Description
API Write Blocker is a security-focused plugin that prevents unauthorized or anonymous users from executing write operations through REST API, XML-RPC, and Admin-Ajax interfaces.
Unlike generic API blockers, this plugin gives fine-grained control over which HTTP methods (POST, PUT/PATCH, DELETE) are blocked, supports whitelist-based exceptions, and protects core endpoints without interfering with legitimate functionality such as contact form submissions or plugin integrations.
🔐 Key Features
REST API Method-Level Blocking
* Independently block POST, PUT/PATCH, and DELETE requests.
* Whitelist specific REST routes (prefix match supported) to allow legitimate access (e.g., contact forms).
* Configure a custom HTTP status code and error message per request type.
XML-RPC Write Operation Blocking
* Disable only dangerous write-related XML-RPC methods (e.g., wp.newPost, metaWeblog.editPost) while keeping harmless calls untouched.
* Return a custom status code and error message for blocked XML-RPC operations.
Admin-Ajax Write Protection
* Blocks known sensitive write-related Ajax actions (e.g., save-post, upload-attachment) for unauthenticated users.
* Whitelist specific actions used by safe plugins like Contact Form 7.
Flexible Exceptions
* Authenticated users are always allowed by default.
* IP Whitelist support (including CIDR ranges) for external systems or trusted clients. The whitelist is matched against the address WordPress sees for the connection, so behind a reverse proxy or CDN make sure the real client address is being passed through, otherwise every request will appear to come from the proxy.
Custom Response Messages
* Return custom error messages and HTTP status codes for each interface: REST, XML-RPC, and Admin-Ajax.
This plugin is ideal for hardening your WordPress site without breaking functionality.
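The following is an added example, not the plugin's own source, showing how the four controls listed above map onto standard WordPress hooks: `rest_pre_dispatch` for REST, `xmlrpc_methods` for XML-RPC, and `admin_init` (which fires in admin-ajax.php before the action is dispatched) for Admin-Ajax. The `AWB_POLICY` array stands in for the settings page, the `awb_` helpers are assumed names, and the routes, actions and IP ranges are constructed sample values. Drop it into `wp-content/mu-plugins/` to try it.

```php
<?php
// Added example, not the plugin's source: a minimal mu-plugin wiring the four
// controls onto WordPress hooks. AWB_POLICY stands in for the settings page;
// the awb_ helpers and the sample routes/IPs are assumptions.
const AWB_POLICY = [
    'rest' => [
        'blocked_methods'  => ['POST', 'PUT', 'PATCH', 'DELETE'],
        'whitelist_routes' => ['contact-form-7/v1/contact-forms'], // prefix match
        'status'           => 403,
        'message'          => 'Write operations are not permitted for anonymous requests.',
    ],
    'xmlrpc' => [
        'blocked_methods' => ['wp.newPost', 'wp.editPost', 'wp.deletePost', 'metaWeblog.newPost', 'metaWeblog.editPost'],
        'fault_code'      => 403,
        'message'         => 'This XML-RPC method is disabled.',
    ],
    'ajax' => [
        'blocked_actions'   => ['save-post', 'upload-attachment'],
        'whitelist_actions' => ['wpcf7-submit'],
    ],
    'ip_whitelist' => ['203.0.113.0/24', '198.51.100.7'], // constructed documentation ranges
];

// Exact-IP or CIDR match on the packed address, so IPv4 and IPv6 both work.
function awb_ip_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = inet_pton($ip);
    $subBin = inet_pton($subnet);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false; // unparsable, or an IPv4 address tested against an IPv6 range
    }
    $bits = $bits === null ? strlen($ipBin) * 8 : (int) $bits;
    $full = intdiv($bits, 8);
    $rem  = $bits % 8;
    if (substr($ipBin, 0, $full) !== substr($subBin, 0, $full)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($subBin[$full]) & $mask);
}

// Logged-in users and whitelisted source addresses bypass every control.
// REMOTE_ADDR is used deliberately: trusting X-Forwarded-For from an unknown
// proxy would let any client spoof its way onto the whitelist.
function awb_is_trusted(): bool {
    if (is_user_logged_in()) {
        return true;
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach (AWB_POLICY['ip_whitelist'] as $cidr) {
        if (awb_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// 1. REST: decide before the route handler runs. get_method() already reflects
//    the _method / X-HTTP-Method-Override overrides WordPress honours, so a write
//    disguised as a GET cannot slip past a check on $_SERVER['REQUEST_METHOD'].
add_filter('rest_pre_dispatch', function ($result, WP_REST_Server $server, WP_REST_Request $request) {
    $p = AWB_POLICY['rest'];
    if (!in_array($request->get_method(), $p['blocked_methods'], true) || awb_is_trusted()) {
        return $result;
    }
    foreach ($p['whitelist_routes'] as $prefix) {
        $prefix = '/' . ltrim($prefix, '/');
        if (strncmp($request->get_route(), $prefix, strlen($prefix)) === 0) {
            return $result;
        }
    }
    return new WP_Error('awb_write_blocked', $p['message'], ['status' => $p['status']]);
}, 10, 3);

// 2. XML-RPC: swap only the write methods for a callback that returns a fault;
//    pingback.ping, system.listMethods etc. stay registered. Credentials travel
//    inside each XML-RPC call, so only the IP whitelist can exempt a caller here.
add_filter('xmlrpc_methods', function (array $methods) {
    if (awb_is_trusted()) {
        return $methods;
    }
    $p = AWB_POLICY['xmlrpc'];
    foreach ($p['blocked_methods'] as $name) {
        if (isset($methods[$name])) {
            $methods[$name] = function () use ($p) {
                return new IXR_Error($p['fault_code'], $p['message']);
            };
        }
    }
    return $methods;
});

// 3. Admin-Ajax: admin_init fires in admin-ajax.php before the wp_ajax_nopriv_*
//    handler is looked up, so a blocked action never reaches its callback.
add_action('admin_init', function () {
    if (!wp_doing_ajax() || awb_is_trusted()) {
        return;
    }
    $p      = AWB_POLICY['ajax'];
    $action = sanitize_key($_REQUEST['action'] ?? '');
    if (in_array($action, $p['whitelist_actions'], true)) {
        return;
    }
    if (in_array($action, $p['blocked_actions'], true)) {
        wp_send_json_error(['message' => 'This action is not permitted.'], 403);
    }
});
```

Two design points worth noting. The REST check runs at dispatch rather than on `$_SERVER['REQUEST_METHOD']` because WordPress lets a client override the method with `?_method=DELETE` or an `X-HTTP-Method-Override` header; the request object is the only reliable source. For XML-RPC the blocked methods answer with an XML-RPC fault (the response is still HTTP 200, as the protocol requires), so the "status code" you configure there is a fault code, not an HTTP status.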
Installation
- Download the ZIP file and install it from “Plugins” > “Add New” > “Upload Plugin”.
- OR, unzip the plugin and upload it to the /wp-content/plugins/ directory.
- Activate “API Write Blocker” from “Plugins” in the admin panel.
- Go to “Settings” > “API/Write Restriction” to configure the plugin.
FAQ
Will this plugin block Contact Form 7 or similar plugins?
No, as long as you whitelist the required REST routes (e.g., contact-form-7/v1/contact-forms) and Ajax actions (e.g., wpcf7-submit). The plugin is designed to let those requests through while still blocking everything else. Check your form from a logged-out browser session after enabling the plugin, since the whitelist is what keeps it working for anonymous visitors.

Is it safe to disable write methods in the REST API?
Yes, for most sites. WordPress core's own REST routes already require an authenticated user with the right capability for POST, PUT/PATCH and DELETE, but any plugin or theme can register a route with a permissive permission callback, and such a route accepts anonymous writes. This plugin refuses unauthenticated write methods before any route handler runs, so a permissive route is covered unless you explicitly whitelist it.

Can I block XML-RPC write methods without disabling XML-RPC entirely?
Yes. This plugin blocks only post-related XML-RPC methods and lets other functions, such as pingbacks or read-only metaWeblog calls, pass if desired. Note that pingback.ping has its own abuse history (it can be used to make your site issue requests to arbitrary URLs), so if you do not rely on pingbacks, consider disabling that method separately or blocking xmlrpc.php at the web server.

What happens to authenticated users?
Authenticated (logged-in) users are always allowed to execute requests. This plugin mainly protects against unauthorized, anonymous, or non-whitelisted users. Keep in mind that WordPress only treats a cookie-authenticated REST request as logged in when it carries a valid nonce (the X-WP-Nonce header); a request with the login cookie but no nonce is handled as anonymous and is therefore blocked. Requests authenticated with an application password count as logged in.
Changelog
1.0
- Initial release.
- REST API write method blocking (POST, PUT/PATCH, DELETE).
- XML-RPC method-level write blocking.
- Admin-Ajax write action blocking with whitelist.
- IP and route/action whitelists.
- Custom status code and message per interface.


