Support » Plugin: iThemes Security (formerly Better WP Security) » You do not have sufficient permission to access this endpoint.

  • Noticed today that using http://www.skottit.com throws this error below. https://skottit.com works fine.

    {"code":"itsec_rest_api_access_restricted","message":"You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.","data":{"status":401}}

    I have already changed REST API from “restricted” to “default” with no change.

    Any help would be appreciated.


Viewing 8 replies - 1 through 8 (of 8 total)
  • I have already changed REST API from “restricted” to “default” with no change.

    Possibly due to some sort of caching.

    The interesting thing about this feature is that it’s implemented using the rest_dispatch_request filter hook (line 108 in the better-wp-security/core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php file):

    add_filter( 'rest_dispatch_request', array( $this, 'filter_rest_dispatch_request' ), 10, 4 );

    Since the feature always hooks into the rest_dispatch_request filter it could potentially trigger the restricted message unexpectedly.

    That said there are several checks performed in the hooked callback that will prevent the restricted msg from triggering.

    To prevent any confusion, I’m not iThemes.
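Added example, not part of the thread and not iThemes Security's code: a sketch of how a callback on the rest_dispatch_request filter can stay hooked on every REST request and still only return the 401 error when all of its checks pass. The option name, function name, error code and the choice of checks are hypothetical.

```php
<?php
// Hypothetical names throughout: example_rest_restriction_mode,
// example_filter_rest_dispatch_request, example_rest_access_restricted.
add_filter( 'rest_dispatch_request', 'example_filter_rest_dispatch_request', 10, 4 );

function example_filter_rest_dispatch_request( $dispatch_result, $request, $route, $handler ) {
	// Another callback already short-circuited the request: keep its result.
	if ( null !== $dispatch_result ) {
		return $dispatch_result;
	}

	// Check 1: with the setting on "default" the callback runs but does nothing.
	if ( 'restricted' !== get_option( 'example_rest_restriction_mode', 'default' ) ) {
		return $dispatch_result;
	}

	// Check 2: logged-in users are not restricted in this sketch.
	if ( is_user_logged_in() ) {
		return $dispatch_result;
	}

	// Check 3: only core content routes are restricted.
	// "/wp/v2/pages/16" becomes array( 'wp', 'v2', 'pages', '16' ).
	$route_parts = explode( '/', trim( $request->get_route(), '/' ) );
	if ( count( $route_parts ) < 3 || 'wp' !== $route_parts[0] ) {
		return $dispatch_result;
	}

	// Returning a WP_Error (anything non-null) stops the endpoint handler from
	// running. The 'status' entry becomes the HTTP status of the JSON response;
	// the other entries show up under "data" and help when debugging.
	return new WP_Error(
		'example_rest_access_restricted',
		'Access to this REST API endpoint is restricted.',
		array(
			'status'   => rest_authorization_required_code(), // 401 when not logged in
			'endpoint' => $route_parts[2],
			'id'       => isset( $route_parts[3] ) ? $route_parts[3] : null,
		)
	);
}
```

Because the error is generated per request by the callback, a restricted response that keeps appearing after the setting has been changed points to a stored copy of the response somewhere between the browser and WordPress.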

    Thread Starter ksmyers

    (@ksmyers)

    Thanks – I have tried flushing the cache after the change. Is that what you mean?

    I’m no developer so this is not my forte – any suggestion on how to fix?

    Yes.

    This may be related to the line below which seems to be included in the <head></head> section (on https://skottit.com):

    <link rel="alternate" type="application/json" href="https://skottit.com/wp-json/wp/v2/pages/16">

    Not sure why http://www.skottit.com attempts to redirect to https://skottit.com/wp-json/wp/v2/pages/16

    For confirmation perform the following test.

    Make a copy of the better-wp-security/core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php file (on the server hosting the WordPress site).

    Then edit the better-wp-security/core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php file and replace the lines below (lines 365,366,367):

    } else {
    	return $error;
    }

    with:

    } else {
    	$error->add( 'itsec_rest_api_post_or_page', 'Posts or pages endpoint!', array( 'endpoint' => $route_parts[2], 'id' => $route_parts[3]  ) );
    	return $error;
    }

    Save changes.

    Then access http://skottit.com (preferably from the Firefox browser on Windows since the JSON result will automatically be presented in a readable format).

    There should be some additional output that confirms my theory (or not).
    Good luck !

    PS: Don’t forget to undo the change by restoring the file copy afterwards.

    • This reply was modified 1 month, 3 weeks ago by nlpro.

    Correction: You should access the failing link after the change: http://www.skottit.com

    Thread Starter ksmyers

    (@ksmyers)

    Ok tried that and got the same results. Here’s from Firefox…

    code “itsec_rest_api_access_restricted”
    message “You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.”
    data
    status 401

    Hmm, make sure you haven’t made the changes on lines 343,344,345.

    The

    } else {
    	return $error;
    }

    lines exist twice in this file and pretty close to one another, so chances are you end up adding the change too soon. The result is no change at all 😉 (It happened to me while testing…).

    Use the link below to determine the right position in the file:

    better-wp-security/core/modules/wordpress-tweaks/class-itsec-wordpress-tweaks.php

    lines 365,366,367 is the right position in the file (second occurrence of the 3 lines of code).

    Thread Starter ksmyers

    (@ksmyers)

    Just to close this out – this issue turned out to be a caching issue with the hosting provider. That’s it.

    Thanks for the help.

    The thing with caching is that it can happen everywhere.

    Anyway, thanks for the closure msg 😉
