Internationalization fix so the plugin is translatable via WordPress.org. No functional change.<\/p>","1.0.4":"
Plugin renamed to "MaxtDesign REST API Control." Cosmetic only \u2014 your settings and behaviour are unchanged.<\/p>","1.0.3":"
Fixes route-level whitelisting for parameterized endpoints (namespace whitelisting was already fine) and makes multi-role access most-permissive. Recommended for anyone using per-route or per-role rules.<\/p>","1.0.2":"
Security fix. Closes a fail-open on the REST API root ( WordPress 7.0 compatibility confirmed. Hardens settings import and the activation path. Recommended for all users.<\/p>","1.0.0":" Initial release. Take full control of your WordPress REST API.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3577509,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3577509,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3577509,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3577509,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.5"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3577509,"resolution":"1","location":"assets","locale":"","width":2560,"height":1600},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3577509,"resolution":"2","location":"assets","locale":"","width":2560,"height":1600},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3577509,"resolution":"3","location":"assets","locale":"","width":2560,"height":1600},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3577509,"resolution":"4","location":"assets","locale":"","width":2560,"height":1600}},"screenshots":{"1":"Global settings \u2014 one-click toggle to disable REST API for unauthenticated users.","2":"Endpoint whitelist \u2014 auto-discovered endpoints with collapsible namespace tree.","3":"Per-role controls \u2014 restrict REST API access for individual user roles.","4":"Import\/Export \u2014 easily transfer settings between sites."}},"plugin_section":[],"plugin_tags":[267745,125786,32184,23853,600],"plugin_category":[54],"plugin_contributors":[250063],"plugin_business_model":[],"class_list":["post-326183","plugin","type-plugin","status-publish","hentry","plugin_tags-api-control","plugin_tags-disable-rest-api","plugin_tags-json-api","plugin_tags-rest-api","plugin_tags-security","plugin_category-security-and-spam-protection","plugin_contributors-slaacr","plugin_committers-slaacr"],"banners":{"banner":"https:\/\/ps.w.org\/maxtdesign-rest-api-control\/assets\/banner-772x250.png?rev=3577509","banner_2x":"https:\/\/ps.w.org\/maxtdesign-rest-api-control\/assets\/banner-1544x500.png?rev=3577509","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/maxtdesign-rest-api-control\/assets\/icon-128x128.png?rev=3577509","icon_2x":"https:\/\/ps.w.org\/maxtdesign-rest-api-control\/assets\/icon-256x256.png?rev=3577509","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/maxtdesign-rest-api-control\/assets\/screenshot-1.png?rev=3577509","caption":"Global settings \u2014 one-click toggle to disable REST API for unauthenticated users."},{"src":"https:\/\/ps.w.org\/maxtdesign-rest-api-control\/assets\/screenshot-2.png?rev=3577509","caption":"Endpoint whitelist \u2014 auto-discovered endpoints with collapsible namespace tree."},{"src":"https:\/\/ps.w.org\/maxtdesign-rest-api-control\/assets\/screenshot-3.png?rev=3577509","caption":"Per-role controls \u2014 restrict REST API access for individual user roles."},{"src":"https:\/\/ps.w.org\/maxtdesign-rest-api-control\/assets\/screenshot-4.png?rev=3577509","caption":"Import\/Export \u2014 easily transfer settings between sites."}],"raw_content":"\n MaxtDesign REST API Control<\/strong> gives you complete control over who can access your WordPress REST API and which endpoints are available.<\/p>\n\n By default, WordPress exposes a REST API to the public, which can reveal usernames, post data, and site structure to anyone. This plugin lets you lock down the REST API for unauthenticated visitors while keeping it fully functional for logged-in users and the plugins that need it.<\/p>\n\n The plugin uses the This plugin follows the MaxtDesign performance-first philosophy:<\/p>\n\n This plugin makes no external HTTP requests, sets no cookies, loads no third-party scripts, and collects no analytics. It does not track usage and never \"calls home.\" It stores a single settings option ( No. The plugin only affects REST API requests. Your website's frontend, admin dashboard, and all standard WordPress functionality remain completely unaffected. Logged-in users have full REST API access by default.<\/p><\/dd>\n Yes. Contact Form 7 requires the REST API for form submissions. The plugin automatically detects CF7 on activation and whitelists its endpoints. If you activate CF7 after this plugin, simply check the Yes. The plugin automatically detects WooCommerce on activation and whitelists the Store API endpoints ( Your REST API returns to normal WordPress behavior \u2014 fully open. Your settings are preserved so they'll be restored if you reactivate. Settings are only deleted when you delete<\/strong> the plugin through the WordPress admin.