Balada Fix protects your site from unauthenticated abuse of specific WordPress REST API endpoints. Such endpoints (for example the tagDiv theme’s wp-json/tdw/save_css) are often targeted by the “Balada Injector” and similar campaigns to inject malicious scripts.
- Add one or more REST path patterns in Settings → Balada Fix (one per line).
- Only logged-in administrators with the
edit_theme_optionscapability can access those paths. - Unauthenticated or unauthorized requests receive a 403 Forbidden response.
Default protected path: tdw/save_css (tagDiv / Newspaper theme vulnerability).