenticated with the REST API via a JSON Web Token. Similar to the anonymous JWT authentication, users should pass an `Authorization: Bearer <token>` header with their request. This can be configured in the plugin's settings or via code:

```
add_filter( 'rest_api_guard_user_authentication_jwt', fn () => true );
```

### Generating JWTs for Anonymous and Authenticated Users

JWTs can be generated by calling the `wp rest-api-guard generate-jwt [--user=]` command or using the `Alley\WP\REST_API_Guard\generate_jwt()` function:

```
$jwt = \Alley\WP\REST_API_Guard\generate_jwt(
	expiration: 3600, // Optional. The expiration time in seconds from now.
	user: 1, // Optional. The user ID to generate the JWT for. Supports `WP_User` or user ID.
);
```
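What the audience and issuer expectations described earlier mean for a token can be shown in plain PHP. This is an added example, not the plugin's implementation: HS256 signing, the required `exp` claim and all `example_*` function names are assumptions, and the secret and URLs are constructed.

```php
<?php
// Added illustration, not the plugin's code. HS256 and a required `exp` are assumptions.
function example_b64url_encode( string $raw ): string {
	return rtrim( strtr( base64_encode( $raw ), '+/', '-_' ), '=' );
}
function example_b64url_decode( string $text ): string {
	$padded = $text . str_repeat( '=', ( 4 - strlen( $text ) % 4 ) % 4 );
	return (string) base64_decode( strtr( $padded, '-_', '+/' ), true );
}
function example_sign_jwt( array $claims, string $secret ): string {
	$data = example_b64url_encode( '{"typ":"JWT","alg":"HS256"}' ) . '.' . example_b64url_encode( json_encode( $claims ) );
	return $data . '.' . example_b64url_encode( hash_hmac( 'sha256', $data, $secret, true ) );
}

// Returns null when the token is acceptable, otherwise the reason it is rejected.
function example_jwt_rejection( string $jwt, string $secret, string $aud, string $iss ): ?string {
	$parts = explode( '.', $jwt );
	if ( 3 !== count( $parts ) ) {
		return 'malformed token';
	}
	[ $head, $body, $sig ] = $parts;
	$header = json_decode( example_b64url_decode( $head ), true );
	// Pin the algorithm on the verifier side; a token must not pick its own (e.g. "none").
	if ( ! is_array( $header ) || 'HS256' !== ( $header['alg'] ?? null ) ) {
		return 'unexpected algorithm';
	}
	// Check the signature before trusting any claim, using a constant-time comparison.
	if ( ! hash_equals( hash_hmac( 'sha256', "$head.$body", $secret, true ), example_b64url_decode( $sig ) ) ) {
		return 'bad signature';
	}
	$claims = json_decode( example_b64url_decode( $body ), true );
	if ( ! is_array( $claims ) || ( $claims['aud'] ?? null ) !== $aud ) {
		return 'wrong audience';
	}
	if ( ( $claims['iss'] ?? null ) !== $iss ) {
		return 'wrong issuer';
	}
	return ( (int) ( $claims['exp'] ?? 0 ) > time() ) ? null : 'expired or missing exp';
}

// Constructed sample values.
$secret = 'constructed-demo-secret-do-not-reuse-0001';
$claims = [ 'aud' => 'wordpress-rest-api', 'iss' => 'https://example.com', 'exp' => time() + 3600 ];
$tokens = [
	'valid'        => example_sign_jwt( $claims, $secret ),
	'other issuer' => example_sign_jwt( [ 'iss' => 'https://other.example' ] + $claims, $secret ),
	'wrong secret' => example_sign_jwt( $claims, 'some-other-secret' ),
];
foreach ( $tokens as $label => $jwt ) {
	echo $label, ': ', example_jwt_rejection( $jwt, $secret, 'wordpress-rest-api', 'https://example.com' ) ?? 'accepted', "\n";
}
```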

Testing
-------


Run `composer test` to run tests against PHPUnit and the PHP code in the plugin.

Changelog
---------


Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.

Credits
-------


This project is actively maintained by [Alley Interactive](https://github.com/alleyinteractive). Like what you see? [Come work with us](https://alley.co/careers/).

[![Alley logo](https://avatars.githubusercontent.com/u/1733454?s=200&v=4)](https://avatars.githubusercontent.com/u/1733454?s=200&v=4)

- [Sean Fisher](https://github.com/srtfisher)
- [All Contributors](../../contributors)

License
-------


The GNU General Public License (GPL) license. Please see [License File](LICENSE) for more information.

