Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3467049

Timestamp:

02/22/2026 06:46:47 PM (5 weeks ago)

Author:

rakib417

Message:

Fixed bugs and updated version to 2.3

Location:

headless-rest-api-security/trunk

Files:

: 4 edited

headless-rest-api-security.php (modified) (1 diff)
includes/admin.css (modified) (1 diff)
includes/settings.php (modified) (8 diffs)
readme.txt (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

headless-rest-api-security/trunk/headless-rest-api-security.php

-                      r3443475
+                      r3467049
 <?php
 /*
 Plugin Name: Headless REST API Security
 Plugin URI: https://wordpress.org/plugins/headless-rest-api-security/
 Description: Security Solution for Headless WordPress. Lock down your REST API, block scrapers, and secure your Next.js/React backend with one click.
+Version: 2.0
 Author: Md. Rakib Ullah
 Author URI: https://www.linkedin.com/in/rakib417/
 Author Email: rakib417@gmail.com
 Text Domain: headless-rest-api-security
 Domain Path: /languages
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 */
+/**
+ * Plugin Name: Headless REST API Security
+ * Plugin URI: https://wordpress.org/plugins/headless-rest-api-security/
+ * Description: Secure your Headless WordPress REST API by disabling public access, enabling strict route whitelisting, and managing API authentication keys.
+ * Version: 2.2
+ * Author: Md. Rakib Ullah
+ * Author URI: https://www.linkedin.com/in/rakib417/
+ * Author Email: rakib417@gmail.com
+ * Text Domain: headless-rest-api-security
+ * Domain Path: /languages
+ * License: GPLv2 or later
+ * License URI: https://www.gnu.org/licenses/gpl-2.0.html
+ */
 if (!defined('ABSPATH'))
+if (!defined('ABSPATH')) {
     exit;
+}
 // 1. Load Admin Interface

headless-rest-api-security/trunk/includes/admin.css

-                      r3443475
+                      r3467049
+.wrap h1 {
+    color: #0073aa;
+}
+hr {
+    margin: 10px 0;
+}
+.hras-table-wrapper{max-height:600px;overflow-y:auto;border:1px solid #E2E8F0;background:#FFFFFF;margin-top:15px;box-shadow:0 4px 6px -1px rgba(15,23,42,0.05);border-radius:6px}.hras-table{border-collapse:collapse;width:100%;background:#FFFFFF}.hras-table thead th{position:sticky;top:0;z-index:10;background:#F1F5F9;color:#0F172A;padding:15px;font-weight:700;font-size:13px;text-transform:uppercase;letter-spacing:0.5px;text-align:center;border-bottom:2px solid #CBD5E1}.hras-table thead th.allow-header{background:#16A34A;color:#FFFFFF;border-bottom:2px solid #14532d;width:90px}.hras-table td.route-name{text-align:left;padding:12px 15px;width:320px;border-right:1px solid #E2E8F0}.hras-table td.route-name code{font-size:13px;font-family:'SFMono-Regular',Consolas,'Liberation Mono',Menlo,monospace;color:#94A3B8;background:transparent;transition:color 0.2s ease}.hras-table td{text-align:center;vertical-align:middle;border-bottom:1px solid #E2E8F0;padding:10px}.hras-table td.enable-col{background-color:#DCFCE7;border-right:1px solid #E2E8F0}tr.active-row td{background-color:#FFFFFF}tr.active-row td.route-name code{color:#0F172A;font-weight:600}table.hras-table.widefat{border-left:4px solid #2563eb63}tr[data-type="core"] td.route-name{border-left:4px solid #2563eb63}tr[data-type="plugin"] td.route-name{border-left:4px solid #757272a8}tr.active-row[data-type="core"] td.route-name{border-left-color:#2563EB;background:#EFF6FF}tr.active-row[data-type="plugin"] td.route-name{border-left-color:#0F172A}input[disabled]{opacity:0.3;cursor:not-allowed;filter:grayscale(100%)}input[type="checkbox"]{transform:scale(1.3);border:1px solid #94A3B8;border-radius:4px;background:#FFFFFF;cursor:pointer;transition:all 0.2s ease;appearance:none;-webkit-appearance:none;width:16px;height:16px;position:relative}input[type="checkbox"]::after{content:'';position:absolute;display:none;left:5px;top:1px;width:4px;height:9px;border:solid white;border-width:0 2px 2px 0;transform:rotate(45deg)}input[type="checkbox"]:checked{background-color:#16A34A;border-color:#16A34A}input[type="checkbox"]:checked::after{display:block}input[type="checkbox"]:focus{box-shadow:0 0 0 2px #DCFCE7;border-color:#16A34A;outline:none}.hras-table tbody tr:hover td{background-color:#F8FAFC}.hras-table tbody tr:hover td.enable-col{background-color:#bbf7d0}

