The #1 Security Solution for Headless WordPress. Lock down your REST API, block scrapers, and secure your Next.js/React backend with one click.
| Author: | Md. Rakib Ullah (profile at wordpress.org) |
| WordPress version required: | 5.8 |
| WordPress version tested: | 6.9.1 |
| Plugin version: | 2.2 |
| Added to WordPress repository: | 20-01-2026 |
| Last updated: | 22-02-2026 |
| Rating, %: | 100 |
| Rated by: | 2 |
| Plugin URI: | https://wordpress.org/plugins/headless-rest-a... |
| Total downloads: | 333 |
| Active installs: | 20+ |
 Click to start download |
|
Running a Headless WordPress site often involves exposing the REST API. Headless REST API Security provides tools for administrators to control which endpoints are accessible to the public or external applications.
This plugin restricts public access to REST API endpoints by default and offers a settings interface to allow-list only the specific routes required by a frontend application (such as Next.js, Gatsby, or mobile apps).
Features
- Access Control: Restrict default public access to REST API endpoints.
- Route Allow-Listing: Specific API routes (e.g.,
/wp/v2/posts) can be enabled while others remain restricted. - API Key Authentication: Supports an
X-API-KEYheader for server-to-server or frontend requests. - Headless Redirect: Option to redirect users accessing the backend API URL to a specified frontend domain.
- Admin Access: Logged-in Administrators and Editors retain access to the API to support the Block Editor (Gutenberg) functionality.
- Plugin Support: Detects routes registered by third-party plugins for configuration.
Usage
- Navigate to Settings > Headless Security in the WordPress dashboard.
- Enable the Master Switch to activate the access restrictions.
- Review the list of REST API routes and check the Allow box for endpoints the application requires.
- Copy the generated API Key for use in application headers.
- (Optional) Enter a Headless Frontend URL to configure redirects for visitors.
Screenshots
FAQ
ChangeLog