API Write Blocker is a security-focused plugin that prevents unauthorized or anonymous users from executing write operations through REST API, XML-RPC, and Admin-Ajax interfaces.
Unlike generic API blockers, this plugin enables fine-grained control over which HTTP methods (POST, PUT/PATCH, DELETE) are allowed, supports whitelist-based exceptions, and protects core endpoints without interfering with legitimate functionalities such as contact form submissions or plugin integrations.
🔐 Key Features
REST API Method-Level Blocking
* Independently block POST, PUT/PATCH, and DELETE requests.
* Whitelist specific REST routes (prefix match supported) to allow legitimate access (e.g., contact forms).
* Configure a custom HTTP status code and error message per request type.
XML-RPC Write Operation Blocking
* Disable only dangerous write-related XML-RPC methods (e.g., wp.newPost, metaWeblog.editPost) while keeping harmless calls untouched.
* Return a custom status code and error message for blocked XML-RPC operations.
Admin-Ajax Write Protection
* Blocks known sensitive write-related Ajax actions (e.g., save-post, upload-attachment) for unauthenticated users.
* Whitelist specific actions used by safe plugins like Contact Form 7.
Flexible Exceptions
* Authenticated users are always allowed by default.
* IP Whitelist support (including CIDR ranges) for external systems or trusted clients.
Custom Response Messages
* Return custom error messages and HTTP status codes for each interface: REST, XML-RPC, and Admin-Ajax.
This plugin is ideal for hardening your WordPress site without breaking functionality.