headless-rest-api-security/trunk/includes/settings.php

-                      r3443475
+                      r3467049
+}
+/**
+ * 1. ENQUEUE SCRIPTS & STYLES
+ */
+function hras_enqueue_assets($hook)
+{
+    // Only load on our specific settings page
+    // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+    if (isset($_GET['page']) && $_GET['page'] !== 'hras-settings' && $_GET['page'] !== 'headless-rest-api-security') {
+        return;
+    }
+    // A. Enqueue the CSS file
+    wp_enqueue_style('hras-admin-style', plugin_dir_url(__FILE__) . 'admin.css', array(), '2.2');
+    // B. Add the Javascript Logic (Inline)
+    $custom_js = "
+    document.addEventListener('DOMContentLoaded', function () {
+        const rows = document.querySelectorAll('.hras-row');
+        rows.forEach(row => {
+            const masterToggle = row.querySelector('.row-master-toggle');
+            const methodChecks = row.querySelectorAll('.method-check');
+            if(masterToggle) {
+                masterToggle.addEventListener('change', function () {
+                    const isEnabled = this.checked;
+                    if (isEnabled) {
+                        row.classList.add('active-row');
+                        methodChecks.forEach(box => { box.removeAttribute('disabled'); box.checked = true; });
+                    } else {
+                        row.classList.remove('active-row');
+                        methodChecks.forEach(box => { box.setAttribute('disabled', 'disabled'); box.checked = false; });
+                    }
+                });
+            }
+        });
+    });
+    ";
+    wp_add_inline_script('jquery-core', $custom_js);
+}
+add_action('admin_enqueue_scripts', 'hras_enqueue_assets');
+/**
+ * 2. REGISTER SETTINGS
+ */
 add_action('admin_init', 'hras_register_settings');
 function hras_register_settings()
+{
-    // Simple integer sanitization
     register_setting('hras_settings_group', 'hras_enabled', 'intval');
-    // URL sanitization
     register_setting('hras_settings_group', 'hras_headless_redirect', 'esc_url_raw');
-    // Text sanitization
     register_setting('hras_settings_group', 'hras_api_key', 'sanitize_text_field');
     register_setting('hras_settings_group', 'hras_allowed_domain', 'sanitize_text_field');
-    // Custom callback for array sanitization
     register_setting('hras_settings_group', 'hras_whitelisted_routes', 'hras_sanitize_routes_cb');
 …
+}
-/**
- * Custom Sanitization Callback for Route Array
- */
 function hras_sanitize_routes_cb($input)
+{
 …
         return array();
+    }
     $clean = array();
     foreach ($input as $route => $methods) {
 …
+}
 /* 🌟 GRID UI WITH SMART SORTING 🌟 */
+/* 🌟 GRID UI CALLBACK 🌟 */
 function hras_routes_grid_cb()
+{
+    // FIX: Added phpcs ignore comment because we are intentionally triggering a Core hook
+    if (!did_action('rest_api_init')) {
+        // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+        do_action('rest_api_init');
+    }
+    // Safely load the REST server without crashing other plugins
     $server = rest_get_server();
+    // Safety check: if server is missing (rare), create a dummy to prevent fatal error
+    if (!$server) {
+        $server = new WP_REST_Server();
+        // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+        do_action('rest_api_init', $server);
+    }
+    $all_routes = array_keys($server->get_routes());
+    $all_routes = $server ? array_keys($server->get_routes()) : array();
     $saved_rules = get_option('hras_whitelisted_routes', array());
     $http_methods = array('GET', 'POST', 'PUT', 'DELETE');
-    // 1. Consolidate Routes
     $display_routes = array();
     foreach ($all_routes as $route) {
 …
