MaxtDesign

Configuration

Settings Location

Go to Settings → REST API Control in your WordPress admin.

Global Settings

Disable REST API for Unauthenticated Users

The main toggle. When enabled, all REST API requests from visitors who are not logged in will be blocked with a 401 error — unless the endpoint is whitelisted.

Custom Error Message

Configure the message returned to blocked REST API requests. Default: "REST API access restricted."

This message is returned as a JSON error response with HTTP status 401.

Allow REST API for All Logged-In Users

When enabled (default), any logged-in user has full REST API access — unless their role is specifically restricted in the Per-Role Controls section below.

When disabled, logged-in users are also blocked unless their role has explicit access configured.

Endpoint Whitelist (Unauthenticated Users)

This section shows all registered REST API endpoints on your site, auto-discovered and organized by namespace.

How the Tree Works

  • Namespace checkbox — Whitelists the entire namespace (e.g., checking contact-form-7 allows all CF7 endpoints)
  • Individual route checkboxes — Whitelist specific routes within a namespace
  • Select All / Deselect All — Quick buttons per namespace
  • When a namespace is checked, individual routes are disabled (the whole namespace is allowed)

Common Namespaces to Whitelist

  • contact-form-7 — Required for Contact Form 7 submissions
  • wc/store and wc/store/v1 — Required for WooCommerce cart and checkout blocks
  • jetpack — Required for Jetpack features
  • wpforms — Required for WPForms submissions

The plugin warns you if it detects an active plugin whose endpoints are not whitelisted.
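
A check for the whitelist described above, as an added example (not the plugin's own code): it compares the status codes a logged-out client receives with the namespaces and routes you intended to whitelist. The whitelist values, routes and status codes are constructed sample data, `wc/storefront` is a hypothetical look-alike namespace, and `/wp-json` is assumed to be the site's REST prefix (the WordPress default).

```python
import urllib.error
import urllib.request

# Intended whitelist, mirroring what is ticked in the settings tree (constructed).
NAMESPACES = {"contact-form-7", "wc/store"}
ROUTES = {"/wp/v2/posts"}

# Constructed sample of unauthenticated results: route -> HTTP status.
SAMPLE = {
    "/wp/v2/users": 200,                                 # not whitelisted, answered
    "/wp/v2/posts": 200,                                 # whitelisted route
    "/wp/v2/comments": 401,                              # blocked as intended
    "/wc/store/v1/cart": 200,                            # under whitelisted namespace
    "/wc/storefront/items": 200,                         # hypothetical look-alike prefix
    "/contact-form-7/v1/contact-forms/1/feedback": 401,  # whitelisted but blocked
}

def is_whitelisted(route, namespaces, routes):
    """True if the route is ticked itself or sits under a ticked namespace."""
    route = "/" + route.strip("/")
    if route in routes:
        return True
    # Match on a path boundary so "wc/store" does not cover "/wc/storefront".
    return any(route == f"/{ns}" or route.startswith(f"/{ns}/") for ns in namespaces)

def audit(observed, namespaces, routes):
    """Return (route, status, finding) where behaviour differs from the whitelist."""
    findings = []
    for route, status in sorted(observed.items()):
        allowed = is_whitelisted(route, namespaces, routes)
        if not allowed and 200 <= status < 300:
            findings.append((route, status, "exposed: answered but not whitelisted"))
        elif allowed and status == 401:
            # May also be the endpoint's own permission check; confirm by hand.
            findings.append((route, status, "blocked: whitelisted but returns 401"))
    return findings

def probe(base_url, route, timeout=10):
    """Unauthenticated GET against the assumed /wp-json prefix; returns the status."""
    url = base_url.rstrip("/") + "/wp-json" + route
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

if __name__ == "__main__":
    for finding in audit(SAMPLE, NAMESPACES, ROUTES):
        print(finding)
```

To run it against your own site, build the `observed` dictionary by calling `probe()` from a logged-out machine for each route you care about, then pass it to `audit()`.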

Per-Role Controls (Advanced)

This collapsible section lets you restrict REST API access for specific user roles even when they are logged in.

How It Works

  1. Expand the Per-Role Controls section
  2. Check "Restrict [Role Name]" for each role you want to limit
  3. A per-role endpoint whitelist appears — configure which endpoints that role can access
  4. Unchecked roles have full REST API access (default)

Common Use Cases

  • Restrict Subscribers — Prevent subscribers from querying user data or post content via API
  • Restrict Contributors — Limit API access to only what the block editor needs
  • Restrict Authors — Allow content endpoints but block user enumeration

Import / Export

Export

Click Export Settings to download a JSON file containing all current settings: toggle state, error message, endpoint whitelists, and per-role configurations.

Import

Click Choose File, select a previously exported JSON file, then click Import Settings. All settings are validated, sanitized, and merged with defaults before saving.

Reset to Defaults

Click Reset to Defaults to clear all settings and return to the plugin's initial state. This action requires confirmation and cannot be undone.