Title: API Write Blocker
Author: teamredfox
Published: October 26, 2025
Last modified: October 26, 2025

---

![](https://s.w.org/plugins/geopattern-icon/api-write-blocker.svg)

# API Write Blocker

 By [teamredfox](https://profiles.wordpress.org/teamredfox/)

[Download](https://downloads.wordpress.org/plugin/api-write-blocker.1.0.zip)

## Description

**API Write Blocker** is a security-focused plugin that prevents unauthorized or
anonymous users from executing write operations through the REST API, XML-RPC, and
Admin-Ajax interfaces.

Unlike generic API blockers, this plugin enables _fine-grained control_ over which
HTTP methods (POST, PUT/PATCH, DELETE) are allowed, supports whitelist-based exceptions,
and protects core endpoints without interfering with legitimate functionality
such as contact form submissions or plugin integrations.

### 🔐 Key Features

**REST API Method-Level Blocking**

 * Independently block POST, PUT/PATCH, and DELETE requests.
 * Whitelist specific REST routes (prefix match supported) to allow legitimate access (e.g., contact forms).
 * Configure a custom HTTP status code and error message per request type.

**XML-RPC Write Operation Blocking**

 * Disable only dangerous write-related XML-RPC methods (e.g., `wp.newPost`, `metaWeblog.editPost`) while keeping harmless calls untouched.
 * Return a custom status code and error message for blocked XML-RPC operations.

**Admin-Ajax Write Protection**

 * Blocks known sensitive write-related Ajax actions (e.g., `save-post`, `upload-attachment`) for unauthenticated users.
 * Whitelist specific actions used by safe plugins like Contact Form 7.

**Flexible Exceptions**

 * Authenticated users are always allowed by default.
 * IP Whitelist support (including CIDR ranges) for external systems or trusted clients.

**Custom Response Messages**

 * Return custom error messages and HTTP status codes for each interface: REST, XML-RPC, and Admin-Ajax.

This plugin is ideal for hardening your WordPress site without breaking functionality.
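
How method-level REST blocking with a route whitelist and an IP allowlist can be wired into WordPress, as an added example that is not API Write Blocker's own code. It uses the core `rest_pre_dispatch` filter; every `awb_ex_*` / `AWB_EX_*` name and the sample allowlist values are hypothetical, and the IP check is IPv4-only and assumes 64-bit PHP.

```php
<?php
// Added example, not the plugin's code. All values below are constructed samples.
const AWB_EX_BLOCKED_METHODS = array( 'POST', 'PUT', 'PATCH', 'DELETE' );
const AWB_EX_ROUTE_PREFIXES  = array( '/contact-form-7/v1/contact-forms' );
const AWB_EX_IP_ALLOWLIST    = array( '203.0.113.10', '198.51.100.0/24' ); // RFC 5737 documentation ranges

/** IPv4-only CIDR match; a bare address is treated as a /32. */
function awb_ex_ip_allowed( string $ip, array $allowlist ): bool {
	$addr = ip2long( $ip );
	if ( false === $addr ) {
		return false; // Not IPv4 or malformed: never treated as allowlisted.
	}
	foreach ( $allowlist as $entry ) {
		list( $net, $bits ) = array_pad( explode( '/', $entry, 2 ), 2, '32' );
		$net_long = ip2long( $net );
		if ( false === $net_long || ! ctype_digit( $bits ) || (int) $bits > 32 ) {
			continue; // Skip malformed entries rather than failing open.
		}
		$mask = ( ~0 << ( 32 - (int) $bits ) ) & 0xFFFFFFFF;
		if ( ( $addr & $mask ) === ( $net_long & $mask ) ) {
			return true;
		}
	}
	return false;
}

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	// Leave reads, and requests another filter has already answered, untouched.
	if ( null !== $result || ! in_array( $request->get_method(), AWB_EX_BLOCKED_METHODS, true ) ) {
		return $result;
	}
	if ( is_user_logged_in() ) {
		return $result; // Authenticated users pass; core capability checks still apply.
	}
	// REMOTE_ADDR is the direct peer. Behind a reverse proxy it is the proxy's
	// address, and client-supplied forwarding headers are not trustworthy as-is.
	if ( awb_ex_ip_allowed( $_SERVER['REMOTE_ADDR'] ?? '', AWB_EX_IP_ALLOWLIST ) ) {
		return $result;
	}
	$route = $request->get_route();
	foreach ( AWB_EX_ROUTE_PREFIXES as $prefix ) {
		// Match on a path boundary so "/contact-forms" does not also admit "/contact-forms-other".
		if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
			return $result;
		}
	}
	return new WP_Error( 'awb_ex_write_blocked', 'Write operations are not allowed.', array( 'status' => 403 ) );
}, 10, 3 );
```

The boundary-aware prefix comparison is a stricter choice made in this example; a plain string-prefix match would also admit sibling routes that merely share the leading characters.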

## Screenshots

 * Settings UI under “Settings” > “API/Write Restriction”.
 * REST API write method controls and whitelist management.
 * IP whitelist and Ajax action whitelist settings.

## Installation

 1. Download the ZIP file and install it from “Plugins” > “Add New” > “Upload Plugin”.
 2. OR, unzip the plugin and upload it to the `/wp-content/plugins/` directory.
 3. Activate “API Write Blocker” from “Plugins” in the admin panel.
 4. Go to “Settings” > “API/Write Restriction” to configure the plugin.

## FAQ

### Will this plugin block Contact Form 7 or similar plugins?

No, as long as you whitelist the required routes (e.g., `contact-form-7/v1/contact-forms`)
and Ajax actions (e.g., `wpcf7-submit`). The plugin is designed to safely
allow necessary requests.

### Is it safe to disable write methods in the REST API?

Yes. Many sites do not use REST-based write operations publicly. By default, WordPress
allows unauthenticated POST, PUT, and DELETE calls, which may be exploited by attackers.
This plugin disables them unless explicitly allowed.

### Can I block XML-RPC write methods without disabling XML-RPC entirely?

Yes. This plugin blocks only post-related XML-RPC methods and lets other functions
like pingbacks or basic metaWeblog info pass, if desired.

### What happens to authenticated users?

Authenticated (logged-in) users are always allowed to execute requests. This plugin
mainly protects against unauthorized, anonymous, or non-whitelisted users.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“API Write Blocker” is open source software. The following people have contributed
to this plugin.

Contributors

 * [teamredfox](https://profiles.wordpress.org/teamredfox/)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/api-write-blocker/),
check out the [SVN repository](https://plugins.svn.wordpress.org/api-write-blocker/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/api-write-blocker/)
by [RSS](https://plugins.trac.wordpress.org/log/api-write-blocker/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0

 * Initial release.
 * REST API write method blocking (POST, PUT/PATCH, DELETE).
 * XML-RPC method-level write blocking.
 * Admin-Ajax write action blocking with whitelist.
 * IP and route/action whitelists.
 * Custom status code and message per interface.

## Meta

 * Version **1.0**
 * Last updated **7 months ago**
 * Active installations **Fewer than 10**
 * WordPress version **6.8 or higher**
 * Tested up to **6.8.5**
 * PHP version **7.4 or higher**
 * [Advanced View](https://wordpress.org/plugins/api-write-blocker/advanced/)