             continue;
+        }
         $parts = explode('/', trim($route, '/'));
         $is_core = (isset($parts[0], $parts[1]) && $parts[0] === 'wp' && $parts[1] === 'v2');
 …
+    }
+    // 2. Custom Sorting
+    uksort(
+        $display_routes,
+        function ($a, $b) {
+            $priority_map = array(
+                '/wp/v2/posts' => 10,
+                '/wp/v2/pages' => 20,
+                '/wp/v2/users' => 40,
+                '/wp/v2' => 80,
+                '/' => 999,
+            );
+            $get_score = function ($route) use ($priority_map) {
+                foreach ($priority_map as $key => $score) {
+                    if (strpos($route, $key) === 0) {
+                        return $score;
+                    }
+    uksort($display_routes, function ($a, $b) {
+        $priority_map = array('/wp/v2/posts' => 10, '/wp/v2/pages' => 20, '/wp/v2/users' => 40, '/wp/v2' => 80, '/' => 999);
+        $get_score = function ($route) use ($priority_map) {
+            foreach ($priority_map as $key => $score) {
+                if (strpos($route, $key) === 0) {
+                    return $score;
+                }
-                return 999;
-            };
-            $score_a = $get_score($a);
-            $score_b = $get_score($b);
-            if ($score_a !== $score_b) {
-                return $score_a - $score_b;
+            }
+            return strcmp($a, $b);
+        }
+    );
+            return 999;
+        };
+        $score_a = $get_score($a);
+        $score_b = $get_score($b);
+        return ($score_a !== $score_b) ? $score_a - $score_b : strcmp($a, $b);
+    });
     ?>
-    <style>
-        .hras-table-wrapper {
-            max-height: 600px;
-            overflow-y: auto;
-            border: 1px solid #c3c4c7;
-            background: #fff;
+        }
-        .hras-table {
-            width: 100%;
-            border-collapse: collapse;
+        }
-        .hras-table th {
-            position: sticky;
-            top: 0;
-            background: #f0f0f1;
-            z-index: 10;
-            padding: 12px;
-            text-align: center;
-            border-bottom: 2px solid #c3c4c7;
+        }
-        .hras-table td {
-            border-bottom: 1px solid #eee;
-            padding: 8px;
-            text-align: center;
-            vertical-align: middle;
+        }
-        .hras-table td.route-name {
-            text-align: left;
-            background: #f9f9f9;
-            font-family: monospace;
-            font-weight: 600;
-            color: #d63638;
-            border-right: 1px solid #eee;
-            padding-left: 15px;
+        }
-        .enable-col {
-            background-color: #e5f5fa !important;
-            border-right: 1px solid #eee;
+        }
-        tr.active-row td.route-name {
-            color: #008a20;
-            background-color: #f6f7f7;
+        }
-        input[disabled] {
-            opacity: 0.3;
-            cursor: not-allowed;
+        }
-        tr[data-type="plugin"] td.route-name {
-            border-left: 4px solid #0073aa;
+        }
-        tr[data-type="core"] td.route-name {
-            border-left: 4px solid #d63638;
+        }
-        tr.active-row[data-type="core"] td.route-name {
-            border-left-color: #00a32a;
+        }
-    </style>
     <div class="hras-table-wrapper">
         <table class="hras-table">
+        <table class="hras-table widefat">
             <thead>
                 <tr>
                     <th style="text-align:left; min-width: 250px;">Main API Path</th>
                     <th style="width: 80px; background:#dcdcde; color:#000;">ALLOW</th>
+                    <th class="route-header">Main API Path</th>
