Support » Plugin: Disable WP REST API » Contact Form 7 Bypass Solution

  • Resolved Darko A7


    Hi Jeff,
    Happy holidays 🙂

    You know that thing when “a new problem” occurs and googling directs to your own post / writing lol?

    related topics:

    Yeah, I noticed in error logs that CF7 failed, and given the errors, this plugin was the main suspect. It was 1.5 years ago when I fixed this with a patch, and you should just ask me what it was back then (haven’t noticed further topics and conversations), because it was a very simple patch.

    I didn’t originally post a solution here, because it was a very simple one, and I thought it would be added as an option in the plugin’s settings, because not everyone needs / wants it (e.g. CF7 is not used by everyone).

    Problem: CF7 not sending emails

    jquery.min.js:2 POST https://.../wp-json/contact-form-7/v1/contact-forms/.../feedback 401 (Unauthorized)
    jquery.min.js:2 XHR failed loading: POST "https://.../wp-json/contact-form-7/v1/contact-forms/.../feedback".
    rest api response
    {"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}

    Solution is simple like this:

    in function disable_wp_rest_api() change the line from:

    if (!is_user_logged_in()) {

    to this:

    if ( !is_user_logged_in() && empty($_POST['_wpcf7']) ) {

    It does not check any security tokens.

    Hopefully, you’ll add this in the future, because with each update it stops working, and that could be very bad for many users, unless they apply this patch.


    The page I need help with: [log in to see the link]

Viewing 14 replies - 31 through 44 (of 44 total)
  • Thread Starter Darko A7


    Granted, user base who will install this plugin can be considered as more advanced than WP newbies, but still it is up to you if you wish to make it a comfortable plugin experience or not. For me this is not an issue, I will continue using modified version, as it “most efficient” in terms of code base.


    Hey again,

    through your plugin upgrade I just now came to read the 2018 comments on , and read about the other much-used disable json plugin. I did not know it existed 🙂

    Anyway, that other plugin also already has whitelisting endpoint options, including CF7. But also The Event Calendar, which I needed.

    Personally, earlier I also decided to cancel Darko’s hack with the CF7 object, and just check on the url, like:

    If (strpos($_SERVER[‘REQUEST_URI’], ‘contact/’)) then … enable.

    This isn’t just applied to the page urls, but also to the ajax urls the json uses, so it can not be circumvented, and this seems to work fine.

    Just FYI. Cheers.

    Plugin Author Jeff Starr



    Yes for more control over which plugins have access, etc. you should go with the other more widely used plugin, Disable REST API. As explained in the linked article, I created my “Disable REST” plugin in response to the other existing options. They were just way more than I needed. I wanted something super lightweight and fast. So I built the absolute lightest fastest plugin possible. So if you need more than the basic disable-REST functionality, use that other plugin is recommended.

    That said, I will take another look at possible extending this plugin with some further functionality, settings, etc. to make it a bit more flexible in terms of allowing specific access to endpoints and whatnot. I appreciate your feedback on this matter.


    For more control over access, endpoints, and the whole bit, check out the very popular Disable REST API plugin. It has all the bells and whistles you could ask for. Thanks to @tezalsec for reminding me about this plugin, and why I decided to create an alternative in the first place.

    Cheers both for the discussion.

    Thread Starter Darko A7


    I used one plugin before that stopped working, that is when I switched to yours. For the time being I’ll continue using your modified version (not first, nor last custom modded plugin in my setup), but maybe in the future switch to the other one.

    I am confused about that plugin from 2018, how is that possible? What I mean, if you already knew about this few years ago, why didn’t you say so in the first place? 🙂

    Issue finally resolved

    • This reply was modified 1 year, 4 months ago by Darko A7.
    Plugin Author Jeff Starr


    “how is that possible? What I mean, if you already knew about this few years ago, why didn’t you say so in the first place?”

    Lol I am only human 🙂

    Thread Starter Darko A7


    I know (I hope lol), it’s just that this issue was known for at least 1.5 years when I reported it back then, but you already posted a solution longer before that in another place in 2018. That’s just strange 🙂

    Anyway it’s all good now.

    Plugin Author Jeff Starr


    “but you already posted a solution longer before that in another place in 2018.”

    Are you referring to this? If so, I just added that yesterday.

    Thread Starter Darko A7


    Oh, all right then. I saw that comments were dated back from 2018 and that confused me along @tezalsec post above – mystery resolved 🙂
    Any comment on the remark that there is no need anymore to block the rest-api ?

    Thread Starter Darko A7


    To each his own, as they say. That statement is preposterous, to be nice. 🙂

    Plugin Author Jeff Starr


    @jseutens remarks don’t prove anything. The author obviously is biased and needs to provide links/references to prove such a claim.

    For Contact Form 7 something is missing.
    The confirmation message below is not shown after submission.

    This add-on seems not enough to execute the ajax script.
    function disable_wp_rest_api_post_var($var) { return ‘_wpcf7’; }
    add_filter(‘disable_wp_rest_api_post_var’, ‘disable_wp_rest_api_post_var’);

    What needs to be added?

    (Error messages for missing/wrong files are shown!

    An the Form is send, but the user can not see that…..

    Unfortunately it still doesn’t work with CF7.
    Pressing submit without filling mandatory fields -> CF7 hangs forever.

    WP 5.7.2, CV7 5.4.1, Disable WP REST API 2.1

    Any updates planned?

    Plugin Author Jeff Starr


    There is no built-in support for CF7 or any other specific plugin. There is however a simple addon that enables CF7 when using Disable WP REST API plugin. You can find it in the FAQs under “How to allow access for Contact Form 7” on the plugin homepage. Download, activate, and done.

Viewing 14 replies - 31 through 44 (of 44 total)
  • The topic ‘Contact Form 7 Bypass Solution’ is closed to new replies.