ccurtin
4/9/2017 - 12:26 AM

DISMISS PUBLIC ACCESS to WordPress REST API; ONLY ALLOW API ACCESS VIA SAME DOMAIN. ALLOW ADMIN ACCESS FOR ALL THOUGH.... for dynamic IPs...

DISMISS PUBLIC ACCESS to WordPress REST API; ONLY ALLOW API ACCESS VIA SAME DOMAIN. ALLOW ADMIN ACCESS FOR ALL THOUGH.... for dynamic IPs...

Ideally, the Server should be making the requests to the API, not the Client/User. That way, all API access is invalid except from the server. Use CORS and this snippet to block all WP access though.

# - DISMISS PUBLIC ACCESS; ONLY ALLOW API ACCESS VIA OWN DOMAIN 
# - ALLOW ADMIN ACESS FOR ALL
#
# This example is in the "public_html/api/" folder where
# the WP API is installed.
#
RewriteEngine On
# If the referer is not its own domain
RewriteCond %{HTTP_REFERER} !^http?://architectura.com [NC]
# Then make it forbidden if not an admin login th
RewriteRule !^(wp-admin|wp-login\.php) - [F,L,NC]
# Below would block access to ALL directories within "/api", including WP Login pages.
# RewriteRule ^ - [L,F]