+                    <th class="allow-header">ALLOW</th>
                     <?php foreach ($http_methods as $method): ?>
                         <th style="width: 80px;">
+                        <th class="method-header">
                             <?php echo esc_html($method); ?>
                         </th>
 …
                     $is_row_active = !empty($saved_rules[$route]);
                     $row_class = $is_row_active ? 'hras-row active-row' : 'hras-row';
+                    // Determine if it's Core or Plugin for CSS styling
                     $row_type = (strpos($route, '/wp/v2') === 0) ? 'core' : 'plugin';
                     ?>
+                    <tr class="<?php echo esc_attr($row_class); ?>" id="row-<?php echo esc_attr($row_id); ?>"
+                        data-type="<?php echo esc_attr($row_type); ?>">
+                    <tr class="<?php echo esc_attr($row_class); ?>" data-type="<?php echo esc_attr($row_type); ?>">
                         <td class="route-name">
                             <?php echo esc_html($route); ?>
+                            <code><?php echo esc_html($route); ?></code>
                         </td>
+                        <td class="enable-col"><input type="checkbox" class="row-master-toggle" <?php checked($is_row_active, true); ?>></td>
+                        <?php
+                        foreach ($http_methods as $method):
+                        <td class="enable-col">
+                            <input type="checkbox" class="row-master-toggle" <?php checked($is_row_active, true); ?>>
+                        </td>
+                        <?php foreach ($http_methods as $method):
                             $is_checked = isset($saved_rules[$route][$method]) ? 'checked' : '';
                             $field_name = 'hras_whitelisted_routes[' . esc_attr($route) . '][' . esc_attr($method) . ']';
                             $disabled_attr = $is_row_active ? '' : 'disabled';
                             ?>
                             <td class="check-col"><input type="checkbox" name="<?php echo esc_attr($field_name); ?>" value="1"
                                     class="method-check" <?php echo esc_attr($is_checked); ?>
                                 <?php echo esc_attr($disabled_attr); ?>>
+                            <td class="check-col">
+                                <input type="checkbox" name="<?php echo esc_attr($field_name); ?>" value="1" class="method-check"
+                                    <?php echo esc_attr($is_checked); ?>             <?php echo esc_attr($disabled_attr); ?>>
                             </td>
                         <?php endforeach; ?>
 …
         </table>
     </div>
-    <script>
-        document.addEventListener('DOMContentLoaded', function () {
-            const rows = document.querySelectorAll('.hras-row');
-            rows.forEach(row => {
-                const masterToggle = row.querySelector('.row-master-toggle');
-                const methodChecks = row.querySelectorAll('.method-check');
-                masterToggle.addEventListener('change', function () {
-                    const isEnabled = this.checked;
-                    if (isEnabled) {
-                        row.classList.add('active-row');
-                        methodChecks.forEach(box => { box.removeAttribute('disabled'); box.checked = true; });
-                    } else {
-                        row.classList.remove('active-row');
-                        methodChecks.forEach(box => { box.setAttribute('disabled', 'disabled'); box.checked = false; });
+                    }
-                });
-            });
-        });
-    </script>
     <?php
+}

