Routes & Exposure Control
The Routes panel gives you visibility and control over every REST API endpoint WordPress exposes. The free tier enforces auth on WordPress core routes and applies rate limiting globally across all routes. Pro adds a per-route policy tree covering all routes, including third-party plugin routes, so you can target endpoints precisely: allow a plugin's licence-check route, block its data-collection endpoint, or restrict a write route to a specific user.
Global Options
Global settings apply to every route and can be overridden per-route in Pro.
Auth & Rate Limiting
Enforce Authentication on All Routes: requires a valid authenticated request on WordPress core REST endpoints. Unauthenticated requests are rejected with 401 before reaching WordPress. Third-party plugin routes are left open in the free tier, because exempting individual plugin sub-routes (so that those plugins keep working) requires the per-route control available in Pro.
Enforce Rate Limiting on All Routes: applies the global rate-limiting quota (configured in the Auth & Rate Limiting panel) to every route, including third-party plugin routes.
To enforce auth on plugin routes, or to exempt specific routes from auth or rate limiting, use the Per Route Settings tree in Pro.
Disable Routes
Disable specific WordPress core route groups that are rarely needed in headless or API-first setups:
- Disable /wp/v2/users/*: prevents user enumeration. Available in the free tier.
- Disable oembed/1.0/*: removes oEmbed discovery. PRO
- Disable batch/v1: removes the batch processing endpoint. PRO
Disabled Route Response PRO
Defines how the server responds when a route is disabled, whether globally or per-route. Available response types:
- 404 Not Found: standard not-found response. The route appears never to have existed.
- 410 Gone: signals that the resource was intentionally and permanently removed.
- 301 Custom URL Redirect: permanently redirects to a custom URL you specify.
- 301 WordPress Page Redirect: permanently redirects to a WordPress page selected in the admin.
- Empty (no response): closes the connection without a body. The server appears not to exist on this route.
Disable HTTP Methods PRO
Globally disables one or more HTTP methods across all routes. Available methods: GET, POST, PUT, PATCH, DELETE.
Example: disabling DELETE globally ensures no client can remove content through the REST API, regardless of per-route settings.
Disable Post Types & Taxonomies PRO
Removes all REST routes for selected post types and taxonomies from the API entirely. When a post type is disabled here, every method on every route under its REST base (e.g. /wp/v2/posts/*) returns the configured disabled-route response.
Use this to hide internal content types from external consumers without touching the WordPress object registration.
Per Route Settings PRO
The per-route tree lists every registered REST route and lets you apply settings at any level: a top-level namespace, a route path, or an individual HTTP method. Child nodes inherit from their parent unless explicitly overridden.
Route Tree
Routes are displayed as a collapsible tree. Each node shows the path, its effective permission label, and any overrides applied to its descendants.
The permission label reflects the effective state of the route:
- public: no authentication required by WordPress or by the plugin
- protected: WordPress requires authentication but the plugin does not add further constraints
- authenticated: authentication enforced by the plugin
- forbidden: route is disabled
Per-Route Overrides
Click the settings icon on any node to activate a custom override for that route. Once activated, three toggles appear:
- Auth: enforce or exempt authentication specifically on this route, overriding the global setting.
- Rate Limit: enforce or exempt rate limiting on this route.
- Disable: disable this specific route or method. The configured Disabled Route Response is returned.
Click the reset icon to remove the override and restore inheritance from the parent node.
User Restriction
On any HTTP method node, Set users restricts access to a specific list of registered plugin users. When users are set, only requests authenticated as one of those users are allowed through on that method.
This is useful for write-only endpoints that should be accessible to a single service account (e.g. only a designated user may POST to /wp/v2/posts).
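The inheritance and decision rules described in this section, written out as an added Python model. This is not the plugin's code (the product applies its checks before the request reaches WordPress; the model only reproduces the rules as documented here). The tree is keyed by namespace, route path and method node; a child's explicit toggle replaces the inherited value; a request is then evaluated against the global options and the effective per-route toggles, and a label is derived the same way. The plugin namespace /acme-plugin/v1, the service user publisher-bot, the per-client quota of 3, and the reading of /wp/v2/users/* as covering the collection route itself are constructed assumptions.

```python
"""Toy model of the policy described above: global options plus a namespace ->
route -> method override tree with inheritance. Constructed example, not the plugin's code."""
from dataclasses import dataclass, field
from typing import Optional

CORE_PREFIX = "/wp/v2/"  # WordPress core namespace; plugin routes live elsewhere

@dataclass
class Override:
    """Toggles on one tree node; None means 'inherit from the parent node'."""
    auth: Optional[bool] = None        # True = enforce, False = exempt
    rate_limit: Optional[bool] = None
    disabled: Optional[bool] = None
    users: Optional[frozenset] = None  # 'Set users'; honoured on method nodes only

@dataclass
class Policy:
    enforce_auth_core: bool = False            # Enforce Authentication on All Routes
    rate_limit_all: bool = False               # Enforce Rate Limiting on All Routes
    disabled_patterns: tuple = ()              # Disable Routes, e.g. ('/wp/v2/users/*',)
    disabled_methods: frozenset = frozenset()  # Disable HTTP Methods
    disabled_response: int = 404               # 404, 410, 301, or 0 for 'Empty (no response)'
    quota: int = 3                             # constructed per-client request quota
    # keys: '/wp/v2' (namespace), '/wp/v2/posts' (route), 'POST /wp/v2/posts' (method)
    overrides: dict = field(default_factory=dict)
    hits: dict = field(default_factory=dict)   # client -> requests counted against quota

def ancestor_keys(route: str, method: str) -> list:
    """Tree nodes that apply to a request, root first (namespace = vendor/version)."""
    segments = route.strip("/").split("/")
    return ["/" + "/".join(segments[:2]), route, f"{method} {route}"]

def pattern_matches(route: str, pattern: str) -> bool:
    """'/x/*' covers '/x' itself and everything below it (assumed semantics)."""
    if pattern.endswith("/*"):
        return route == pattern[:-2] or route.startswith(pattern[:-1])
    return route == pattern

def resolve(policy: Policy, route: str, method: str) -> Override:
    """Walk root-first so a child's explicit toggle replaces the inherited value."""
    eff = Override()
    for key in ancestor_keys(route, method):
        ov = policy.overrides.get(key) or Override()
        for name in ("auth", "rate_limit", "disabled"):
            if getattr(ov, name) is not None:
                setattr(eff, name, getattr(ov, name))
        if ov.users is not None and key.startswith(method + " "):
            eff.users = ov.users
    return eff

def is_disabled(policy: Policy, route: str, method: str, eff: Override) -> bool:
    return (method in policy.disabled_methods  # global method switch beats per-route settings
            or any(pattern_matches(route, p) for p in policy.disabled_patterns)
            or eff.disabled is True)

def requires_auth(policy: Policy, route: str, eff: Override) -> bool:
    if eff.auth is not None:
        return eff.auth
    return policy.enforce_auth_core and route.startswith(CORE_PREFIX)  # free tier: core only

def label(policy: Policy, route: str, method: str, wp_requires_auth: bool) -> str:
    """Effective permission label shown on a tree node."""
    eff = resolve(policy, route, method)
    if is_disabled(policy, route, method, eff):
        return "forbidden"
    if requires_auth(policy, route, eff):
        return "authenticated"
    return "protected" if wp_requires_auth else "public"

def decide(policy: Policy, method: str, route: str, user=None, client="anon") -> int:
    """Status the gate returns before WordPress runs; 200 means 'pass through'."""
    eff = resolve(policy, route, method)
    if is_disabled(policy, route, method, eff):
        return policy.disabled_response
    if requires_auth(policy, route, eff) and user is None:
        return 401
    if eff.users is not None and user not in eff.users:
        return 403
    limited = eff.rate_limit if eff.rate_limit is not None else policy.rate_limit_all
    if limited:
        policy.hits[client] = policy.hits.get(client, 0) + 1
        if policy.hits[client] > policy.quota:
            return 429
    return 200

def build_demo_policy() -> Policy:
    """Constructed configuration mirroring the scenarios described on this page."""
    return Policy(
        enforce_auth_core=True, rate_limit_all=True, disabled_response=410,
        disabled_patterns=("/wp/v2/users/*",), disabled_methods=frozenset({"DELETE"}),
        overrides={
            "/acme-plugin/v1": Override(auth=True),                  # hypothetical plugin namespace
            "/acme-plugin/v1/licence": Override(auth=False, rate_limit=False),  # allow licence check
            "/acme-plugin/v1/telemetry": Override(disabled=True),    # block data collection
            "POST /wp/v2/posts": Override(users=frozenset({"publisher-bot"})),
        },
    )

if __name__ == "__main__":
    p = build_demo_policy()
    for req in (("GET", "/wp/v2/users"), ("GET", "/acme-plugin/v1/licence"), ("POST", "/wp/v2/posts")):
        print(*req, decide(p, *req, user="editor"))
```

Note the ordering in decide: the global HTTP-method switch is checked first, so a disabled method is refused even where a per-route override would otherwise allow it, which matches the statement that disabling DELETE globally applies regardless of per-route settings. The user restriction is checked only after authentication, so an unauthenticated request to a user-restricted method gets 401 rather than 403 and learns nothing about which users are permitted.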
Test
Each method node exposes a Test button that fires a live request against that route through the current policy. The result panel shows the HTTP status, response headers, and body, letting you verify auth, rate limiting, and disable behaviour before going to production.
Entry type: Route policy (tree, per-application in Pro)
FAQ
Does disabling a post type's routes affect the WordPress admin?
No. The plugin only applies to unauthenticated or non-admin REST requests. Authenticated admin requests pass through untouched, so the WordPress admin and Gutenberg continue to work normally.
Will disabling a route break other plugins that use the REST API?
Disabling individual routes is a Pro feature. In the free tier, only /wp/v2/users/* can be disabled globally; all other routes remain accessible. In Pro, route disabling is configured per-application and targets specific paths, so you can safely disable a route for one application without affecting others. Many third-party plugins expose REST routes for licence validation, update checks, or data collection; the Pro route tree lets you audit and control each of those routes individually.
What happens to requests that do not match any application in Pro?
Once applications are enabled, any request that does not match a registered application is blocked.
Can I restrict a route to authenticated requests only without affecting the response schema?
Yes. Enabling Auth on a route does not change the response; it only adds an authentication gate before WordPress processes the request.