Headless REST API Security
Manage access to the WordPress REST API by restricting public endpoints, enabling specific route allow-listing, and handling API key authentication.
5(2 reviews)
·20 active installs·Updated 1 month agoAs of April 2026, Headless REST API Security is a WordPress headless plugin with 20 active installations and a 5/5 rating from 2 reviews. It has been downloaded 333 times in total. Requires WordPress 5.8+ and PHP 7.4+. Available on WordPress.org since 2026. Recently updated within the last 3 months. Top alternative: WPGraphQL.
5/52 reviews
20active installs
333total downloads
3 monthssince 2026
Overview
Running a Headless WordPress site often involves exposing the REST API. Headless REST API Security provides tools for administrators to control which endpoints are accessible to the public or external applications.
This plugin restricts public access to REST API endpoints by default and offers a settings interface to allow-list only the specific routes required by a frontend application (such as Next.js, Gatsby, or mobile apps).
Features
- Access Control: Restrict default public access to REST API endpoints.
- Route Allow-Listing: Specific API routes (e.g.,
/wp/v2/posts) can be enabled while others remain restricted. - API Key Authentication: Supports an
X-API-KEYheader for server-to-server or frontend requests. - Headless Redirect: Option to redirect users accessing the backend API URL to a sp…
Screenshots
Ratings & Reviews
52 reviews
5 ★
2
4 ★
0
3 ★
0
2 ★
0
1 ★
0
Compatibility
| WordPress | 5.8+ requiredTested up to 6.9.4 |
| PHP | 7.4+ required |
Top Alternatives to Headless REST API Security
Frequently Asked Questions
Changelog
2.3
- Fix: Resolved a critical error on the settings page caused by third-party plugin conflicts with REST API initialization.
- Fix: Resolved stable tag and version mismatch issues for WordPress.org compliance.
Contributors
Plugin data sourced from WordPress.org. Analysis and metrics by PluginSift.