headless-rest-api-security/trunk/readme.txt

-                      r3443475
+                      r3467049
 === Headless REST API Security ===
 Contributors: rakib417
 Tags: headless, rest api, security, authentication
+Tags: headless, rest api, access control, authentication, permissions
 Requires at least: 5.8
 Tested up to: 6.9
 Requires PHP: 7.1
 Stable tag: 2.0
+Requires PHP: 7.4
+Stable tag: 2.3
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 The #1 Security Solution for Headless WordPress. Lock down your REST API, block scrapers, and secure your Next.js/React backend with one click.
+Manage access to the WordPress REST API by restricting public endpoints, enabling specific route allow-listing, and handling API key authentication.
 == Description ==
+**Headless REST API Security is the "Swiss Army Knife" of API protection for WordPress.**
+Running a Headless WordPress site often involves exposing the REST API. Headless REST API Security provides tools for administrators to control which endpoints are accessible to the public or external applications.
 If you are running a Headless WordPress site (Next.js, Gatsby, Nuxt, or Mobile App), your REST API is **exposed to the public** by default. This leaves your data vulnerable to scrapers, bots, and unauthorized users.
+This plugin restricts public access to REST API endpoints by default and offers a settings interface to allow-list only the specific routes required by a frontend application (such as Next.js, Gatsby, or mobile apps).
+**Headless REST API Security** solves this instantly. It is the **FIRST** and **ONLY** plugin designed specifically to lock down Headless architectures with a "Strict Whitelist" model. We give you the power to disable ALL API routes by default and only allow exactly what your app needs.
+### Features
+### 📺 Video Tutorial: How to Configure
+Watch this step-by-step guide to see how to lock down your API in under 2 minutes:
+* **Access Control:** Restrict default public access to REST API endpoints.
+* **Route Allow-Listing:** Specific API routes (e.g., `/wp/v2/posts`) can be enabled while others remain restricted.
+* **API Key Authentication:** Supports an `X-API-KEY` header for server-to-server or frontend requests.
+* **Headless Redirect:** Option to redirect users accessing the backend API URL to a specified frontend domain.
+* **Admin Access:** Logged-in Administrators and Editors retain access to the API to support the Block Editor (Gutenberg) functionality.
+* **Plugin Support:** Detects routes registered by third-party plugins for configuration.
+https://www.youtube.com/watch?v=h4l3c5GRxd4
+### Usage
+---
+🛑 **STOP** unauthorized data scraping.
+🔒 **SECURE** your content and user data.
+🚀 **BOOST** performance by blocking bad requests.
+### 🚀 Why Headless REST API Security is the Best Choice?
+We didn't just build a security plugin; we built a **Headless Firewall**. Unlike generic security plugins that only look for malware, we control the flow of data itself.
+* **🛡️ Strict Security Mode (Whitelist):** The only plugin that blocks 100% of API requests by default. You choose what to unlock.
+* **↩️ Smart Headless Redirects:** Automatically redirects visitors who find your backend URL (e.g., `api.yoursite.com`) directly to your frontend (e.g., `www.yoursite.com`).
+* **🔑 API Key Authentication:** Secure your mobile apps and frontend fetch requests with a simple, secure `X-API-KEY` header.
+* **⚡ Blazing Fast Performance:** Runs before WordPress loads most core files, ensuring blocked requests don't slow down your server.
+* **🕵️ Admin Bypass:** Smart detection allows logged-in Administrators to use the WP Dashboard and Gutenberg Block Editor without interruption.
+---
+### 🔥 Features at a Glance
+* **1-Click Lockdown:** Instantly secure your entire REST API.
+* **Route-Level Control:** Enable specific endpoints like `/wp/v2/posts` while keeping `/wp/v2/users` hidden.
+* **Smart Grouping:** Automatically groups routes (Core vs. Plugins) for easy management.
+* **Domain Binding:** Restrict API access to *only* your frontend domain.
+* **Plugin Compatibility:** Works perfectly with Rank Math, WooCommerce, Contact Form 7, and ACF.
+* **Developer Friendly:** Clean code, native WordPress hooks, and zero bloat.
+---
+### 💡 Perfect For:
+* **Headless Sites:** Next.js, Gatsby, Frontity, Faust.js, Nuxt.js.
+* **Mobile Applications:** React Native, Flutter, iOS, Android.
+* **Static Sites:** Jamstack architectures needing secure dynamic data.
+* **Intranets:** Private internal dashboards.
+---
+### 🏗️ How It Works
+.  **Activate** the plugin.
+.  **Turn On** the "Master Switch" to block all public access.
+.  **Whitelist** only the routes your frontend needs (e.g., `/wp/v2/posts`).
+.  **Add** your API Key to your frontend environment variables.
+.  **Relax!** Your API is now invisible to the rest of the world.
+> "Security is not an option; it's a necessity. Headless REST API Security makes it simple."
