cedaro/wprestcop

A WordPress plugin for managing access to the WP REST API.

Maintainers

Details

github.com/cedaro/wprestcop

Homepage

Source

Issues

Installs: 169

Dependents: 0

Suggesters: 0

Security: 0

Stars: 70

Watchers: 11

Forks: 11

Open Issues: 2

Type:wordpress-plugin

v1.0.0 2016-02-06 01:31 UTC

Requires

Requires (Dev)

GPL-2.0+ 818de512ab02885fc32f6719cc1b105af09ed519

wordpress

This package is auto-updated.

Last update: 2024-12-29 05:04:45 UTC

README

Manage access to the WP REST API with rate limits and IP-based rules.

Contributors: Brady Vercher Requires: WP 4.4+, PHP 5.4+ Tested up to: 4.4 License: GPL-2.0+

Rate Limits

Rate limits allow for configuring the number of requests a client can make within a certain interval. The default in WP Rest Cop is 500 requests per hour.

The rate limit functionality requires a persistent object cache.

Headers

A few headers are sent with every request so clients can keep track of their current limit:

If client has reached their limit, an additional header will be sent.

Clients may send a HEAD request to view their current limit without ticking the meter.

Configuring Settings

Configure the default limit and interval settings using the simple API from the main plugin instance:

<?php
/**
 * Set the rate limit to 10 requests every 5 minutes.
 */
add_action( 'wprestcop_plugin_loaded', function( $wprestcop ) {
	$wprestcop
		->set_limit( 10 )
		->set_interval( 5 * MINUTE_IN_SECONDS );
} );

Settings can also be configured with the built-in WP CLI commands.

Disable Rate Limiting

If you just want the IP rules functionality and want to disable the rate limits, set the interval to -1.

IP Rules

IP rules can be configured globally, or at the route level as a simple whitelist or blacklist.

Global Configuration

<?php
/**
 * Global IP rules configuration.
 */
add_action( 'wprestcop_plugin_loaded', function( $wprestcop ) {
	$wprestcop->get_ip_rules()
		->allow( '192.168.50.4' ); // Also accepts an array of IP addresses.

	// Or...

	$wprestcop->get_ip_rules()
		->deny( '66.249.66.1' ); // Also accepts an array of IP addresses.
} );

When allowing an IP address, the policy is to deny any requests from IPs not in the whitelist.

The opposite is true when denying IP addresses. All IPs not in the blacklist will have access.

Global IP rules can also be configured with the built-in WP CLI commands.

Route Configuration

Routes may also be configured with their own IP rules:

<?php
/**
 * Register routes.
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/internal/(?P<id>\d+)', [
        'methods'  => 'GET',
        'callback' => 'my_awesome_expensive_func',
        'ips'      => [
            'allow' => [ '192.168.50.4' ],
            'deny'  => [ '66.249.66.1' ],
        ]
    ] );
} );

WP CLI Commands

A few WP CLI commands are included to configure the plugin without requiring code.

Potential Roadmap

  • Support for logging various events.
  • Additional rate limit strategies.
  • More route-level capabilities.
  • Advanced access rules.
  • Administration UI.