Last active
June 20, 2023 03:46
DISMISS PUBLIC ACCESS to the WordPress REST API; ONLY ALLOW API ACCESS VIA THE SAME DOMAIN, but ALLOW ADMIN ACCESS FOR ALL (for dynamic IPs). *Ideally*, the server should be making the requests to the API, not the client/user; that way, all API access is invalid except from the server. Use CORS together with this snippet to block all other WP access.
```apache
# - DISMISS PUBLIC ACCESS; ONLY ALLOW API ACCESS VIA OWN DOMAIN
# - ALLOW ADMIN ACCESS FOR ALL
#
# This example is in the "public_html/api/" folder where
# the WP API is installed.
#
RewriteEngine On
# If the referer is not its own domain.
# "https?" covers both schemes (the original "http?" only matched plain http),
# the dot is escaped, and "(/|$)" stops "architectura.com.example" from matching.
# Requests that carry no Referer header at all also fail this condition.
RewriteCond %{HTTP_REFERER} !^https?://architectura\.com(/|$) [NC]
# Then return 403 Forbidden, unless the request is for the admin login paths.
RewriteRule !^(wp-admin|wp-login\.php) - [F,L,NC]
# Below would block access to ALL directories within "/api", including WP Login pages.
# RewriteRule ^ - [L,F]
```
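As an added example (not part of the gist), a small Python harness that evaluates the two directives above against constructed requests, with the gist's original referer pattern beside the corrected one. It assumes the `.htaccess` sits in `/api/` as the gist says, so request paths are relative to that directory, and it maps mod_rewrite's `[NC]` flag to `re.IGNORECASE`.

```python
import re

# Referer patterns: the gist's original and the corrected form.
ORIGINAL_REFERER = re.compile(r"^http?://architectura.com", re.IGNORECASE)
FIXED_REFERER = re.compile(r"^https?://architectura\.com(/|$)", re.IGNORECASE)
# RewriteRule pattern: paths that stay reachable even without a matching referer.
ADMIN_PATHS = re.compile(r"^(wp-admin|wp-login\.php)", re.IGNORECASE)


def decide(path, referer, referer_pattern=FIXED_REFERER):
    """Return 'allow' or 'forbid' as the RewriteCond/RewriteRule pair would.

    path: request path relative to the /api/ directory (no leading slash).
    referer: raw Referer header value, '' when the header is absent.
    """
    # RewriteCond ... !<pattern>: the rule fires only when the referer does NOT match.
    if referer_pattern.match(referer):
        return "allow"
    # RewriteRule !^(wp-admin|wp-login\.php) - [F,L,NC]: forbid unless an admin path.
    if ADMIN_PATHS.match(path):
        return "allow"
    return "forbid"


# Constructed sample requests (path, Referer) to compare both patterns.
SAMPLES = [
    ("wp-json/wp/v2/posts", "https://architectura.com/page"),   # own site over https
    ("wp-json/wp/v2/posts", "http://architectura.com/page"),    # own site over http
    ("wp-json/wp/v2/posts", "http://architectura.com.evil.example/"),  # lookalike host
    ("wp-json/wp/v2/posts", ""),                                # no Referer header
    ("wp-login.php", ""),                                       # admin login path
]

if __name__ == "__main__":
    for path, referer in SAMPLES:
        print(f"{path:22} {referer or '<none>':40} "
              f"original={decide(path, referer, ORIGINAL_REFERER):6} "
              f"fixed={decide(path, referer)}")
```

The harness shows that the original pattern blocks the site's own https pages and accepts a lookalike host, while both versions block requests without a Referer (for example from a browser honouring a no-referrer policy). The Referer header is client-supplied, so this filter reduces casual scraping and does not replace authentication or the server-side request model the description recommends.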