Blocks unauthenticated access to vulnerable REST paths. Add paths in Settings → Balada Fix. Only admins can use them.
| Author: | vladanrs (profile at wordpress.org) |
| WordPress version required: | 5.0 |
| WordPress version tested: | 6.9.4 |
| Plugin version: | 1.1.0 |
| Added to WordPress repository: | 26-03-2026 |
| Last updated: | 26-03-2026 |
| Rating, %: | 100 |
| Rated by: | 1 |
| Plugin URI: | |
| Total downloads: | 53 |
Balada Fix protects your site from unauthenticated abuse of specific WordPress REST API endpoints. Such endpoints (for example the tagDiv theme’s wp-json/tdw/save_css) are often targeted by the “Balada Injector” and similar campaigns to inject malicious scripts.
- Add one or more REST path patterns in Settings → Balada Fix (one per line).
- Only logged-in administrators with the `edit_theme_options` capability can access those paths.
- Unauthenticated or unauthorized requests receive a 403 Forbidden response.
Default protected path: tdw/save_css (tagDiv / Newspaper theme vulnerability).
