=== API Write Blocker ===
Plugin Name: API Write Blocker
Description: A security plugin that blocks unauthorized write operations via REST API, XML-RPC, and Admin-Ajax endpoints.
Plugin URI: https://p-fox.jp/
Stable tag: 1.0
Author: Red Fox (team Red Fox)
Author URI: https://p-fox.jp/
Contributors: teamredfox
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Text Domain: api-write-blocker
Domain Path: /languages
Requires PHP: 7.4
Requires at least: 6.8
Tested up to: 6.8

A plugin to control the operation of admin-ajax.php, the REST API, and xmlrpc.php.

== Description ==

**API Write Blocker** is a security-focused plugin that prevents unauthorized or anonymous users from executing write operations through the REST API, XML-RPC, and Admin-Ajax interfaces.

Unlike generic API blockers, this plugin enables *fine-grained control* over which HTTP methods (POST, PUT/PATCH, DELETE) are allowed, supports whitelist-based exceptions, and protects core endpoints without interfering with legitimate functionality such as contact form submissions or plugin integrations.

### 🔐 Key Features

**REST API Method-Level Blocking**

* Independently block POST, PUT/PATCH, and DELETE requests.
* Whitelist specific REST routes (prefix match supported) to allow legitimate access (e.g., contact forms).
* Configure a custom HTTP status code and error message per request type.

**XML-RPC Write Operation Blocking**

* Disable only dangerous write-related XML-RPC methods (e.g., `wp.newPost`, `metaWeblog.editPost`) while leaving harmless calls untouched.
* Return a custom status code and error message for blocked XML-RPC operations.

**Admin-Ajax Write Protection**

* Block known sensitive write-related Ajax actions (e.g., `save-post`, `upload-attachment`) for unauthenticated users.
* Whitelist specific actions used by safe plugins such as Contact Form 7.

**Flexible Exceptions**

* Authenticated users are always allowed by default.
* IP whitelist support (including CIDR ranges) for external systems or trusted clients.

**Custom Response Messages**

* Return custom error messages and HTTP status codes for each interface: REST, XML-RPC, and Admin-Ajax.

This plugin is ideal for hardening your WordPress site without breaking functionality.

== Installation ==

1. Download the ZIP file and install it from "Plugins" > "Add New" > "Upload Plugin".
2. Or, unzip the plugin and upload it to the `/wp-content/plugins/` directory.
3. Activate "API Write Blocker" from "Plugins" in the admin panel.
4. Go to "Settings" > "API/Write Restriction" to configure the plugin.

== Frequently Asked Questions ==

= Will this plugin block Contact Form 7 or similar plugins? =

No, as long as you whitelist the required routes (e.g., `contact-form-7/v1/contact-forms`) and Ajax actions (e.g., `wpcf7-submit`). The plugin is designed to allow necessary requests safely.

= Is it safe to disable write methods in the REST API? =

Yes. Many sites do not use REST-based write operations publicly. By default, WordPress allows unauthenticated POST, PUT, and DELETE calls, which may be exploited by attackers. This plugin disables them unless explicitly allowed.

= Can I block XML-RPC write methods without disabling XML-RPC entirely? =

Yes. This plugin blocks only post-related XML-RPC methods and, if desired, lets other functions such as pingbacks or basic metaWeblog info calls pass.

= What happens to authenticated users? =

Authenticated (logged-in) users are always allowed to execute requests. This plugin mainly protects against unauthorized, anonymous, or non-whitelisted users.

== Screenshots ==

1. Settings UI under "Settings" > "API/Write Restriction".
2. REST API write method controls and whitelist management.
3. IP whitelist and Ajax action whitelist settings.
4. Custom error message configuration screen.

== Changelog ==

= 1.0 =

* Initial release.
* REST API write method blocking (POST, PUT/PATCH, DELETE).
* XML-RPC method-level write blocking.
* Admin-Ajax write action blocking with whitelist.
* IP and route/action whitelists.
* Custom status code and message per interface.

== Upgrade Notice ==

= 1.0 =

Initial release. No upgrade concerns.
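The three blocking layers and the whitelist exceptions described under "Key Features" map onto three standard WordPress hooks. The sketch below is an added example written for this page; it is not the API Write Blocker plugin's own code. The `awb_example_*` function names, the hard-coded configuration arrays (the real plugin reads its settings from the admin screen), the 403 status and message, and the IPv4-only CIDR helper are all assumptions made for illustration.

```php
<?php
/*
 * Example only: a minimal sketch of REST, XML-RPC and Admin-Ajax write blocking
 * with route/action/IP whitelists. Not the plugin's own code; all names and
 * configuration values below are assumptions for illustration.
 */

// Constructed configuration. The real plugin stores these via its settings page.
const AWB_EXAMPLE_BLOCKED_METHODS     = array( 'POST', 'PUT', 'PATCH', 'DELETE' );
const AWB_EXAMPLE_REST_ALLOW_PREFIXES = array( '/contact-form-7/v1/contact-forms' );
const AWB_EXAMPLE_XMLRPC_BLOCKED      = array( 'wp.newPost', 'wp.editPost', 'wp.deletePost', 'metaWeblog.newPost', 'metaWeblog.editPost' );
const AWB_EXAMPLE_AJAX_BLOCKED        = array( 'save-post', 'upload-attachment' );
const AWB_EXAMPLE_AJAX_ALLOW          = array( 'wpcf7-submit' );
const AWB_EXAMPLE_IP_ALLOW            = array( '203.0.113.0/24', '198.51.100.7' ); // documentation ranges
const AWB_EXAMPLE_STATUS              = 403;
const AWB_EXAMPLE_MESSAGE             = 'Write operations are disabled for anonymous requests.';

// IPv4-only CIDR match (an assumption of this sketch; IPv6 entries never match).
function awb_example_ip_in_cidr( $ip, $cidr ) {
    if ( false === strpos( $cidr, '/' ) ) {
        return $ip === $cidr;
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $subnet );
    if ( false === $ip_long || false === $net_long ) {
        return false;
    }
    $mask = -1 << ( 32 - (int) $bits );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

// Logged-in users and whitelisted source IPs bypass every check.
// REMOTE_ADDR is used on purpose: X-Forwarded-For is client-controlled unless
// a trusted reverse proxy rewrites it.
function awb_example_request_is_trusted() {
    if ( is_user_logged_in() ) {
        return true;
    }
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( AWB_EXAMPLE_IP_ALLOW as $cidr ) {
        if ( awb_example_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// 1. REST API: short-circuit dispatch for anonymous write methods unless the
//    route starts with a whitelisted prefix. The 'status' in the WP_Error data
//    becomes the HTTP status of the JSON error response.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $method = strtoupper( $request->get_method() );
    if ( ! in_array( $method, AWB_EXAMPLE_BLOCKED_METHODS, true ) || awb_example_request_is_trusted() ) {
        return $result;
    }
    foreach ( AWB_EXAMPLE_REST_ALLOW_PREFIXES as $prefix ) {
        if ( 0 === strpos( $request->get_route(), $prefix ) ) {
            return $result;
        }
    }
    return new WP_Error( 'awb_example_blocked', AWB_EXAMPLE_MESSAGE, array( 'status' => AWB_EXAMPLE_STATUS ) );
}, 10, 3 );

// 2. XML-RPC: replace only the write methods with a callback that returns a
//    fault, so pingbacks and read-only calls keep working.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    if ( awb_example_request_is_trusted() ) {
        return $methods;
    }
    foreach ( AWB_EXAMPLE_XMLRPC_BLOCKED as $name ) {
        if ( isset( $methods[ $name ] ) ) {
            $methods[ $name ] = function ( $args ) {
                return new IXR_Error( AWB_EXAMPLE_STATUS, AWB_EXAMPLE_MESSAGE );
            };
        }
    }
    return $methods;
} );

// 3. Admin-Ajax: admin_init fires in admin-ajax.php before the action is
//    dispatched, so blocked anonymous actions never reach their handler.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || awb_example_request_is_trusted() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( in_array( $action, AWB_EXAMPLE_AJAX_ALLOW, true ) ) {
        return;
    }
    if ( in_array( $action, AWB_EXAMPLE_AJAX_BLOCKED, true ) ) {
        wp_send_json_error( array( 'message' => AWB_EXAMPLE_MESSAGE ), AWB_EXAMPLE_STATUS );
    }
}, 1 );
```

Two points worth checking when configuring any plugin of this kind: the REST whitelist is a prefix match on the route, so `/contact-form-7/v1/contact-forms` also admits the per-form `/feedback` sub-routes that a contact form actually posts to, and the IP whitelist should be compared against the address the web server saw rather than a forwarded header, since the latter can be set by the client.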