<\/p><\/dd>\n No. By default the plugin only restricts unauthenticated<\/strong> requests, and every logged-in user keeps full REST API access \u2014 so the block editor, which talks to the REST API as the logged-in author, is completely unaffected. The \"Allow REST API for all logged-in users\" toggle is on out of the box specifically to keep the editor, dashboard, and admin AJAX working. You would only see editor issues if you deliberately turn that toggle off and<\/strong> restrict your own role without whitelisting Yes. The Per-Role Controls section lets you restrict REST API access for individual roles (subscriber, contributor, author, editor, etc.) and configure a custom endpoint whitelist for each restricted role.<\/p><\/dd>\n The most permissive role wins. If a user holds any role that is not<\/strong> restricted, they keep full REST API access. If every one of their roles is restricted, the plugin combines the whitelists of all those roles and allows a request that any of them permits. This prevents a single restricted role (for example a stray Yes. The plugin auto-discovers all registered REST API endpoints, including those from themes and other plugins. Any custom endpoints will appear in the whitelist tree.<\/p><\/dd>\n Use the Export Settings button to download a JSON file, then use Import Settings on the other site to upload it.<\/p><\/dd>\n\n<\/dl>\n\n\n\/wp-json\/<\/code>) that left the discovery endpoint exposed even when the plugin was active. Update immediately.<\/p>","1.0.1":"Key Features<\/h4>\n\n
\n
How It Works<\/h4>\n\n
rest_authentication_errors<\/code> filter \u2014 the correct, modern WordPress approach \u2014 to intercept REST API requests early in the lifecycle, before any endpoint logic executes. This means blocked requests have virtually zero performance impact.<\/p>\n\nBuilt for Performance<\/h4>\n\n
\n
Privacy<\/h3>\n\n
mdra_settings<\/code>) in your database and nothing else; that option is removed when you delete the plugin. No personal or visitor data is processed or transmitted.<\/p>\n\n\n\n
maxtdesign-rest-api-control<\/code> folder to \/wp-content\/plugins\/<\/code>.<\/li>\n\n
Will this break my site?<\/h3><\/dt>\n
Does this work with Contact Form 7?<\/h3><\/dt>\n
contact-form-7<\/code> namespace in the endpoint whitelist.<\/p><\/dd>\nDoes this work with WooCommerce?<\/h3><\/dt>\n
wc\/store<\/code>) needed for cart and checkout blocks. The WooCommerce admin API endpoints are available to logged-in users by default.<\/p><\/dd>\nWhat happens when I deactivate the plugin?<\/h3><\/dt>\n
Does this affect the WordPress block editor (Gutenberg)?<\/h3><\/dt>\n
wp\/v2<\/code> \u2014 which the per-role UI makes explicit.<\/p><\/dd>\nCan I restrict specific user roles?<\/h3><\/dt>\n
What happens if a user has more than one role?<\/h3><\/dt>\n
subscriber<\/code> capability) from unexpectedly locking out a user who also has an unrestricted role.<\/p><\/dd>\nDoes this work with custom REST API endpoints?<\/h3><\/dt>\n
How do I transfer settings to another site?<\/h3><\/dt>\n
1.0.5<\/h4>\n\n
\n
maxtdesign-rest-api-control<\/code>) so the plugin can be translated through the WordPress.org translation system. No functional change.<\/li>\n<\/ul>\n\n1.0.4<\/h4>\n\n
\n
1.0.3<\/h4>\n\n
\n
wp\/v2\/posts\/(?P<id>[\\d]+)<\/code> previously stored a corrupted value (the sanitiser mangled the regex) and could never match a real request. Route patterns are now stored intact and matched the way WordPress itself matches them. Namespace-level whitelisting was unaffected.<\/li>\n1.0.2<\/h4>\n\n
\n
\/wp-json\/<\/code>) is now blocked when \"Disable REST API for unauthenticated users\" is on. Previously, the controller's route-lookup returned an empty string for the root index and the code took an early fail-open branch \u2014 meaning the most-scraped discovery URL was always exposed even when the plugin was active. Logged-out visitors and unauthenticated scrapers now hit the configured error response on \/wp-json\/<\/code> like any other endpoint.<\/li>\n<\/ul>\n\n1.0.1<\/h4>\n\n
\n
is_uploaded_file()<\/code> and reads the temp file directly instead of mis-sanitising the server-generated path.<\/li>\nwp-admin\/includes\/plugin.php<\/code> before calling is_plugin_active()<\/code> so WP-CLI and multisite bulk-activate paths can't fatal.<\/li>\nload_plugin_textdomain()<\/code> call. WordPress.org handles translation loading automatically since WP 4.6, and the just-in-time loader added in 6.7 made the explicit call dead code.<\/li>\n<\/ul>\n\n1.0.0<\/h4>\n\n
\n