🔌 API Security
Secure your WordPress REST API with key management, rate limiting, endpoint control, and CORS management. Lock down your API surface and monitor every request.
What This Solves
The WordPress REST API exposes user data, content, and site structure by default. Without controls, attackers can enumerate users, brute-force via API, and abuse unprotected endpoints. API Security adds key management, rate limiting, endpoint control, and XML-RPC protection.
Who This Module Is For
WooCommerce/Headless Sites with REST API Exposure
If your store or headless frontend talks to WordPress via the REST API, every unprotected endpoint is an open door. API key management and rate limiting keep that door locked.
Sites Integrating with Third-Party Services
Zapier, CRMs, payment gateways, and mobile apps all hit your API. Per-key permissions and CORS controls ensure each integration gets only the access it needs.
Developers Needing API Key Management
Generate, rotate, and revoke keys from the dashboard. Scoped permissions, expiration dates, and usage analytics give you full control over who accesses what.
Key Features
API Key Management
Create, revoke, and rotate API keys with granular permissions. Each key can be scoped to specific endpoints and HTTP methods with configurable expiration dates.
Per-Key Rate Limiting
Set individual rate limits per API key with configurable windows (requests per minute, hour, or day). Burst allowances prevent legitimate traffic spikes from being blocked.
Endpoint Whitelist / Blacklist
Control which REST API endpoints are accessible. Whitelist mode exposes only the endpoints you explicitly allow. Blacklist mode blocks specific endpoints while leaving the rest open.
User Enumeration Prevention
Block /wp-json/wp/v2/users and ?author=N enumeration attempts that attackers use to discover valid usernames before launching brute force attacks.
XML-RPC Disable
Completely disable XML-RPC or restrict it to specific IP addresses. XML-RPC is a legacy protocol frequently abused for brute force amplification and DDoS attacks.
CORS Origin Management
Define allowed origins for cross-origin API requests. Set per-origin rules for methods, headers, and credentials. Prevent unauthorized domains from accessing your API endpoints.
API Request Logging & Analytics
Full request log with endpoint, method, response code, response time, API key used, and client IP. Analytics dashboard shows request volume trends, top endpoints, and error rates.
How It Works
API Security intercepts every REST API and XML-RPC request at the rest_pre_dispatch and xmlrpc_methods hooks. Requests are validated against your configured rules before reaching the endpoint handler, ensuring unauthorized or abusive requests are blocked early.
Request Validation Pipeline
Each incoming API request passes through a multi-layer validation chain:
- Authentication — verify the API key is valid, not expired, and not revoked. Keys are matched via the X-VS-API-Key header or the vs_api_key query parameter
- Authorization — check that the key has permission to access the requested endpoint and HTTP method
- Rate Limiting — verify the key has not exceeded its configured rate limit for the current time window using a sliding window algorithm
- CORS Validation — for cross-origin requests, verify the Origin header against the allowed origins list and set appropriate response headers
- Endpoint Access — check the endpoint against the whitelist or blacklist depending on the configured mode
If any validation step fails, the request is rejected with an appropriate HTTP status code and the event is logged.
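The chain above, written out as a single rest_pre_dispatch filter. This is an added example for illustration, not the plugin's own code: the vs_ function and constant names, the key record layout, the salt, the sample routes and the allowed origin are all assumptions, and the key table is constructed in memory rather than read from the database. Arrow functions require PHP 7.4 or later.

```php
<?php
// Added illustration, not the plugin's code: a rest_pre_dispatch filter that
// runs the validation chain above. The vs_ prefix, the record layout, the
// salt and all sample values are assumptions of this example. Needs PHP 7.4+.

const VS_DEMO_SALT       = 'constructed-demo-salt';              // constructed; use a real secret
const VS_ALLOWED_ORIGINS = ['https://shop.example'];             // constructed allow-list
const VS_ENDPOINT_MODE   = 'whitelist';                          // or 'blacklist'
const VS_ENDPOINT_LIST   = ['/wp/v2/posts', '/wc/v3/orders'];    // constructed

// Constructed key table: only the salted SHA-256 hash is kept. The plaintext
// appears here solely so the example can be traced by hand.
function vs_key_records() {
    return [hash('sha256', VS_DEMO_SALT . 'vs_live_demo_key_0001') => [
        'label' => 'storefront', 'revoked' => false, 'expires_at' => strtotime('2099-01-01'),
        'routes' => ['/wp/v2/posts' => ['GET'], '/wc/v3/orders' => ['GET', 'POST']],
        'rate_limit' => ['max' => 60, 'window' => 60],            // 60 requests per 60 s
    ]];
}

// Sliding window: a transient holds the timestamps of recent hits; entries
// older than the window are dropped on every check before counting.
function vs_rate_limited($key_hash, $max, $window) {
    $bucket = 'vs_rl_' . substr($key_hash, 0, 32);
    $now    = microtime(true);
    $hits   = array_values(array_filter((array) get_transient($bucket), fn($t) => $t > $now - $window));
    if (count($hits) >= $max) {
        return true;
    }
    $hits[] = $now;
    set_transient($bucket, $hits, $window);
    return false;
}

// Log the rejection and return a WP_Error; the REST server maps the 'status'
// data key onto the HTTP response code.
function vs_reject($code, $message, $status, WP_REST_Request $request) {
    error_log(sprintf('[vs-api] %d %s %s: %s', $status, $request->get_method(), $request->get_route(), $message));
    return new WP_Error($code, $message, ['status' => $status]);
}

// Register our origins with WordPress's own CORS handling (rest_send_cors_headers)
// without dropping the site's own origin from the default list.
add_filter('allowed_http_origins', fn($origins) => array_merge($origins, VS_ALLOWED_ORIGINS));

add_filter('rest_pre_dispatch', 'vs_validate_rest_request', 10, 3);
function vs_validate_rest_request($result, WP_REST_Server $server, WP_REST_Request $request) {
    $route  = $request->get_route();
    $method = $request->get_method();
    if (null !== $result || 'OPTIONS' === $method) {
        return $result;   // already answered by another filter, or a CORS preflight (carries no key)
    }
    // 1. Authentication: header first, query parameter as fallback.
    $raw = $request->get_header('X-VS-API-Key') ?: $request->get_param('vs_api_key');
    if (!$raw) {
        return vs_reject('vs_no_key', 'API key required.', 401, $request);
    }
    $hash   = hash('sha256', VS_DEMO_SALT . $raw);
    $record = null;
    foreach (vs_key_records() as $stored => $candidate) {
        if (hash_equals($stored, $hash)) { $record = $candidate; }   // constant-time compare
    }
    if (!$record || $record['revoked'] || $record['expires_at'] < time()) {
        return vs_reject('vs_bad_key', 'Invalid, revoked or expired API key.', 401, $request);
    }
    // 2. Authorization: the key must be scoped to this route and HTTP method.
    $granted = false;
    foreach ($record['routes'] as $prefix => $methods) {
        $granted = $granted || (0 === strpos($route, $prefix) && in_array($method, $methods, true));
    }
    if (!$granted) {
        return vs_reject('vs_forbidden', 'Key is not permitted for this endpoint.', 403, $request);
    }
    // 3. Per-key rate limit.
    if (vs_rate_limited($hash, $record['rate_limit']['max'], $record['rate_limit']['window'])) {
        $server->send_header('Retry-After', (string) $record['rate_limit']['window']);
        return vs_reject('vs_rate_limited', 'Rate limit exceeded.', 429, $request);
    }
    // 4. CORS: browsers enforce CORS, servers do not, so reject a disallowed
    //    Origin outright instead of merely withholding the response headers.
    $origin = $request->get_header('Origin');
    if ($origin && !is_allowed_http_origin($origin)) {
        return vs_reject('vs_cors', 'Origin not allowed.', 403, $request);
    }
    // 5. Endpoint access mode: whitelist passes only listed routes, blacklist blocks them.
    $listed = (bool) array_filter(VS_ENDPOINT_LIST, fn($p) => 0 === strpos($route, $p));
    if (('whitelist' === VS_ENDPOINT_MODE) !== $listed) {
        return vs_reject('vs_endpoint_blocked', 'Endpoint not available.', 404, $request);
    }
    return null;   // every check passed: dispatch to the endpoint handler
}
```

Returning a WP_Error from rest_pre_dispatch short-circuits the request, and WordPress uses the `status` entry to set the HTTP code, so the handler never runs. Preflight OPTIONS requests are passed through because they never carry an API key; WordPress's own handler answers them, and rest_send_cors_headers emits the Access-Control headers for the origins registered via allowed_http_origins.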
API Key Lifecycle
API keys follow a complete lifecycle from creation to expiration:
- Generate keys with a descriptive label and optional expiration date
- Assign endpoint-level permissions (read, write, or both)
- Set per-key rate limits independent of global limits
- Monitor usage statistics per key (total requests, last used, error rate)
- Rotate keys with a configurable overlap period for zero-downtime transitions
- Revoke keys immediately when compromised
Keys are stored as salted SHA-256 hashes in the database. The full key is shown only once at creation time and cannot be retrieved afterward.
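The lifecycle steps above as a small set of functions, added here as an illustration and not taken from the plugin. Storage in a `vs_api_keys` option, the `vs_live_<id>_<secret>` token format (the id rides inside the token so verification costs one hash rather than one per stored key), per-key salts and the vs_ names are all assumptions of this example.

```php
<?php
// Added illustration of the key lifecycle, not the plugin's code. The
// 'vs_api_keys' option, the vs_live_<id>_<secret> token format, per-key salts
// and the vs_ names are assumptions of this example.

function vs_load_keys()         { return get_option('vs_api_keys', []); }
function vs_save_keys(array $k) { update_option('vs_api_keys', $k, false); }

// Generate. Returns [id, plaintext]; the plaintext is never written anywhere,
// so this is the only moment it can be shown to the user.
function vs_create_key($label, $expires_at = null, $rate_limit = 60) {
    $id    = bin2hex(random_bytes(6));
    $plain = sprintf('vs_live_%s_%s', $id, bin2hex(random_bytes(24)));   // 192-bit secret
    $salt  = bin2hex(random_bytes(16));
    $keys  = vs_load_keys();
    $keys[$id] = [
        'label'      => $label,
        'salt'       => $salt,
        'hash'       => hash('sha256', $salt . $plain),
        'created_at' => time(),
        'expires_at' => $expires_at,          // null = never
        'revoked'    => false,
        'rate_limit' => $rate_limit,
        'last_used'  => null,
        'requests'   => 0,
    ];
    vs_save_keys($keys);
    return [$id, $plain];
}

// Verify a presented token. Returns the record (with usage counters bumped)
// or null. hash_equals keeps the comparison constant-time.
function vs_verify_key($plain) {
    $parts = explode('_', (string) $plain, 4);           // vs, live, id, secret
    if (count($parts) !== 4) {
        return null;
    }
    $keys = vs_load_keys();
    $id   = $parts[2];
    if (!isset($keys[$id])) {
        return null;
    }
    $rec = $keys[$id];
    if (!hash_equals($rec['hash'], hash('sha256', $rec['salt'] . $plain))) {
        return null;
    }
    if ($rec['revoked'] || ($rec['expires_at'] !== null && $rec['expires_at'] < time())) {
        return null;
    }
    $keys[$id]['last_used'] = time();                    // per-key usage statistics
    $keys[$id]['requests']++;
    vs_save_keys($keys);
    return $keys[$id] + ['id' => $id];
}

// Rotate: issue a replacement and let the old key keep working for $overlap
// seconds (default one day) so clients can be switched with no downtime.
function vs_rotate_key($old_id, $overlap = 86400) {
    $old = vs_load_keys()[$old_id] ?? null;
    if (!$old) {
        return null;
    }
    [$new_id, $plain] = vs_create_key($old['label'], $old['expires_at'], $old['rate_limit']);
    $keys   = vs_load_keys();                             // reload: vs_create_key just wrote it
    $cutoff = time() + $overlap;
    $keys[$old_id]['expires_at'] = $old['expires_at'] === null ? $cutoff : min($old['expires_at'], $cutoff);
    vs_save_keys($keys);
    return [$new_id, $plain];
}

// Revoke: takes effect on the very next request, with no grace period.
function vs_revoke_key($id) {
    $keys = vs_load_keys();
    if (!isset($keys[$id])) {
        return false;
    }
    $keys[$id]['revoked'] = true;
    vs_save_keys($keys);
    return true;
}
```

Because only the salted hash is persisted, a database dump does not yield usable keys, and a forgotten key can only be replaced, not recovered. Rotation deliberately caps the old key's lifetime at whichever comes first, its existing expiry or the overlap window, so a rotation can never extend a key that was already due to expire.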
XML-RPC Protection
XML-RPC (xmlrpc.php) is a legacy WordPress API that supports the system.multicall method, allowing attackers to test hundreds of username/password combinations in a single HTTP request. API Security can disable XML-RPC entirely, or restrict access to specific IP addresses for legitimate use cases like the WordPress mobile app or Jetpack.
When XML-RPC is disabled, the plugin returns a proper 403 Forbidden response and removes the X-Pingback header and RSD link from the HTML source to prevent discovery of the endpoint.
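The XML-RPC controls described above as WordPress hooks, added here for illustration and not copied from the plugin. The VS_XMLRPC_ALLOWED_IPS list is constructed; an empty list turns XML-RPC off for everyone.

```php
<?php
// Added illustration of the XML-RPC controls described above, not the
// plugin's code. VS_XMLRPC_ALLOWED_IPS is a constructed allow-list.

const VS_XMLRPC_ALLOWED_IPS = ['203.0.113.10'];   // constructed (RFC 5737 documentation range)

// 1. Answer xmlrpc.php with a real 403 unless the client is allow-listed.
//    XMLRPC_REQUEST is defined by xmlrpc.php before WordPress loads, so 'init'
//    is early enough to stop the call before any method is dispatched.
//    REMOTE_ADDR is the TCP peer; behind a trusted proxy substitute the
//    address that proxy passes on, never a raw client-supplied header.
add_action('init', function () {
    if (!defined('XMLRPC_REQUEST') || !XMLRPC_REQUEST) {
        return;
    }
    $client = $_SERVER['REMOTE_ADDR'] ?? '';
    if (in_array($client, VS_XMLRPC_ALLOWED_IPS, true)) {
        return;
    }
    error_log(sprintf('[vs-api] 403 xmlrpc.php from %s', $client));
    status_header(403);
    nocache_headers();
    header('Content-Type: text/plain; charset=utf-8');
    exit('XML-RPC is disabled on this site.');
}, 0);

// 2. Even for allow-listed clients, drop system.multicall so one HTTP request
//    cannot carry hundreds of login attempts, and pingback.ping so the site
//    cannot be used as a reflector. The mobile app and Jetpack need neither.
add_filter('xmlrpc_methods', function (array $methods) {
    unset($methods['system.multicall'], $methods['pingback.ping']);
    return $methods;
});

// 3. Stop advertising the endpoint: no X-Pingback response header and no RSD
//    <link> in the page head.
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
add_filter('pings_open', '__return_false');   // nothing left for pingback clients to target
```

The order matters: the 403 in step 1 runs at priority 0 on init and terminates the request, so steps 2 and 3 only come into play for allow-listed clients and for ordinary page loads. Removing the discovery hints does not by itself protect xmlrpc.php, which is why the hard 403 comes first.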
Why Upgrade API Security to Pro
Free locks down your REST API. Pro adds extended request history for investigating API abuse patterns, PDF reports documenting API usage and security events for stakeholders, and priority support for complex integration environments like headless WordPress and WooCommerce. See this data in your cloud dashboard — alongside all your other sites.
Free vs Pro
Free locks down your REST API. Pro adds longer request history for abuse investigation, PDF reports, and priority support for integration-heavy sites.
| Feature | Free | Pro |
|---|---|---|
| API key management | ✓ | ✓ |
| Rate limiting | ✓ | ✓ Advanced |
| Endpoint control | ✓ | ✓ |
| XML-RPC protection | ✓ | ✓ |
| API request log history | 7 days | Up to 10 years |
| PDF API reports | ✗ | ✓ |
| Priority support | Community | 24h email |
| Price | €0 forever | €79/year (10 sites), €6.50/mo |
All Pro features included in the Pro plan at €79/year (10 sites). Managing client sites? See Agency plan →
Ready to Lock Down Your API?
Install API Security from the WordPress plugin directory and take control of your REST API in minutes.