MaxtDesign

Features

How It Works

The plugin hooks the rest_authentication_errors filter, the mechanism WordPress itself provides for REST API authentication checks, to intercept requests before any endpoint handler runs. Returning a WP_Error from that filter makes WordPress answer with the error instead of dispatching the request; returning null lets the request continue through WordPress's own remaining checks.

Request Flow

  1. A REST API request comes in.
  2. WordPress runs the rest_authentication_errors filter; the plugin's callback is hooked at priority 99.
  3. The plugin checks whether the API is disabled. If it is not, the request passes through untouched.
  4. If it is disabled, the plugin checks whether the user is logged in.
  5. Logged in: check the per-role restrictions and, for a restricted role, that role's own whitelist.
  6. Not logged in: check the global endpoint whitelist.
  7. If the route is whitelisted, allow it. If not, return a WP_Error with HTTP status 401.

    Blocked requests exit before any endpoint logic executes, so the only cost of a blocked request is the WordPress bootstrap itself: no endpoint callback, controller, or query runs.

    One-Click Disable

    A single toggle blocks all REST API access for unauthenticated visitors. No configuration needed for the basic use case.

    Endpoint Auto-Discovery

    The plugin discovers all registered REST API endpoints at runtime using WordPress's rest_get_server()->get_routes(). This includes:

  • WordPress core endpoints (wp/v2)
  • Plugin endpoints (contact-form-7, wc/store, jetpack, etc.)
  • Theme endpoints
  • Custom endpoints from any code that registers REST routes
    Endpoints are organized into a collapsible namespace tree with:

  • Namespace-level checkboxes (whitelist an entire namespace)
  • Individual route checkboxes
  • Select All / Deselect All buttons per namespace
  • Route count per namespace
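    The grouping behind such a tree can be built directly from the route list the server reports. The code below is an added example, not the plugin's own code: mdra_example_route_tree() is a hypothetical helper, and the sample route data is constructed in the shape WP_REST_Server::get_routes() returns.

```php
<?php
/**
 * Added example (not the plugin's code): group the routes reported by
 * WP_REST_Server::get_routes() under their namespaces, the way a namespace
 * tree with a per-namespace route count would. mdra_example_route_tree()
 * and the sample data are constructed for this example.
 */

/**
 * @param array    $routes     Route pattern => handler list, as get_routes() returns it.
 * @param string[] $namespaces Namespace names, as get_namespaces() returns them.
 * @return array   namespace => list of route patterns; '' holds routes outside every namespace.
 */
function mdra_example_route_tree( array $routes, array $namespaces ) {
	// Try the longest namespace first, so '/wc/store/v1/cart' is filed under
	// 'wc/store/v1' rather than under a shorter parent such as 'wc/store'.
	usort( $namespaces, function ( $a, $b ) {
		return strlen( $b ) - strlen( $a );
	} );

	$tree = array();
	foreach ( array_keys( $routes ) as $route ) {
		$owner = '';
		foreach ( $namespaces as $ns ) {
			// A route belongs to a namespace when it is the namespace index
			// ('/wp/v2') or starts with the namespace followed by a slash.
			if ( $route === '/' . $ns || 0 === strpos( $route, '/' . $ns . '/' ) ) {
				$owner = $ns;
				break;
			}
		}
		$tree[ $owner ][] = $route;
	}
	ksort( $tree );
	return $tree;
}

// Constructed sample in the shape get_routes() returns (the values are the
// handler lists, which do not matter here). Route keys are regex patterns,
// so a whitelist has to store them verbatim.
$sample_routes = array(
	'/'                                => array(),
	'/wp/v2'                           => array(),
	'/wp/v2/posts'                     => array(),
	'/wp/v2/posts/(?P<id>[\d]+)'       => array(),
	'/contact-form-7/v1'               => array(),
	'/contact-form-7/v1/contact-forms' => array(),
	'/wc/store/v1'                     => array(),
	'/wc/store/v1/cart'                => array(),
);
$sample_namespaces = array( 'wp/v2', 'contact-form-7/v1', 'wc/store/v1' );

$tree = mdra_example_route_tree( $sample_routes, $sample_namespaces );
foreach ( $tree as $ns => $list ) {
	printf( "%s (%d routes)\n", '' === $ns ? '(root)' : $ns, count( $list ) );
}

// Inside WordPress the same function takes live data. rest_get_server() fires
// rest_api_init on first use, so plugin and theme routes are registered by then.
if ( function_exists( 'rest_get_server' ) ) {
	$server = rest_get_server();
	$tree   = mdra_example_route_tree( $server->get_routes(), $server->get_namespaces() );
}
```

    Two things to keep in mind when the tree feeds a whitelist UI: the route keys are regular expressions (for example `(?P<id>[\d]+)`), so they must be stored unchanged and matched with preg_match the way WordPress matches a request to a handler; and get_routes() only lists routes that were registered during the request that renders the settings page, so a route a plugin registers conditionally (only when one of its features is enabled, say) will not appear until that condition holds.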
    Per-Role Access Control

    Beyond the global toggle, you can restrict specific user roles:

  • Each role gets its own restricted/unrestricted toggle
  • Restricted roles get their own endpoint whitelist
  • Role restrictions apply even when "Allow all logged-in users" is enabled
  • Multiple roles on a single user: if ANY role is restricted, the restriction applies
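    The following puts the Request Flow above and these per-role rules into one rest_authentication_errors callback. It is an added example written for this page, not the plugin's own code: every mdra_example_* name and the settings layout are assumptions, since the plugin's real option format is not shown here.

```php
<?php
/**
 * Added example (not the plugin's code): a rest_authentication_errors callback
 * that implements the request flow and per-role rules described on this page.
 * All mdra_example_* names and the settings layout are assumptions made for
 * this example; the plugin's real option format is not shown on the page.
 */

// Settings read once per request and cached in a static (assumed layout).
function mdra_example_settings() {
	static $cached = null;
	if ( null === $cached ) {
		$cached = wp_parse_args( get_option( 'mdra_example_settings', array() ), array(
			'disabled'         => true,                         // the one-click toggle
			'allow_logged_in'  => true,                         // "Allow all logged-in users"
			'whitelist'        => array( 'contact-form-7/v1' ), // visitors: namespaces or route patterns
			'restricted_roles' => array(                        // role => that role's own whitelist
				'subscriber' => array( '/wp/v2/users/me' ),
			),
		) );
	}
	return $cached;
}

// An entry is a namespace ('wp/v2') or a route pattern exactly as get_routes()
// reports it ('/wp/v2/posts/(?P<id>[\d]+)'). Patterns are matched the way
// WP_REST_Server matches a request to a handler.
function mdra_example_route_allowed( $route, array $whitelist ) {
	foreach ( $whitelist as $entry ) {
		if ( '' === $entry ) {
			continue;
		}
		if ( '/' === $entry[0] ) {
			if ( preg_match( '@^' . $entry . '$@i', $route ) ) {
				return true;
			}
		} elseif ( $route === '/' . $entry || 0 === strpos( $route, '/' . $entry . '/' ) ) {
			return true;
		}
	}
	return false;
}

function mdra_example_deny() {
	return new WP_Error(
		'mdra_example_rest_disabled',
		__( 'REST API access is restricted on this site.' ),
		array( 'status' => 401 )
	);
}

function mdra_example_gate( $result ) {
	// An earlier callback (for example Application Passwords) already failed
	// the request: hand its error through untouched.
	if ( ! empty( $result ) ) {
		return $result;
	}

	$s = mdra_example_settings();
	if ( empty( $s['disabled'] ) ) {
		return $result;
	}

	// Route of the current request. WordPress fills this query var for both
	// /wp-json/... and ?rest_route=... requests (the same source rest_api_loaded() reads).
	$route = untrailingslashit( $GLOBALS['wp']->query_vars['rest_route'] ?? '' );
	if ( '' === $route ) {
		$route = '/';
	}

	if ( is_user_logged_in() ) {
		$roles      = wp_get_current_user()->roles;
		$restricted = array_intersect_key( $s['restricted_roles'], array_flip( $roles ) );
		if ( ! empty( $restricted ) ) {
			// Any restricted role restricts the user. This example accepts a
			// route if any restricted role's whitelist allows it; how the
			// plugin merges several restricted roles is not stated on the page.
			$whitelist = array_merge( ...array_values( $restricted ) );
		} elseif ( ! empty( $s['allow_logged_in'] ) ) {
			return $result;   // unrestricted logged-in user: pass through
		} else {
			$whitelist = $s['whitelist'];   // assumption: fall back to the visitor whitelist
		}
	} else {
		$whitelist = $s['whitelist'];
	}

	// Allowed requests return $result (null), never true: true would
	// short-circuit WordPress's own rest_cookie_check_errors (priority 100),
	// which enforces the nonce on cookie-authenticated sessions.
	return mdra_example_route_allowed( $route, $whitelist ) ? $result : mdra_example_deny();
}

add_filter( 'rest_authentication_errors', 'mdra_example_gate', 99 );
```

    Three caveats a practitioner should check against any implementation of this flow. First, at priority 99 is_user_logged_in() is true for any valid auth cookie, nonce or not; passing null through for allowed requests lets WordPress's cookie check at priority 100 downgrade a nonce-less browser session to anonymous before the endpoint runs, which is what keeps cross-site requests from riding on the cookie. Second, the filter only fires for requests served over HTTP by WP_REST_Server::serve_request(); internal rest_do_request() calls, such as the block editor's preloaded data, dispatch directly and are not gated. Third, the block editor itself depends on wp/v2, so restricting an editing role without whitelisting that namespace breaks the post editor for that role.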
    Smart Defaults

    On activation, the plugin detects known plugins and whitelists their required endpoints:

  • Contact Form 7: contact-form-7 namespace
  • WooCommerce: wc/store and wc/store/v1 namespaces

    Compatibility warnings appear on the settings page if the plugin detects an active plugin whose endpoints are not whitelisted.

    Known plugin detection covers: Contact Form 7, WooCommerce, Jetpack, WPForms.

    Performance

  • Zero frontend footprint — No CSS, JavaScript, or HTTP requests on public pages
  • Admin assets load only on the plugin's own settings page (hook_suffix check)
  • Single autoloaded option — One wp_options entry, autoloaded by WordPress
  • In-memory caching — Settings are read once per request and cached in a PHP property
  • Early exit — Blocked requests return before endpoint logic runs
    Import / Export

  • Export all settings as JSON (toggle state, whitelists, per-role configs)
  • Import previously exported JSON with full validation and sanitization
  • Reset to defaults with confirmation dialog
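    An import replaces the site's whole access policy, so the validation step matters as much as the format. The code below is an added example, not the plugin's own import code: the mdra_example_* names, the form field and action names, and the settings layout are assumptions. It keeps only whitelist entries that match a registered route pattern or namespace, drops unknown role names, coerces the toggles to booleans, and requires the manage_options capability plus an admin nonce before touching the option.

```php
<?php
/**
 * Added example (not the plugin's code): validate and sanitize an imported
 * settings JSON before it is saved. Names prefixed mdra_example_ and the
 * settings layout are assumptions made for this example.
 */

// Keep only entries that are a registered namespace or a registered route
// pattern, so a crafted file cannot write arbitrary strings into the option.
function mdra_example_clean_whitelist( $list, array $routes, array $namespaces ) {
	if ( ! is_array( $list ) ) {
		return array();
	}
	$kept = array();
	foreach ( $list as $entry ) {
		if ( is_string( $entry ) && ( in_array( $entry, $routes, true ) || in_array( $entry, $namespaces, true ) ) ) {
			$kept[ $entry ] = true;   // keyed by entry to drop duplicates
		}
	}
	return array_keys( $kept );
}

/**
 * @return array|WP_Error Sanitized settings, or an error if the JSON is unusable.
 */
function mdra_example_sanitize_import( $json, array $routes, array $namespaces, array $roles ) {
	$data = json_decode( $json, true );
	if ( ! is_array( $data ) ) {
		return new WP_Error( 'mdra_example_bad_import', 'The import file is not a JSON object.' );
	}
	$clean = array(
		'disabled'         => ! empty( $data['disabled'] ),         // toggles are coerced, not trusted
		'allow_logged_in'  => ! empty( $data['allow_logged_in'] ),
		'whitelist'        => mdra_example_clean_whitelist( $data['whitelist'] ?? array(), $routes, $namespaces ),
		'restricted_roles' => array(),
	);
	$imported_roles = $data['restricted_roles'] ?? array();
	if ( is_array( $imported_roles ) ) {
		foreach ( $imported_roles as $role => $list ) {
			if ( is_string( $role ) && in_array( $role, $roles, true ) ) {   // unknown role names are dropped
				$clean['restricted_roles'][ $role ] = mdra_example_clean_whitelist( $list, $routes, $namespaces );
			}
		}
	}
	return $clean;
}

// Handler for the settings page's import form (assumed field and action names).
// Capability and nonce checks come first: an import rewrites the access policy.
function mdra_example_handle_import() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Forbidden', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'mdra_example_import' );

	$server = rest_get_server();
	$clean  = mdra_example_sanitize_import(
		wp_unslash( $_POST['settings_json'] ?? '' ),
		array_keys( $server->get_routes() ),
		$server->get_namespaces(),
		array_keys( wp_roles()->get_names() )
	);
	if ( is_wp_error( $clean ) ) {
		wp_die( esc_html( $clean->get_error_message() ) );
	}
	update_option( 'mdra_example_settings', $clean, true );   // one autoloaded option
	wp_safe_redirect( wp_get_referer() ?: admin_url() );
	exit;
}
add_action( 'admin_post_mdra_example_import', 'mdra_example_handle_import' );
```

    Validating against the live route list has one side effect worth knowing: an export taken while a plugin was active loses that plugin's routes if it is imported on a site where the plugin is not installed, which is the safe outcome, since a whitelist entry for a route that does not exist would otherwise sit unused until something registered a route with that name.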
    Clean Uninstall

    When the plugin is deleted (not deactivated):

  • Removes mdra_settings option
  • Multisite: cleans up across all network sites
  • No custom tables, no transients, no user meta to clean

    Deactivation preserves settings for reactivation.

    Translation Support

    Fully translation-ready with .pot file at languages/maxtdesign-disable-rest-api.pot.