A plugin to control the operation of admin-ajax.php, REST API, and xmlrpc.
| Author: | teamredfox (profile at wordpress.org) |
| WordPress version required: | 6.8 |
| WordPress version tested: | 6.8.3 |
| Plugin version: | 1.0 |
| Added to WordPress repository: | 26-10-2025 |
| Last updated: | 26-10-2025 |
| Rating, %: | 0 |
| Rated by: | 0 |
| Plugin URI: | https://profiles.wordpress.org/teamredfox/ |
| Total downloads: | 180 |
API Write Blocker is a security-focused plugin that prevents unauthorized or anonymous users from executing write operations through REST API, XML-RPC, and Admin-Ajax interfaces.
Unlike generic API blockers, this plugin enables fine-grained control over which HTTP methods (POST, PUT/PATCH, DELETE) are allowed, supports whitelist-based exceptions, and protects core endpoints without interfering with legitimate functionality such as contact form submissions or plugin integrations.
Key Features
REST API Method-Level Blocking
* Independently block POST, PUT/PATCH, and DELETE requests.
* Whitelist specific REST routes (prefix match supported) to allow legitimate access (e.g., contact forms).
* Configure a custom HTTP status code and error message per request type.
XML-RPC Write Operation Blocking
* Disable only dangerous write-related XML-RPC methods (e.g., wp.newPost, metaWeblog.editPost) while keeping harmless calls untouched.
* Return a custom status code and error message for blocked XML-RPC operations.
Admin-Ajax Write Protection
* Blocks known sensitive write-related Ajax actions (e.g., save-post, upload-attachment) for unauthenticated users.
* Whitelist specific actions used by safe plugins like Contact Form 7.
Flexible Exceptions
* Authenticated users are always allowed by default.
* IP Whitelist support (including CIDR ranges) for external systems or trusted clients.
Custom Response Messages
* Return custom error messages and HTTP status codes for each interface: REST, XML-RPC, and Admin-Ajax.
This plugin is ideal for hardening your WordPress site without breaking functionality.



