[WordPress] Plugin Share: REST API Guard

Introduction

  • The WordPress plugin "REST API Guard" was listed on 2022-10-19.
  • It currently has 80 active installations.
  • It was last updated on 2024-03-20, 410 days ago. It has gone more than a year without an update, so before installing, confirm that the version still works with your site and consider the ongoing maintenance risk!
  • The plugin requires WordPress 6.0 or later.
  • The plugin requires the web host to run PHP 8.0 or later.
  • 2 people have rated it.
  • Nobody has asked a question in the support forum yet; usage is probably still low, and no major problems have surfaced so far.

Plugin Contributors

sean212

Plugin Tags

rest-api-guard | alleyinteractive

Description

Restrict and control access to the REST API.

Usage

The WordPress REST API is generally very public and can share a good deal of information with the internet anonymously. This plugin aims to make it easier to restrict access to the REST API for your WordPress site.

Out of the box the plugin can:

Disable anonymous access to the REST API.
Restrict and control anonymous access to the REST API by namespace, path, etc.

Settings Page

The plugin can be configured via the Settings page (Settings -> REST API Guard) or via the relevant filters.

Preventing Access to User Information (wp/v2/users)

By default, the plugin restricts anonymous access to the users endpoint. This can be turned off in the plugin's settings or via code:

add_filter( 'rest_api_guard_allow_user_access', fn () => true );

Preventing Access to the Index (/) or Namespace Endpoints (wp/v2)

To prevent anonymous users from browsing your site and discovering which plugins/post types are set up, the plugin restricts access to the index (/) and namespace (wp/v2) endpoints. This can be turned off in the plugin's settings or via code:

// Allow index access.
add_filter( 'rest_api_guard_allow_index_access', fn () => true );

// Allow namespace access.
add_filter( 'rest_api_guard_allow_namespace_access', fn ( string $namespace ) => true );

Restrict Anonymous Access to the REST API

The plugin can deny every anonymous request to the REST API, either in its settings or via code:

add_filter( 'rest_api_guard_prevent_anonymous_access', fn () => true );

Limit Anonymous Access to Specific Namespaces/Routes (Allowlist)

Anonymous users can be granted access only to specific namespaces/routes. Requests outside of these paths will be denied. This can be configured in the plugin's settings or via code:

add_filter(
	'rest_api_guard_anonymous_requests_allowlist',
	function ( array $paths, WP_REST_Request $request ): array {
		// Other paths not included here will be denied.
		$paths[] = 'wp/v2/post';
		$paths[] = 'custom-namespace/v1/public/*';

		return $paths;
	},
	10,
	2
);

Restrict Anonymous Access to Specific Namespaces/Routes (Denylist)

Anonymous users can be blocked from specific namespaces/routes. This acts as a denylist of paths that anonymous users cannot access. The paths support regular-expression matching. If an allowlist is in use, the allowlist takes priority over this denylist. This can be configured in the plugin's settings or via code:

add_filter(
	'rest_api_guard_anonymous_requests_denylist',
	function ( array $paths, WP_REST_Request $request ): array {
		$paths[] = 'wp/v2/user';
		$paths[] = 'custom-namespace/v1/private/*';

		return $paths;
	},
	10,
	2
);

Original Plugin Description

Restrict and control access to the REST API.

Usage

The WordPress REST API is generally very public and can share a good deal of information with the internet anonymously. This plugin aims to make it easier to restrict access to the REST API for your WordPress site.

Out of the box the plugin can:

Disable anonymous access to the REST API.
Restrict and control anonymous access to the REST API by namespace, path, etc.

Settings Page

The plugin can be configured via the Settings page (Settings -> REST API Guard) or via the relevant filter.

Preventing Access to User Information (wp/v2/users)

By default, the plugin will restrict anonymous access to the users endpoint. This can be prevented in the plugin’s settings or via code:

add_filter( 'rest_api_guard_allow_user_access', fn () => true );

Preventing Access to Index (/) or Namespace Endpoints (wp/v2)

To prevent anonymous users from browsing your site and discovering what plugins/post types are set up, the plugin restricts access to the index (/) and namespace (wp/v2) endpoints. This can be prevented in the plugin’s settings or via code:

// Allow index access.
add_filter( 'rest_api_guard_allow_index_access', fn () => true );

// Allow namespace access.
add_filter( 'rest_api_guard_allow_namespace_access', fn ( string $namespace ) => true );

Restrict Anonymous Access to the REST API

The plugin can restrict anonymous access for any request to the REST API in the plugin’s settings or via code:

add_filter( 'rest_api_guard_prevent_anonymous_access', fn () => true );

Limit Anonymous Access to Specific Namespaces/Routes (Allowlist)

Anonymous users can be granted access only to specific namespaces/routes. Requests outside of these paths will be denied. This can be configured in the plugin’s settings or via code:

add_filter(
	'rest_api_guard_anonymous_requests_allowlist',
	function ( array $paths, WP_REST_Request $request ): array {
		// Other paths not included here will be denied.
		$paths[] = 'wp/v2/post';
		$paths[] = 'custom-namespace/v1/public/*';

		return $paths;
	},
	10,
	2
);

Restrict Anonymous Access to Specific Namespaces/Routes (Denylist)

Anonymous users can be restricted from specific namespaces/routes. This acts as a denylist for specific paths that an anonymous user cannot access. The paths support regular expressions for matching. The use of the allowlist takes priority over this denylist. This can be configured in the plugin’s settings or via code:

add_filter(
	'rest_api_guard_anonymous_requests_denylist',
	function ( array $paths, WP_REST_Request $request ): array {
		$paths[] = 'wp/v2/user';
		$paths[] = 'custom-namespace/v1/private/*';

		return $paths;
	},
	10,
	2
);
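The allowlist and denylist filters above (in both the translated and the original sections) receive the WP_REST_Request, which the plugin's own snippets never use. The following mu-plugin is an added example, not code from REST API Guard, showing a method-aware allowlist for a public blog and a denylist alternative; the route names, the EXAMPLE_REST_POLICY constant and the mu-plugins location are assumptions.

```php
<?php
/**
 * Plugin Name: REST API Guard anonymous-access policy (added example)
 *
 * Example mu-plugin for wp-content/mu-plugins/ (assumed path); it relies only
 * on the two filters documented by the plugin. Per the plugin docs the
 * allowlist takes priority over the denylist, so one policy is chosen here.
 */

// Assumed constant: 'allowlist' (recommended) or 'denylist'. Override in wp-config.php.
if ( ! defined( 'EXAMPLE_REST_POLICY' ) ) {
	define( 'EXAMPLE_REST_POLICY', 'allowlist' );
}

if ( 'allowlist' === EXAMPLE_REST_POLICY ) {
	// Policy A: anonymous callers may only read public content, and only via GET.
	// Every path not added here is denied for anonymous requests.
	add_filter(
		'rest_api_guard_anonymous_requests_allowlist',
		function ( array $paths, WP_REST_Request $request ): array {
			// The request is available, so the policy can depend on the HTTP
			// method: anonymous writes (POST/PUT/DELETE) get no allowlist entry.
			if ( 'GET' !== $request->get_method() ) {
				return $paths;
			}

			$paths[] = 'wp/v2/posts';
			$paths[] = 'wp/v2/categories';
			$paths[] = 'wp/v2/tags';
			$paths[] = 'custom-namespace/v1/public/*'; // Assumed custom endpoint.

			return $paths;
		},
		10,
		2
	);
} else {
	// Policy B: keep the API mostly open but deny the endpoints that enumerate
	// accounts or let an anonymous caller discover content across post types.
	add_filter(
		'rest_api_guard_anonymous_requests_denylist',
		function ( array $paths, WP_REST_Request $request ): array {
			$paths[] = 'wp/v2/users';  // Author login-name enumeration.
			$paths[] = 'wp/v2/search'; // Cross-type content discovery.
			$paths[] = 'custom-namespace/v1/private/*'; // Assumed private endpoint.

			return $paths;
		},
		10,
		2
	);
}
```

After activating it, confirm the policy with an unauthenticated request to /wp-json/wp/v2/users and to one allowlisted route, and check that a non-GET request to an allowlisted route is rejected.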

Require JSON Web Token (JWT) Authentication

Anonymous users can be required to authenticate via a JSON Web Token (JWT) to access the REST API. Users should pass an Authorization: Bearer header with their request. This can be configured in the plugin’s settings or via code:

add_filter( 'rest_api_guard_authentication_jwt', fn () => true );

Out of the box, the plugin will look for a JWT in the Authorization: Bearer header. The JWT will be expected to have an audience of ‘wordpress-rest-api’ and issuer of the site’s URL. This can be configured in the plugin’s settings or via code:

add_filter(
	'rest_api_guard_jwt_audience',
	function ( string $audience ): string {
		return 'custom-audience';
	}
);

add_filter(
	'rest_api_guard_jwt_issuer',
	function ( string $issuer ): string {
		return 'https://example.com';
	}
);

The JWT’s secret will be autogenerated and stored in the database in the rest_api_guard_jwt_secret option. The secret can also be changed via code:

add_filter(
	'rest_api_guard_jwt_secret',
	function ( string $secret ): string {
		return 'my-custom-secret';
	}
);

Allow JWT Authentication for Authenticated Users

Authenticated users can be authenticated with the REST API via a JSON Web Token. Similar to the anonymous JWT authentication, users should pass an Authorization: Bearer header with their request. This can be configured in the plugin’s settings or via code:

add_filter( 'rest_api_guard_user_authentication_jwt', fn () => true );

Generating JWTs for Anonymous and Authenticated Users

JWTs can be generated by calling the wp rest-api-guard generate-jwt [--user=] command or using the Alley\WP\REST_API_Guard\generate_jwt() method:

$jwt = \Alley\WP\REST_API_Guard\generate_jwt(
	expiration: 3600, // Optional. The expiration time in seconds from now.
	user: 1,          // Optional. The user ID to generate the JWT for. Supports `WP_User` or user ID.
);
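The JWT secret defaults to an autogenerated value in the database, which means a database read (backup, SQL injection elsewhere, a stray export) also hands out the signing key. The mu-plugin below is an added example, not code from REST API Guard, that uses the filters and generate_jwt() documented above to take the secret from a wp-config.php constant and to mint short-lived user tokens; REST_API_GUARD_JWT_SECRET and example_mint_short_lived_jwt() are assumed names.

```php
<?php
/**
 * Plugin Name: REST API Guard JWT settings (added example)
 *
 * Example mu-plugin, not part of REST API Guard. REST_API_GUARD_JWT_SECRET is an
 * assumed constant you define in wp-config.php (at least 32 random bytes, e.g.
 * base64-encoded) so the signing key lives with the other site secrets.
 */

// Require a JWT from anonymous callers, and accept JWTs for logged-in users too.
add_filter( 'rest_api_guard_authentication_jwt', '__return_true' );
add_filter( 'rest_api_guard_user_authentication_jwt', '__return_true' );

// Prefer the wp-config.php constant; fall back to the plugin's autogenerated
// option only when the constant is missing or too short to be a real secret.
add_filter(
	'rest_api_guard_jwt_secret',
	function ( string $secret ): string {
		if ( defined( 'REST_API_GUARD_JWT_SECRET' ) && strlen( REST_API_GUARD_JWT_SECRET ) >= 32 ) {
			return REST_API_GUARD_JWT_SECRET;
		}
		return $secret;
	}
);

// Pin audience and issuer explicitly so a token minted for another site or
// another purpose with the same secret is rejected (these match the defaults).
add_filter( 'rest_api_guard_jwt_audience', fn ( string $audience ): string => 'wordpress-rest-api' );
add_filter( 'rest_api_guard_jwt_issuer', fn ( string $issuer ): string => home_url() );

/**
 * Assumed helper: mint a token for an integration (e.g. a cron or WP-CLI script)
 * that acts as the given user. Fifteen minutes is long enough for a batch run
 * and short enough to limit replay if the token leaks from a log or shell history.
 */
function example_mint_short_lived_jwt( int $user_id ): string {
	return \Alley\WP\REST_API_Guard\generate_jwt(
		expiration: 15 * MINUTE_IN_SECONDS,
		user: $user_id,
	);
}
```

The caller then sends the returned string in the Authorization: Bearer header exactly as the plugin documents; rotating the secret is a wp-config.php edit that invalidates every outstanding token at once.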

Downloads for Each Version

  • Method one: click a version number link below to download the ZIP file, then log in to the site's admin dashboard, go to "Plugins" -> "Add New" in the left menu, choose "Upload Plugin" at the top, and upload the downloaded ZIP package to install and activate it.
  • Method two: use the search box on the right of the "Add New" plugin screen and search for the plugin name "REST API Guard" to install it.

(Method two is recommended, as it ensures the installed version matches the WordPress environment you are currently running.)


1.0.0 | 1.0.1 | 1.0.2 | 1.0.3 | 1.1.2 | 1.2.0 | 1.2.1 | 1.3.0 | 1.3.1 | 1.3.2 | trunk

Related Plugins (you may also want to know)

No related plugin recommendations yet.