+---
+### ❤️ Love Headless REST API Security?
+If this plugin helped you secure your site, please **rate us 5 stars** on WordPress.org! It helps us keep updates coming.
+. Navigate to **Settings > Headless Security** in the WordPress dashboard.
+. Enable the **Master Switch** to activate the access restrictions.
+. Review the list of REST API routes and check the **Allow** box for endpoints the application requires.
+. Copy the generated **API Key** for use in application headers.
+. (Optional) Enter a **Headless Frontend URL** to configure redirects for visitors.
 == Installation ==
+. Upload the `headless-rest-api-security` folder to the `/wp-content/plugins/` directory.
+. Activate the plugin through the 'Plugins' menu in WordPress.
+. Go to the **Headless Security** menu in your dashboard sidebar.
+. Enable "Master Switch" to turn on Strict Mode.
+. Set your "Headless Frontend URL" to enable redirects.
+== Configuration ==
+**1. Headless Redirect (New)**
+Enter your frontend URL (e.g., `https://www.mysite.com`) in the "Headless Frontend URL" field.
+* Visitors to your API site will now be redirected there.
+* `/wp-admin` and `/wp-json` requests are excluded from redirection.
+**2. Whitelisting Routes**
+Check the "ALLOW" box next to any route you want to make public (to your frontend).
+* **Note:** You must enable the "Master Switch" for the blocking to take effect.
+**3. Setting up the API Key**
+Copy the API Key generated in the settings page. Add it to your frontend requests header:
+`X-API-KEY: your_secret_key_here`
+. Upload the plugin files to the `/wp-content/plugins/headless-rest-api-security` directory, or install the plugin through the WordPress plugins screen.
+. Activate the plugin through the 'Plugins' screen in WordPress.
+. Go to the **Headless Security** menu to configure allowed routes.
 == Frequently Asked Questions ==
 = Does this plugin replace WordPress authentication? =
 No. It adds a security firewall layer *before* WordPress processes the request. It works alongside existing auth methods (like JWT or Cookies).
+= Does this modify WordPress Core files? =
+No. The plugin uses standard WordPress hooks (`rest_authentication_errors` and `template_redirect`) to manage access.
 = Will this break the Block Editor (Gutenberg)? =
 No. The plugin includes an "Admin Bypass" feature. If you are logged in as an Administrator or Editor, the API restrictions are skipped so you can work normally.
+= Will this affect the Block Editor (Gutenberg)? =
+The plugin checks for logged-in users with the `edit_posts` capability, allowing the backend editor to function normally while restrictions are active.
 = Can I use this with Rank Math, WooCommerce, or CF7? =
 Yes. The plugin automatically detects routes registered by other plugins. You can see them in the list and whitelist them (e.g., `/wc/v3` or `/contact-form-7/v1`).
+= Can I use this with custom endpoints? =
+Yes. Registered REST API routes appear in the settings list and can be allow-listed.
+= What happens if I lose my API Key? =
+You can view or generate a new key anytime from the settings page.
+= Where is the API Key placed? =
+The key is sent in the request header. Example:
+`X-API-KEY: your_generated_key_here`
 == Screenshots ==
 . **Dashboard:** The main settings interface with the Master Switch and Redirect options.
 . **Whitelist Grid:** The smart list of API routes allowing you to toggle access.
+. **General Settings:** The main configuration screen with the Master Switch and Redirect URL options.
+. **Route Manager:** The grid view for allowing or restricting specific API namespaces and endpoints.
 == Changelog ==
+= 2.0 =
+* New: Added Headless Redirect to main domain function.
+* New: Introduced Strict Security (Whitelist) mode.
+* New: Added Smart Grouping for cleaner route management.
+* Improvement: Added Admin Bypass for logged-in users.
+= 2.3 =
+* Fix: Resolved a critical error on the settings page caused by third-party plugin conflicts with REST API initialization.
+* Fix: Resolved stable tag and version mismatch issues for WordPress.org compliance.
+= 1.1.0 =
+* Added dynamic REST route detection.
+* Added route-level access control.
+* Editable API key.
+* Domain binding support.
+= 2.2 =
+* Updated UI styles for better accessibility.
+* Improved checkbox contrast.
+= 1.0.0 =
+* Initial Release.
+== Upgrade Notice ==
+= 2.1 =
+* Minor code improvements.
 = 2.0 =
+Major update introducing Strict Whitelist Mode and Headless Redirects. Please review your allowed routes after upgrading.
+* Added route allow-listing functionality.
+* Added headless frontend redirect feature.
+* Added admin bypass for authenticated users.
+== Contact ==
+Author: Md. Rakib Ullah
+Email: rakib417@gmail.com
+Linkedin: https://www.linkedin.com/in/rakib417/
+= 1.0 =
+* Initial release.

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: