API Security
Protect your WordPress REST API and XML-RPC endpoints with API key authentication, rate limiting, endpoint control, user enumeration prevention, and detailed request logging.
Overview
The VistoShield API Security plugin provides a comprehensive security layer for your WordPress API surface. It covers the REST API, XML-RPC, and AJAX endpoints, giving you full control over who can access your API and how frequently.
Key capabilities include:
- API key creation, rotation, and revocation with per-key permissions
- Header-based authentication using
X-VS-API-Key - Configurable rate limiting per key, per IP, or per endpoint
- Endpoint whitelisting and blacklisting
- User enumeration prevention on REST API and author archives
- XML-RPC fine-grained control (disable entirely or restrict specific methods)
- CORS configuration for cross-origin API access
- Full API request logging with filtering and export
Installation & Activation
- Upload the
vistoshield-api-securityfolder towp-content/plugins/ - Navigate to Plugins → Installed Plugins in your WordPress admin
- Click Activate next to VistoShield API Security
- Go to VistoShield → API Security to begin configuration
API Key Management
Manage API keys from VistoShield → API Security → Keys. Each key has the following properties:
| Property | Description |
|---|---|
| Label | A human-readable name for identifying the key (e.g., “Mobile App”, “Monitoring Service”) |
| Key | A 64-character cryptographically random string, shown once at creation |
| Permissions | Read-only, Read-Write, or Full Access (includes user management endpoints) |
| Allowed IPs | Optional list of IP addresses or CIDR ranges permitted to use this key |
| Expiration | Optional expiry date after which the key is automatically deactivated |
| Rate Limit | Maximum requests per minute for this specific key (overrides global limit) |
Keys can be rotated (generates a new key string while preserving all settings) or revoked (immediately deactivated with all permissions removed).
Authentication
When enforcement is enabled, all REST API requests (except those to whitelisted endpoints) must include a valid API key in the X-VS-API-Key HTTP header:
curl -H "X-VS-API-Key: your-api-key-here" https://example.com/wp-json/wp/v2/postsAuthentication modes:
| Mode | Behavior |
|---|---|
| Disabled | No API key required. Standard WordPress authentication (cookie/nonce) still applies. |
| Monitor | Logs requests without valid keys but does not block them. |
| Enforce | Rejects unauthenticated API requests with a 401 Unauthorized response. |
Rate Limiting
Configure rate limits from VistoShield → API Security → Rate Limiting:
| Setting | Default | Description |
|---|---|---|
| Global Rate Limit | 60 req/min | Maximum requests per minute across all unauthenticated requests per IP |
| Authenticated Rate Limit | 120 req/min | Maximum requests per minute for requests with a valid API key |
| Burst Allowance | 10 | Number of extra requests allowed in a short burst before rate limiting kicks in |
| Lockout Duration | 60 seconds | How long an IP/key is blocked after exceeding the rate limit |
Rate-limited responses return 429 Too Many Requests with a Retry-After header indicating when the client can retry.
Endpoint Control
Fine-tune which endpoints are accessible from VistoShield → API Security → Endpoints:
- Whitelist — Endpoints that never require API key authentication (e.g., public content endpoints)
- Blacklist — Endpoints that are completely disabled and return
403 Forbidden
Endpoint patterns support wildcards. For example, /wp/v2/users/* matches all user-related endpoints.
User Enumeration Prevention
Prevents attackers from discovering valid usernames through:
- REST API — Blocks unauthenticated access to
/wp/v2/usersand user-specific endpoints - Author Archives — Blocks
?author=Nenumeration scans - Login Error Messages — Replaces specific error messages with a generic “Invalid credentials” response
- oEmbed — Removes author name from oEmbed discovery responses
XML-RPC Settings
Control XML-RPC access from the XML-RPC tab:
| Option | Description |
|---|---|
| Disable Completely | Blocks all requests to xmlrpc.php with a 403 response |
| Disable Pingbacks Only | Removes the pingback.ping method while keeping other methods active |
| Allowed Methods | Whitelist of specific XML-RPC methods that remain accessible |
| Allowed IPs | Restrict XML-RPC access to specific IP addresses or ranges |
CORS Configuration
Manage Cross-Origin Resource Sharing headers from VistoShield → API Security → CORS:
| Setting | Default | Description |
|---|---|---|
| Allowed Origins | Same origin only | List of domains permitted to make cross-origin API requests |
| Allowed Methods | GET, POST | HTTP methods permitted in cross-origin requests |
| Allowed Headers | Content-Type, X-VS-API-Key | Request headers permitted in cross-origin requests |
| Max Age | 3600 | Seconds that preflight responses can be cached by the browser |
* permits any domain to make API requests to your site. Only use this for fully public APIs with no sensitive data.
API Request Logging
All API requests are logged in VistoShield → API Security → Logs with the following details:
- Timestamp, source IP, and geolocation
- HTTP method, endpoint URI, and response status code
- API key used (if any) and associated label
- Response time in milliseconds
- Whether the request was blocked and the reason
Logs can be filtered by date range, status code, API key, or IP address, and exported as CSV for external analysis.
FAQ
Will this break my site’s Gutenberg editor?
No. The Gutenberg editor uses authenticated REST API calls with WordPress nonce cookies. These requests are handled separately from external API key authentication and are not affected by enforcement mode.
Can I use multiple API keys for the same application?
Yes. You can create as many keys as needed. This is useful for key rotation, where you create a new key, update your application, then revoke the old key.
How are rate limits tracked?
Rate limits use a sliding window algorithm stored in the WordPress object cache (or transients if no persistent cache is available). For high-traffic sites, a persistent object cache like Redis is recommended.
Does disabling XML-RPC affect the Jetpack plugin?
Jetpack requires XML-RPC for some features. If you use Jetpack, choose the “Disable Pingbacks Only” option instead of disabling XML-RPC completely, and add Automattic’s IP ranges to the Allowed IPs list.