This post walks through all of the settings provided with REST Pro Tools. These settings are current as of this writing; however, they may change as the plugin is updated and evolves. If you own the plugin, you can get a current view of all the settings by simply visiting them, and check the “Help” tab for the most current information. Non-owners who want a current view of the plugin settings can contact us anytime and we will send some screenshots showing all the latest settings.
Plugin Settings
Priority Tools
The settings under this tab are the main plugin settings. They give you control over “big picture” stuff. These settings take priority and override all other settings. Here is a rundown of each setting under the Priority Tools tab.
Disable REST API
Quickly enable or disable the entire REST API. When disabled, it no longer exists functionally. You can disable the entire REST API for all users or visitors (unauthenticated users).
Disable All Routes
Quickly enable or disable all REST API routes. When disabled, the REST API remains functionally active, but no routes are available. You can disable all REST API routes for all users or visitors (unauthenticated users).
Disable User Routes
Quickly enable or disable all /users routes. When disabled, all other routes remain accessible, but all of the /users routes are disabled. You can disable all REST API routes for all users or visitors (unauthenticated users).
Why is this useful? Because by default WordPress reveals sensitive information about each user, specifically user names/slugs. Because of that, a potential attacker is able to obtain every registered user name/slug via the route, /wp/v2/users. While it is possible to manually disable all user routes via the “Manage Access” settings, the Priority setting here makes it fast and easy with just a simple click.
Exclude User IDs
Here you can add any user IDs that should always be allowed access, even when the entire REST API is disabled. Enter each user ID that should be allowed access. Separate multiple IDs with commas. Note that this setting applies to any REST API request that otherwise would be blocked. This setting also applies to any REST API headers that otherwise would be disabled.
Exclude IP addresses
Here you can add any IP addresses that should always be allowed access, even when the entire REST API is disabled. Enter each IP address that should be allowed access. Separate multiple addresses with commas. Note that this setting applies to any REST API request that otherwise would be blocked. This setting also applies to any REST API headers that otherwise would be disabled.
For each IP address, you can use any of the following notations:
- Individual IP address, like 123.123.123.123
- Sequential range of IP addresses, like 123.123.
- CIDR range of IP addresses, like 123.123.123.123/24
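To see how much each notation admits before adding it to the exclude list, here is an added Python example (not the plugin's own code). Matching the “sequential range” form on whole leading octets is an assumption about its semantics, and the function names are illustrative.

```python
import ipaddress

def entry_matches(entry, client_ip):
    """Return True if one allowlist entry covers client_ip."""
    entry = entry.strip()
    addr = ipaddress.ip_address(client_ip)
    if "/" in entry:
        # CIDR: strict=False accepts host bits, so 123.123.123.123/24
        # means the whole 123.123.123.0 - 123.123.123.255 block.
        return addr in ipaddress.ip_network(entry, strict=False)
    if entry.endswith("."):
        # Assumed semantics: match on whole leading octets, so
        # "123.123." never matches 123.12.x.x or 1.123.123.x.
        return client_ip.startswith(entry)
    return addr == ipaddress.ip_address(entry)

def is_excluded(setting, client_ip):
    """Check a comma-separated setting value against a client address."""
    return any(entry_matches(e, client_ip)
               for e in setting.split(",") if e.strip())

def entry_size(entry):
    """Number of IPv4 addresses a single entry lets through."""
    entry = entry.strip()
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False).num_addresses
    if entry.endswith("."):
        fixed = entry.rstrip(".").split(".")  # "123.123." -> 2 fixed octets
        return 256 ** (4 - len(fixed))
    return 1

if __name__ == "__main__":
    # Constructed setting value using the notations shown above.
    setting = "123.123.123.123, 123.123., 203.0.113.9/24"
    for entry in setting.split(","):
        print(entry.strip(), "->", entry_size(entry), "addresses")
    print(is_excluded(setting, "203.0.113.200"))
```

Because excluded addresses bypass every block, including a fully disabled REST API, the size of each entry is worth checking: a two-octet prefix admits 65,536 addresses.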
Error Message
This is the error message that is returned whenever the plugin denies access to a request for the REST API. It does not apply when the entire REST API is disabled (first plugin setting). Nor does it apply to errors handled via WordPress core functionality.
Tip: you can include %%error%% in the error message setting to display any specific error message provided by WordPress. It only displays a message if there is a technical error, so it returns blank if the request is denied access.
Status Code
This is the status code that is returned whenever the plugin denies access to a request for the REST API. It does not apply when the entire REST API is disabled (first plugin setting). Nor does it apply to errors handled via WordPress core functionality.
Enforce SSL
This setting determines whether or not SSL/TLS is required in order to access the REST API. It can be set to block or redirect all non-SSL REST API requests.
Disable JSONP
One-click disable WordPress built-in support for JSONP shenanigans. The default is to not disable JSONP.
Reset Options
Last but not least, here is a link to quickly restore all plugin settings to defaults. Note that restoring default settings does not apply to the plugin license (under the License tab).
Manage Access
The settings under this tab give you granular control over each REST API route. Each route can be enabled or disabled per user role. Here are some things to keep in mind while using this tool to manage access to your REST API routes. Note that the “Exclude” settings under the Priority Tools tab apply to all routes under the Manage Access tab.
Choose user role
Use the dropdown/select menu to choose which user role you would like to manage. After you choose, the page will automatically reload with settings for the chosen role.
Access options
Directly beneath the dropdown/select menu, you will find access options, either “Manage Access” or “Complete Access”. When Manage Access is selected, all routes will be displayed, so you can enable or disable access for each of them. When Complete Access is selected, all routes will be hidden, and all users with the chosen role will have access.
Disable all routes
When Manage Access is selected, a button will appear that enables you to quickly disable all routes for the chosen user role. After clicking this button, all routes will be disabled, the settings will be saved, and the page will reload. So there is no need to click the “Save Changes” button in this case.
Manage route access
When Manage Access is selected, all routes will be displayed for the chosen user role. Next to each route is a toggle switch. To enable any route, the toggle color should show as a blue or purple color (depending on the current Admin Color Scheme). To disable any route, the toggle color should show as a light grey.
When routes are displayed, the top-level routes are displayed first, and then all secondary routes are displayed (indented) beneath them. Each of the top level routes is a hyperlink (link) that you can click to visit the route in a new browser tab. The links are also useful for quick copy/pasting the URL of any route.
After enabling or disabling any individual routes, remember to click the “Save Changes” button to save your changes.
Auto-enable indicator
Next to the dropdown/select menu where you can choose a user role, you will notice a small circle/dot icon. This is the auto-enable indicator. When it displays as a blue/purple color, it means that any new routes added by WordPress, plugins, or themes will be enabled automatically for the chosen user role. Conversely, if the indicator displays as a light grey color, it means any new routes will be disabled for the chosen role.
REST Headers
Here you can enable or disable default headers and functions for the REST API. For each setting, you can choose to enable or disable for all users, or disable only for unauthenticated users. Here is a summary of the headers and functions that may be disabled or enabled under the REST Headers tab. Note that the “Exclude” settings under the Priority Tools tab apply to all settings below.
- Init Hook — The init hook fires when the REST API is initialized
- Default Filters — After REST API is initialized, default filter hooks are added
- Default Settings — After REST API is initialized, default settings are loaded
- REST API URL — WordPress adds the REST API URL to the RSD endpoint
- REST API Link Tag — WordPress adds a REST API link tag to page headers
- REST API Link Header — WordPress adds an HTTP header for REST API requests
- Cookie Auth — Numerous filters relating to REST API cookie authentication
- oEmbed Functions — Several filters relating to REST API oEmbed functionality
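One way to confirm, from a logged-out client, that the Disable User Routes setting and the REST API Link Tag and Link Header settings above took effect. This is an added Python example, not code from the plugin; the captured responses are constructed samples and the function names are illustrative.

```python
import json
import re

API_REL = "https://api.w.org/"  # rel value WordPress uses to advertise the REST API

def users_route_exposed(status, body):
    """True if an unauthenticated /wp/v2/users response still lists user slugs."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, list) and any(
        isinstance(u, dict) and u.get("slug") for u in data)

def link_header_present(headers):
    """True if the response carries the REST API Link header."""
    link = next((v for k, v in headers.items() if k.lower() == "link"), "")
    return 'rel="%s"' % API_REL in link

def link_tag_present(html):
    """True if the page head carries the REST API link tag."""
    pattern = r'<link[^>]+rel=["\']%s["\']' % re.escape(API_REL)
    return re.search(pattern, html, re.I) is not None

def audit(users_resp, home_resp):
    """Each *_resp is (status, headers, body) from a logged-out request."""
    return {
        "users_route_exposed": users_route_exposed(users_resp[0], users_resp[2]),
        "link_header": link_header_present(home_resp[1]),
        "link_tag": link_tag_present(home_resp[2]),
    }

# Constructed captures (not real traffic): default install, then hardened.
DEFAULT_USERS = (200, {}, '[{"id": 1, "name": "Site Admin", "slug": "site-admin"}]')
DEFAULT_HOME = (200, {"Link": '<https://example.com/wp-json/>; rel="https://api.w.org/"'},
                '<head><link rel="https://api.w.org/" href="https://example.com/wp-json/" /></head>')
HARDENED_USERS = (401, {}, '{"code": "rest_forbidden", "message": "Access denied."}')
HARDENED_HOME = (200, {}, "<head><title>Example</title></head>")

if __name__ == "__main__":
    print("default :", audit(DEFAULT_USERS, DEFAULT_HOME))
    print("hardened:", audit(HARDENED_USERS, HARDENED_HOME))
```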
Custom Fields
Under the Custom Fields tab, you can lookup and add any post or user meta fields to the REST API. There are two types of meta fields (aka custom fields) that may be added under the Custom Fields tab:
- Add Post Meta — Any field names added here will be included in the /posts route
- Add User Meta — Any field names added here will be included in the /users route
Next, here are the steps to add post and user meta.
Add Post Meta
To add any post meta to the /posts route:
- Step 1 — In the “Add Post Meta” menu, choose whether to add post meta for all users, only authenticated users, or no users.
- Step 2 — In the “Add Post Meta” text box, enter the field name(s) (separate multiple names with commas).
- Step 3 — Save changes and done.
Add User Meta
To add any user meta to the /users route:
- Step 1 — In the “Add User Meta” menu, choose whether to add user meta for all users, only authenticated users, or no users.
- Step 2 — In the “Add User Meta” text box, enter the field name(s) (separate multiple names with commas).
- Step 3 — Save changes and done.
Meta Reference
Scroll down a bit to the Meta Reference section. There you will find lists of all the post and user meta that are used on the site. To view either list, click the “Show list” link. To hide the list, click the link again. From there, you can copy/paste any field names into the respective “Add meta” settings above.
Extra Data
The settings under the “Extra Data” tab are very straightforward. Here is a quick summary.
- Site Profile — Include general site information at a custom endpoint
- Page Author Profile — Add author profile information to pages endpoints
- Page Featured Image — Add featured image URLs to pages endpoints
- Post Author Profile — Add author profile information to posts endpoints
- Post Featured Image — Add featured image URLs to posts endpoints
- Post Categories — Include assigned categories for each post
- Post Taxonomy Terms — Include all taxonomy terms for each post
- All Taxonomies — Include all taxonomies for each post type
- All Taxonomy Terms — Include all terms for each taxonomy
Note: each setting provides a link that opens the corresponding REST route (opens in new tab).
More Tools
Three useful tools are available under the “More Tools” tab. Let’s look at each of them.
- WP REST API Root — This is the URL of the root REST API route for the current site. It’s just for reference, for your information. Click it to open the root route in a new tab or window.
- WP REST API Status — Here are two tests that check the current status of two native REST routes. This is useful to verify that the REST API is working correctly.
- HTTP Request Status — My favorite, here is a tool that enables you to check the response and headers for any valid URL. Simply enter a URL and click the button.
Plugin License
To activate and deactivate your license, visit WP Admin Menu ▸ Settings ▸ REST Pro Tools ▸ License tab.
Your purchase of REST Pro Tools entitles you to free updates and support according to the license terms (Yearly or Lifetime). To view your License Key at any time, follow this guide at Plugin Planet.
To activate your license, follow these steps:
- Visit the “License” tab in the plugin settings
- Enter your license key and click “Save License”
- Click the “Activate License” button
- Done! REST Pro Tools is now enabled and ready to use
For more details, visit the activation guide at Plugin Planet.
Notes
- Important: Remember to deactivate your license before uninstalling (deleting) the plugin, and/or transferring to a new domain.
- To deactivate the license at any time, click the “Deactivate License” button. To clear the license field, deactivate the license and then click the small “x” button.
- Alternate activation method. Instead of entering your license on the License screen, you can activate by adding a constant to the WordPress wp-config.php file.
Get Support
For plugin support, questions, and feedback, send us an email anytime via our contact form. Alternately you may log in to your account and post a topic at Plugin Planet. We usually respond very quickly, but please allow up to 48 hours for a response, thank you.