API Write Blocker

By teamredfox
A plugin to control the operation of admin-ajax.php, REST API, and xmlrpc.
Version
1.0
Last updated
Oct 26, 2025

API Write Blocker is a security-focused plugin that prevents unauthorized or anonymous users from executing write operations through REST API, XML-RPC, and Admin-Ajax interfaces.

Unlike generic API blockers, this plugin enables fine-grained control over which HTTP methods (POST, PUT/PATCH, DELETE) are allowed, supports whitelist-based exceptions, and protects core endpoints without interfering with legitimate functionalities such as contact form submissions or plugin integrations.

🔐 Key Features

REST API Method-Level Blocking
* Independently block POST, PUT/PATCH, and DELETE requests.
* Whitelist specific REST routes (prefix match supported) to allow legitimate access (e.g., contact forms).
* Configure a custom HTTP status code and error message per request type.

XML-RPC Write Operation Blocking
* Disable only dangerous write-related XML-RPC methods (e.g., wp.newPost, metaWeblog.editPost) while keeping harmless calls untouched.
* Return a custom status code and error message for blocked XML-RPC operations.

Admin-Ajax Write Protection
* Blocks known sensitive write-related Ajax actions (e.g., save-post, upload-attachment) for unauthenticated users.
* Whitelist specific actions used by safe plugins like Contact Form 7.

Flexible Exceptions
* Authenticated users are always allowed by default.
* IP Whitelist support (including CIDR ranges) for external systems or trusted clients.

Custom Response Messages
* Return custom error messages and HTTP status codes for each interface: REST, XML-RPC, and Admin-Ajax.

This plugin is ideal for hardening your WordPress site without breaking functionality.
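
How the REST method blocking, XML-RPC method removal and IP/CIDR exemption described above can be expressed with WordPress hooks, as an added example that is not API Write Blocker's own code. The EXAMPLE_/example_ names, the whitelist entries and the 403 response are assumptions; the CIDR helper covers IPv4 on 64-bit PHP.

```php
<?php
// Added illustration; not the plugin's source. All EXAMPLE_/example_ names are hypothetical.
const EXAMPLE_WRITE_METHODS   = array( 'POST', 'PUT', 'PATCH', 'DELETE' );
const EXAMPLE_ROUTE_WHITELIST = array( '/contact-form-7/v1/' ); // prefix match, assumed route
const EXAMPLE_IP_WHITELIST    = array( '203.0.113.0/24' );      // constructed (TEST-NET-3)

// IPv4 CIDR match; a bare address counts as /32. IPv6 input never matches.
function example_ip_in_cidr( $ip, $cidr ) {
	list( $net, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
	$ip_long  = ip2long( $ip );
	$net_long = ip2long( $net );
	if ( false === $ip_long || false === $net_long || ! ctype_digit( $bits ) || (int) $bits > 32 ) {
		return false;
	}
	$mask = ( 0xFFFFFFFF << ( 32 - (int) $bits ) ) & 0xFFFFFFFF; // /0 yields mask 0
	return ( $ip_long & $mask ) === ( $net_long & $mask );
}

// REMOTE_ADDR is the direct peer; behind a reverse proxy it is the proxy's address.
function example_ip_is_trusted() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	foreach ( EXAMPLE_IP_WHITELIST as $cidr ) {
		if ( example_ip_in_cidr( $ip, $cidr ) ) {
			return true;
		}
	}
	return false;
}

// REST: authentication has already run here, so is_user_logged_in() is meaningful.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	if ( ! in_array( $request->get_method(), EXAMPLE_WRITE_METHODS, true ) || is_user_logged_in() || example_ip_is_trusted() ) {
		return $result;
	}
	foreach ( EXAMPLE_ROUTE_WHITELIST as $prefix ) {
		if ( 0 === strpos( $request->get_route(), $prefix ) ) {
			return $result;
		}
	}
	return new WP_Error( 'example_write_blocked', 'Write operations are not allowed.', array( 'status' => 403 ) );
}, 10, 3 );

// XML-RPC: credentials are checked inside each method, after this filter runs,
// so only the IP exemption can apply when removing write methods.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	if ( ! example_ip_is_trusted() ) {
		unset( $methods['wp.newPost'], $methods['metaWeblog.editPost'] );
	}
	return $methods;
} );
```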

Free on the Business plan
Tested up to
WordPress 6.8.3
This plugin is available for download and can be used on .