
Status: Active · Type: WordPress plugin · Category: [Security](/categories/security)

kevorteg/wp-api-protection
==========================

Security Suite for WordPress REST API (Anti-Reconnaissance & Hardening).

v3.0.0 (2mo ago) · 10 · GPL-2.0-or-later · PHP · PHP >=7.4 · CI passing

Since Jan 20 · Pushed 2mo ago

[Source](https://github.com/kevorteg/wp-api-protection) · [Packagist](https://packagist.org/packages/kevorteg/wp-api-protection) · [RSS](/packages/kevorteg-wp-api-protection/feed) · Synced today


REST API Protection
===================

Badges: Version 3.0.0 · WordPress 6.0+ · License GPLv2-or-later

**REST API Protection** is a professional, multi-layered cybersecurity suite designed specifically to defend WordPress REST API endpoints against scraping, automated exploitation, injection attacks, and unauthorized access.

---

Architecture and Features
-------------------------

### Layer 1: Firewall and Access Control

- **Hard Block Status:** (Optional) Deny all REST API traffic by default except for authenticated Administrators and Whitelisted IP addresses.
- **IP Blacklisting:** Permanently ban known malicious actors. Blacklist rules execute with priority zero before any other logic.
- **IP Whitelisting:** Bypass all security rules and rate limits for trusted sources (e.g., origin servers, development teams, integrations).
- **Geo-Blocking:** Deny traffic originating from configurable ISO 3166-1 alpha-2 country codes. Lookups are locally cached to maximize performance.
- **Namespace Blocking:** Hide specific REST namespaces or routes (e.g., `/wp/v2/users` or `/wc/v3`) from public discovery, mitigating data leakage and user enumeration.
- **Proxy-Aware Resolution:** Ensure accurate threat detection when running behind Cloudflare, Nginx proxies, or load balancers, defeating X-Forwarded-For spoofing.

### Layer 2: Behavioral Defense

- **Rate Limiting:** Granular, sliding-window rate tracking. Automatically issues temporary bans to IP addresses that exceed request thresholds.
- **Security Headers:** Automatically injects strict HTTP response headers into all REST communications (`X-Content-Type-Options: nosniff`, `X-Frame-Options: SAMEORIGIN`, `X-XSS-Protection`, etc.).
- **Troll Mode:** (Optional) Replaces standard JSON 403 blocks with obfuscated terminal-like browser responses and CLI decoys to frustrate automated scanners and waste threat actor resources.
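The two mechanisms above that are easiest to get wrong are proxy-aware client IP resolution (Layer 1) and sliding-window rate limiting (Layer 2). The following is an added PHP example written for this page; it is not code from the wp-api-protection plugin. The function and class names, the trusted-proxy address `10.0.0.5`, the sample requests and the in-memory hit store are assumptions made for the demonstration; a real deployment keeps the counters in persistent storage shared across PHP workers.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the wp-api-protection plugin. It models two
// of the behaviours listed above: proxy-aware client IP resolution and a
// sliding-window rate limiter with a temporary ban. The trusted-proxy address,
// the sample requests and the in-memory store are constructed for the demo.

/**
 * Resolve the client IP. X-Forwarded-For is honoured only when the TCP peer
 * (REMOTE_ADDR) is a trusted proxy; a client that sends the header directly
 * cannot spoof its address. When the peer is trusted, the right-most address
 * that is not itself a trusted proxy is used, because proxies append to the
 * header and the left-most entries are client-controlled.
 */
function resolve_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;                       // untrusted peer: ignore the header
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if ($hop === '' || in_array($hop, $trustedProxies, true)) {
            continue;                         // skip our own proxy hops
        }
        // First non-proxy hop from the right; fall back to the peer if malformed.
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $remote;
    }
    return $remote;                           // header empty or only proxies
}

/** Sliding-window limiter: at most $limit hits per $window seconds per IP. */
final class SlidingWindowLimiter
{
    private int $limit;
    private int $window;
    private int $block;
    /** @var array<string,int[]> hit timestamps per IP */
    private array $hits = [];
    /** @var array<string,int> ban expiry (unix time) per IP */
    private array $bans = [];

    public function __construct(int $limit = 30, int $window = 60, int $block = 3600)
    {
        $this->limit = $limit;
        $this->window = $window;
        $this->block = $block;
    }

    /** True if the request may proceed, false if it is blocked. */
    public function allow(string $ip, int $now): bool
    {
        if (isset($this->bans[$ip])) {
            if ($this->bans[$ip] > $now) {
                return false;                 // still serving the penalty
            }
            unset($this->bans[$ip]);          // penalty expired
        }
        $cutoff = $now - $this->window;
        $this->hits[$ip] = array_values(array_filter(
            $this->hits[$ip] ?? [],
            fn(int $t): bool => $t > $cutoff  // drop hits outside the window
        ));
        if (count($this->hits[$ip]) >= $this->limit) {
            $this->bans[$ip] = $now + $this->block;   // temporary ban
            return false;
        }
        $this->hits[$ip][] = $now;
        return true;
    }
}

// --- demo with constructed requests -----------------------------------------
$trusted = ['10.0.0.5'];                      // assumed reverse-proxy address

// Arrives through the trusted proxy; the left-most XFF entry is client-supplied
// noise, the real client is the right-most non-proxy address.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9, 10.0.0.5'];
// Hits PHP directly while carrying a forged header; the header must be ignored.
$direct   = ['REMOTE_ADDR' => '198.51.100.7',
             'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];

echo resolve_client_ip($viaProxy, $trusted), PHP_EOL;
echo resolve_client_ip($direct, $trusted), PHP_EOL;

$limiter = new SlidingWindowLimiter();        // README defaults: 30 / 60 s, 3600 s block
$ip = resolve_client_ip($viaProxy, $trusted);
$t0 = 1_700_000_000;
$allowed = 0;
for ($i = 0; $i < 31; $i++) {
    if ($limiter->allow($ip, $t0 + $i)) { $allowed++; }
}
echo "allowed $allowed of 31 requests", PHP_EOL;
echo "blocked 2 min later: ", var_export(!$limiter->allow($ip, $t0 + 120), true), PHP_EOL;
echo "allowed after the block: ", var_export($limiter->allow($ip, $t0 + 31 + 3600), true), PHP_EOL;
```

The first call resolves to the right-most address that is not a trusted proxy, while the second returns `REMOTE_ADDR` untouched because the peer is not a proxy, which is what defeats header spoofing. The limiter admits the first 30 requests in the window, bans the address on the 31st, keeps rejecting it for the block duration, and admits it again once the penalty has expired. Platforms that present the client address in a different header (for example Cloudflare) need the same trust check applied to that header.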

### Layer 3: Auditing and Monitoring

- **Intrusion Dashboards:** Visual metrics on blocked interactions, rate limit violations, and security events.
- **Detailed Forensic Logs:** Track IP, Request Type (Block, Rate, Geo, NS), Request URL, and User-Agent.
- **Data Export:** Secure, nonce-protected CSV export for external Security Information and Event Management (SIEM) ingestion.

---

Installation
------------

### Option 1: Composer (Recommended)

```
composer require kevorteg/wp-api-protection
```

### Option 2: Manual

1. Download the latest release (`wp-api-protection.zip`).
2. Upload the uncompressed directory to `/wp-content/plugins/wp-api-protection/`.
3. Activate the plugin through the WordPress Administration interface.
4. Navigate to **API Protection** in the main sidebar to configure firewall policies.

---

Operations Guide
----------------

| Component | Default | Configuration Context |
|---|---|---|
| **Hard Block Mode** | Enabled | Disable if public REST access is required for unauthenticated operations. |
| **Security Headers** | Enabled | Recommended to leave enabled for baseline security. |
| **Rate Limiter** | 30 requests / 60s | Adjust based on normal web application consumption. |
| **Block Duration** | 3600 seconds | Penalty duration for rate limit violations. |
| **Alert Threshold** | 20 triggers / 5 min | Threshold for alerting the site administrator via email. |

---

Contributing
------------

This project is released open source under the GPLv2 (or later) license. Security patches, pull requests, and vulnerability disclosures are welcome via GitHub.

**Authors:** Kevin Ortega

### Health Score

Overall: 34 (Low; better than 75% of packages)

- Maintenance: 85. Actively maintained with recent releases.
- Popularity: 2. Limited adoption so far.
- Community: 6. Small or concentrated contributor base.
- Maturity: 36. Early-stage or recently created project.
- Bus Factor: 1. Top contributor holds 100% of commits (single point of failure).

How the score is calculated:

- **Maintenance (25%):** Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.
- **Popularity (30%):** Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.
- **Community (15%):** Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.
- **Maturity (30%):** Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: Every ~85 days
- Total releases: 2
- Last release: 78d ago
- Major versions: v2.1.0 → v3.0.0 (2026-04-15)

### Community

Maintainers: [Kevin Ortega](/maintainers/kevorteg) ([@kevorteg](https://github.com/kevorteg))

Top Contributors: [kevorteg](https://github.com/kevorteg) (31 commits)

Tags: api-rest, free, hardening, open-source, php8, plugin, rest-api, security, wordpress-plugin, wordpress, security, REST API, firewall, hardening

### Embed Badge

![Health badge](/badges/kevorteg-wp-api-protection/health.svg)

```
[![Health](https://phpackages.com/badges/kevorteg-wp-api-protection/health.svg)](https://phpackages.com/packages/kevorteg-wp-api-protection)
```

### Alternatives

- [helsingborg-stad/municipio](/packages/helsingborg-stad-municipio): A bootstrap theme for creating municipality sites.
- [brain/nonces](/packages/brain-nonces): OOP package for WordPress to deal with nonces.

PHPackages © 2026

