Disable REST API - Version 1.4

Version Description

  • Tested for WP v4.8
  • Tested for PHP 5.3+
  • Added settings screen
  • Site Admins may now whitelist routes that they wish to allow unauthenticated access to
  • Added dra_allow_rest_api filter to the is_logged_in() check, so developers can get more granular with permissions
  • Props to @tangrufus for all of the help that went into this release

Release Info

Developer dmchale
Version 1.4

Code changes from version 1.3 to 1.4

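--- a/admin.php
+++ b/admin.php
@@ -0,0 +1,95 @@
+ <style>
+ #DRA_container ul li {
+ padding-left: 20px;
+ }
+
+ #DRA_container em {
+ font-size: 0.8em;
+ }
+ </style>
+
+ <script>
+ function dra_namespace_click(namespace, id) {
+ if (jQuery('#dra_namespace_' + id).is(":checked")) {
+ jQuery("input[data-namespace='" + namespace + "']").prop('checked', true);
+ } else {
+ jQuery("input[data-namespace='" + namespace + "']").prop('checked', false);
+ }
+ };
+ </script>
+
+ <div class="wrap">
+ <h1><?php echo esc_html__( "Disable REST API", "disable-json-api" ); ?></h1>
+ <?php settings_errors( 'DRA-notices' ); ?>
+ <p><?php echo esc_html__( "By default, this plugin ensures that the entire REST API is protected from non-authenticated users. You may use this page to specify which endpoints should be allowed to behave as normal.", "disable-json-api" ); ?></p>
+ <p>
+ <strong><?php echo esc_html__( "IMPORTANT NOTE:", "disable-json-api" ); ?></strong> <?php echo esc_html__( "Checking a box merely restores default functionality to an endpoint . Other authentication and/or permissions may still be required for access, or other themes / plugins may also affect access to those endpoints. ", "disable - json - api" ); ?>
+ </p>
+
+ <form method="post" action="" id="DRA_form">
+ <?php wp_nonce_field( 'DRA_admin_nonce' ); ?>
+
+ <div id="DRA_container"><?php DRA_display_route_checkboxes(); ?></div>
+
+ <?php submit_button(); ?>
+ <input type="submit" name="reset"
+ value="<?php echo esc_attr__( "Reset Whitelisted Routes", "disable-json-api" ); ?>"
+ onclick="return confirm('<?php echo esc_attr__( "Are you sure you wish to clear all whitelisted rules?", "disable-json-api" ); ?>');">
+ </form>
+ </div>
+
+ <?php
+ /**
+ * Loop through all routes returned by the REST API and display them on-screen
+ *
+ */
+ function DRA_display_route_checkboxes() {
+ $wp_rest_server = rest_get_server();
+ $all_namespaces = $wp_rest_server->get_namespaces();
+ $all_routes = array_keys( $wp_rest_server->get_routes() );
+ $whitelisted_routes = is_array( get_option( 'DRA_route_whitelist' ) ) ? get_option( 'DRA_route_whitelist' ) : array();
+
+ $loopCounter = 0;
+ $current_namespace = '';
+
+ foreach ( $all_routes as $route ) {
+ $is_route_namespace = in_array( ltrim( $route, "/" ), $all_namespaces );
+ $checkedProp = DRA_get_route_checked_prop( $route, $whitelisted_routes );
+
+ if ( $is_route_namespace || "/" == $route ) {
+ $current_namespace = $route;
+ if ( 0 != $loopCounter ) {
+ echo "</ul>";
+ }
+
+ $route_for_display = ( "/" == $route ) ? "/ <em>" . esc_html__( "REST API ROOT", "disable-json-api" ) . "</em>" : esc_html( $route );
+ echo "<h2><label><input name='rest_routes[]' value='$route' type='checkbox' id='dra_namespace_$loopCounter' onclick='dra_namespace_click(\"$route\", $loopCounter)' $checkedProp>&nbsp;$route_for_display</label></h2><ul>";
+
+ if ( "/" == $route ) {
+ echo "<li>" . sprintf( esc_html__( "On this website, the REST API root is %s", "disable-json-api" ), "<strong>" . rest_url() . "</strong>" ) . "</li>";
+ }
+
+ } else {
+ echo "<li><label><input name='rest_routes[]' value='$route' type='checkbox' data-namespace='$current_namespace' $checkedProp>&nbsp;" . esc_html( $route ) . "</label></li>";
+ }
+
+ $loopCounter ++;
+ }
+ echo "</ul>";
+ }
+
+
+ /**
+ * During comparison, encode the route being requested in the same fashion that it's stored in the database option
+ * Encoding during save happens in Disable_REST_API::maybe_process_settings_form()
+ *
+ * @param $route
+ * @param $whitelisted_routes
+ *
+ * @return string
+ */
+ function DRA_get_route_checked_prop( $route, $whitelisted_routes ) {
+ $is_route_checked = in_array( esc_html( $route ), $whitelisted_routes, true );
+
+ return checked( $is_route_checked, true, false );
+ }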
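Review bot: `$route` and `$current_namespace` are interpolated unescaped into the `value='…'`, `data-namespace='…'` and inline `onclick` attributes in DRA_display_route_checkboxes() (new lines 66 and 73), while the visible label text on the same lines goes through esc_html(). Route strings come from whatever code registered them with the REST server and are regex patterns, so a quote character in one would close the attribute early on this admin screen. Escape at output, e.g. `value='" . esc_attr( $route ) . "'` and `data-namespace='" . esc_attr( $current_namespace ) . "'`, and let the click handler read the namespace from a data attribute instead of taking it as an inline string argument; `rest_url()` on line 69 should likewise be wrapped in `esc_url()`. Separately, the text domain on line 26 is written `"disable - json - api"`, which does not match the `disable-json-api` domain used everywhere else, so that string will presumably not be translated.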
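--- a/classes/disable-rest-api.php
+++ b/classes/disable-rest-api.php
@@ -0,0 +1,215 @@
+ <?php
+
+ /**
+ * Disable_REST_API class
+ *
+ * Most of the work is done in here
+ */
+ class Disable_REST_API {
+
+ const MENU_SLUG = 'disable_rest_api_settings';
+ const CAPABILITY = 'manage_options';
+
+ /**
+ * Stores 'disable-json-api/disable-json-api.php' typically
+ *
+ * @var string
+ */
+ private $base_file_path;
+
+
+ /**
+ * Disable_REST_API constructor.
+ *
+ * @param $path
+ */
+ public function __construct( $path ) {
+
+ // Set variable so the class knows how to reference the plugin
+ $this->base_file_path = plugin_basename( $path );
+
+ add_action( 'admin_menu', array( &$this, 'define_admin_link' ) );
+
+ add_filter( 'rest_authentication_errors', array( &$this, 'whitelist_routes' ), 20 );
+
+ }
+
+
+ /**
+ * Checks for a current route being requested, and processes the whitelist
+ *
+ * @param $access
+ *
+ * @return WP_Error|null|boolean
+ */
+ public function whitelist_routes( $access ) {
+
+ // Return current value of $access and skip all plugin functionality
+ if ( $this->allow_rest_api() ) {
+ return $access;
+ }
+
+ $current_route = $this->get_current_route();
+
+ if ( ! empty( $current_route ) && ! $this->is_whitelisted( $current_route ) ) {
+ return $this->get_wp_error( $access );
+ }
+
+ return $access;
+
+ }
+
+
+ /**
+ * Current REST route getter.
+ *
+ * @return string
+ */
+ private function get_current_route() {
+ $rest_route = $GLOBALS['wp']->query_vars['rest_route'];
+
+ return ( empty( $rest_route ) || '/' == $rest_route ) ?
+ $rest_route :
+ untrailingslashit( $rest_route );
+ }
+
+
+ /**
+ * Checks a route for whether it belongs to the whitelist
+ *
+ * @param $currentRoute
+ *
+ * @return boolean
+ */
+ private function is_whitelisted( $currentRoute ) {
+
+ return array_reduce( $this->get_route_whitelist_option(), function ( $isMatched, $pattern ) use ( $currentRoute ) {
+ return $isMatched || (bool) preg_match( '@^' . htmlspecialchars_decode( $pattern ) . '$@i', $currentRoute );
+ }, false );
+
+ }
+
+
+ /**
+ * Get `DRA_route_whitelist` option array from database
+ *
+ * @return array
+ */
+ private function get_route_whitelist_option() {
+
+ return (array) get_option( 'DRA_route_whitelist', array() );
+
+ }
+
+
+ /**
+ * Add a menu
+ *
+ * @return void
+ */
+ public function define_admin_link() {
+
+ add_options_page( esc_html__( 'Disable REST API Settings', 'disable-json-api' ), esc_html__( 'Disable REST API', 'disable-json-api' ), self::CAPABILITY, self::MENU_SLUG, array(
+ &$this,
+ 'settings_page'
+ ) );
+ add_filter( "plugin_action_links_$this->base_file_path", array( &$this, 'settings_link' ) );
+
+ }
+
+
+ /**
+ * Add Settings Link to plugins page
+ *
+ * @param $links
+ *
+ * @return array
+ */
+ public function settings_link( $links ) {
+
+ $settings_url = menu_page_url( self::MENU_SLUG );
+ $settings_link = "<a href='$settings_url'>" . esc_html__( "Settings", "disable-json-api" ) . "</a>";
+ array_unshift( $links, $settings_link );
+
+ return $links;
+ }
+
+
+ /**
+ * Menu Callback
+ *
+ * @return void
+ */
+ public function settings_page() {
+
+ $this->maybe_process_settings_form();
+
+ // Render the settings template
+ include( __DIR__ . "/../admin.php" );
+
+ }
+
+
+ /**
+ * Process the admin page settings form submission
+ *
+ * @return void
+ */
+ private function maybe_process_settings_form() {
+
+ if ( ! ( isset( $_POST['_wpnonce'] ) && check_admin_referer( 'DRA_admin_nonce' ) ) ) {
+ return;
+ }
+
+ if ( ! current_user_can( self::CAPABILITY ) ) {
+ return;
+ }
+
+ // Catch the routes that should be whitelisted
+ $rest_routes = ( isset( $_POST['rest_routes'] ) ) ?
+ array_map( 'esc_html', wp_unslash( $_POST['rest_routes'] ) ) :
+ null;
+
+ // If resetting or whitelist is empty, clear the option and exit the function
+ if ( empty( $rest_routes ) || isset( $_POST['reset'] ) ) {
+ delete_option( 'DRA_route_whitelist' );
+ add_settings_error( 'DRA-notices', esc_attr( 'settings_updated' ), esc_html__( 'All whitelists have been removed.' ), 'updated' );
+
+ return;
+ }
+
+ // Save whitelist to the Options table
+ update_option( 'DRA_route_whitelist', $rest_routes );
+ add_settings_error( 'DRA-notices', esc_attr( 'settings_updated' ), esc_html__( 'Whitelist settings saved.' ), 'updated' );
+
+ }
+
+
+ /**
+ * Allow carte blanche access for logged-in users (or allow override via filter)
+ *
+ * @return bool
+ */
+ private function allow_rest_api() {
+ return (bool) apply_filters( 'dra_allow_rest_api', is_user_logged_in() );
+ }
+
+
+ /**
+ * If $access is already a WP_Error object, add our error to the list
+ * Otherwise return a new one
+ *
+ * @param $access
+ *
+ * @return WP_Error
+ */
+ private function get_wp_error( $access ) {
+ $error_message = esc_html__( 'DRA: Only authenticated users can access the REST API.', 'disable-json-api' );
+ if ( is_wp_error( $access ) ) {
+ return $access->add( 'rest_cannot_access', $error_message, array( 'status' => rest_authorization_required_code() ) );
+ }
+
+ return new WP_Error( 'rest_cannot_access', $error_message, array( 'status' => rest_authorization_required_code() ) );
+ }
+
+ }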
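Review bot: In get_wp_error() (new line 209) the branch for an already-existing error does `return $access->add( … )`, but WP_Error::add() has no return value, so the method hands back null instead of the WP_Error its docblock promises. whitelist_routes() returns that result straight to the `rest_authentication_errors` filter, where a null result is treated as "no error", so a denial set by an earlier callback would be dropped for a non-whitelisted anonymous request. Call `$access->add( 'rest_cannot_access', $error_message, array( 'status' => rest_authorization_required_code() ) );` on its own line and then `return $access;`. A comment on is_whitelisted() would also help: each stored entry is compiled as a regex body between `@` delimiters, and maybe_process_settings_form() stores whatever strings arrive in `rest_routes[]` without checking them against the routes the server actually registers.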
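--- a/classes/index.php
+++ b/classes/index.php
@@ -0,0 +1,2 @@
+ <?php
+ // Silence is golden.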
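--- a/disable-json-api.php
+++ b/disable-json-api.php
@@ -3,64 +3,30 @@
  * Plugin Name: Disable REST API
  * Plugin URI: http://www.binarytemplar.com/disable-json-api
  * Description: Disable the use of the JSON REST API on your website to anonymous users
- * Version: 1.3
+ * Version: 1.4
  * Author: Dave McHale
  * Author URI: http://www.binarytemplar.com
+ * Text Domain: disable-json-api
+ * Domain Path: /languages
  * License: GPL2+
  */
 
- $dra_current_WP_version = get_bloginfo('version');
-
- if ( version_compare( $dra_current_WP_version, '4.7', '>=' ) ) {
- DRA_Force_Auth_Error();
- } else {
- DRA_Disable_Via_Filters();
- }
-
- //\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
- //\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
- //\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
-
- /**
- * This function is called if the current version of WordPress is 4.7 or above
- * Forcibly raise an authentication error to the REST API if the user is not logged in
- */
- function DRA_Force_Auth_Error() {
- add_filter( 'rest_authentication_errors', 'DRA_only_allow_logged_in_rest_access' );
+ // If this file is called directly, abort.
+ if ( ! defined( 'WPINC' ) ) {
+ die;
  }
 
- /**
- * This function gets called if the current version of WordPress is less than 4.7
- * We are able to make use of filters to actually disable the functionality entirely
- */
- function DRA_Disable_Via_Filters() {
-
- // Filters for WP-API version 1.x
- add_filter( 'json_enabled', '__return_false' );
- add_filter( 'json_jsonp_enabled', '__return_false' );
-
- // Filters for WP-API version 2.x
- add_filter( 'rest_enabled', '__return_false' );
- add_filter( 'rest_jsonp_enabled', '__return_false' );
+ // Remove REST API info from head and headers
+ remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
+ remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
+ remove_action( 'template_redirect', 'rest_output_link_header', 11 );
 
- // Remove REST API info from head and headers
- remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
- remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
- remove_action( 'template_redirect', 'rest_output_link_header', 11 );
-
+ // WordPress 4.7+ disables the REST API via authentication short-circuit.
+ // For versions of WordPress < 4.7, disable the REST API via filters
+ if ( version_compare( get_bloginfo( 'version' ), '4.7', '>=' ) ) {
+ require_once( plugin_dir_path( __FILE__ ) . 'classes/disable-rest-api.php' );
+ new Disable_REST_API( __FILE__ );
+ } else {
+ require_once( plugin_dir_path( __FILE__ ) . 'functions/legacy.php' );
+ DRA_Disable_Via_Filters();
  }
-
- /**
- * Returning an authentication error if a user who is not logged in tries to query the REST API
- * @param $access
- * @return WP_Error
- */
- function DRA_only_allow_logged_in_rest_access( $access ) {
-
- if( ! is_user_logged_in() ) {
- return new WP_Error( 'rest_cannot_access', __( 'Only authenticated users can access the REST API.', 'disable-json-api' ), array( 'status' => rest_authorization_required_code() ) );
- }
-
- return $access;
-
- }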
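--- a/functions/index.php
+++ b/functions/index.php
@@ -0,0 +1,2 @@
+ <?php
+ // Silence is golden.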
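--- a/functions/legacy.php
+++ b/functions/legacy.php
@@ -0,0 +1,16 @@
+ <?php
+ /**
+ * This function gets called if the current version of WordPress is less than 4.7
+ * We are able to make use of filters to actually disable the functionality entirely
+ */
+ function DRA_Disable_Via_Filters() {
+
+ // Filters for WP-API version 1.x
+ add_filter( 'json_enabled', '__return_false' );
+ add_filter( 'json_jsonp_enabled', '__return_false' );
+
+ // Filters for WP-API version 2.x
+ add_filter( 'rest_enabled', '__return_false' );
+ add_filter( 'rest_jsonp_enabled', '__return_false' );
+
+ }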
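--- a/index.php
+++ b/index.php
@@ -0,0 +1,2 @@
+ <?php
+ // Silence is golden.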
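--- a/languages/index.php
+++ b/languages/index.php
@@ -0,0 +1,2 @@
+ <?php
+ // Silence is golden.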
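--- a/readme.txt
+++ b/readme.txt
@@ -1,29 +1,31 @@
  === Disable REST API ===
- Contributors: dmchale
+ Contributors: dmchale, tangrufus
  Tags: admin, api, json, REST, rest-api, disable
- Requires at least: 4.0
- Tested up to: 4.7
- Stable tag: 1.3
+ Requires at least: 4.4
+ Requires PHP: 5.3
+ Tested up to: 4.8
+ Stable tag: 1.4
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
- Disable the use of the JSON REST API on your website to anonymous users.
+ Disable the use of the JSON REST API on your website to unauthenticated users.
 
  == Description ==
 
- ** As of WordPress 4.7, the filter provided for disabling the REST API has been removed. However, this plugin will now
- forcibly return an authentication error to any API requests from sources who are not logged into your website, which
- will effectively still prevent unauthorized requests from using the REST API to get information from your website **
+ ** Version 1.4 now supports whitelisting of individual routes within the REST API **
+
+ The engine for the API has existed in WordPress since v4.4, but additional functionality and endpoints are a
+ continual project. While this is very exciting news for many reasons - and many plugins, themes, and even pieces of
+ WordPress core are already beginning to use the REST API - it is also not functionality that every site admin is going
+ to want enabled on their website if not necessary.
 
- The REST API is a project in development via the [JSON REST API](https://wordpress.org/plugins/rest-api/)
- plugin by Ryan McCue, Rachel Baker, Daniel Bachhuber and Joe Hoyle. The engine for the API has existed in WordPress
- since v4.4, but additional functionality and endpoints are a continual project. While this is very exciting news
- for many reasons, it is also not functionality that every site admin is going to want enabled on their website if not
- necessary.
+ As of WordPress 4.7, the filters provided for disabling the REST API were removed. To compensate, this plugin will
+ forcibly return an authentication error to any API requests from sources who are not logged into your website, which
+ will effectively still prevent unauthorized requests from using the REST API to get information from your website.
 
  For WordPress versions 4.4, 4.5 and 4.6, this plugin makes use of the `rest_enabled` filter provided by the API to
- disable the API functionality. For WordPress 4.7+, the plugin will return an authentication error (effectively
- disabling all endpoints) for any user not logged into the website.
+ disable the API functionality. However, it is strongly recommended that all site owners run the most recent version
+ of WordPress except where absolutely necessary.
 
  == Installation ==
 
@@ -34,18 +36,34 @@ area
 
  == Frequently Asked Questions ==
 
- = Is this plugin compatible with __insert other REST API plugin here__? =
+ = How do I know if this plugin is working? =
+
+ While logged into WordPress as any user, the REST API will function as intended. Because of this, you must use a new
+ browser - or Chrome's incognito mode - to test your website with a clean session. Go to yourdomain.com/wp-json/ (or
+ yourdomain.com/?rest_route=/ if you have pretty permalinks disabled) while NOT LOGGED IN to test the results. You will
+ see an authentication error returned if the plugin is active. "DRA: Only authenticated users can access the REST API."
 
- This plugin ONLY uses the filters built into the official WordPress REST API meant for disabling its functionality.
- So long as your other REST API does not also use those filters to allow itself to be disabled (and it shouldn't), you
- should be safe.
+ = Does this plugin disable all REST API's installed? =
+
+ This plugin is ONLY meant to disable endpoints accessible via the default REST API that is part of WordPress itself. If
+ a plugin or theme chooses to register its namespace with the core REST API, its endpoints will - by default - by
+ disabled so long as this plugin is active. Namespaces and routes may be whitelisted via this plugin's Settings page.
 
  == Screenshots ==
 
- 1. The JSON returned by a website that is protected by this plugin. (WordPress versions 4.4, 4.5, 4.6)
+ 1. The JSON returned by a website with the API disabled via filters (WP versions 4.4, 4.5, 4.6)
+ 2. The JSON returned by a website with the API disabled via authentication methods (WP versions 4.7+)
 
  == Changelog ==
 
+ = 1.4 =
+ * Tested for WP v4.8
+ * Tested for PHP 5.3+
+ * Added settings screen
+ * Site Admins may now whitelist routes that they wish to allow unauthenticated access to
+ * Added `dra_allow_rest_api` filter to the is_logged_in() check, so developers can get more granular with permissions
+ * Props to @tangrufus for all of the help that went into this release
+
  = 1.3 =
  * Tested for WP v4.7
  * Adding new functionality to raise authentication errors in 4.7+ for non-logged-in users
@@ -62,11 +80,11 @@ should be safe.
 
  == Upgrade Notice ==
 
- = 1.3 =
- *
+ = 1.4 =
+ * Adds support to optionally whitelist individual routes of the REST API via Settings page.
 
  = 1.1 =
  * Now with support for the 2.0 beta API filters
 
  = 1.0 =
- * Initial Release
+ * Initial Release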
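--- a/uninstall.php
+++ b/uninstall.php
@@ -0,0 +1,18 @@
+ <?php
+ /**
+ * This file magically runs when the plugin is deleted
+ *
+ * Direct from https://developer.wordpress.org/plugins/the-basics/uninstall-methods/
+ */
+
+ // if uninstall.php is not called by WordPress, die
+ if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
+ die;
+ }
+
+ $option_name = 'DRA_route_whitelist';
+
+ delete_option( $option_name );
+
+ // for site options in Multisite
+ delete_site_option( $option_name );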
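Review bot: The cleanup on lines 15-18 removes `DRA_route_whitelist` only for the site in whose context the uninstall runs. The class in this release writes it with update_option(), i.e. per site, so on Multisite the other sites keep their whitelist rows, and delete_site_option() targets a network-level option that the visible code never writes. A leftover whitelist would presumably take effect again if the plugin is reinstalled later. At minimum state this next to the call, e.g. `// NOTE: per-site option; on Multisite only the current site's whitelist is removed`, or iterate over the network's sites and delete the option on each.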