WordPress Plugin

🔌 API Security

Secure your WordPress REST API with key management, rate limiting, endpoint control, and CORS management. Lock down your API surface and monitor every request.

Key Features

🔑 API Key Management

Create, revoke, and rotate API keys with granular permissions. Each key can be scoped to specific endpoints and HTTP methods with configurable expiration dates.

Per-Key Rate Limiting

Set individual rate limits per API key with configurable windows (requests per minute, hour, or day). Burst allowances prevent legitimate traffic spikes from being blocked.

🚫 Endpoint Whitelist / Blacklist

Control which REST API endpoints are accessible. Whitelist mode exposes only the endpoints you explicitly allow. Blacklist mode blocks specific endpoints while leaving the rest open.

👥 User Enumeration Prevention

Block /wp-json/wp/v2/users and ?author=N enumeration attempts that attackers use to discover valid usernames before launching brute force attacks.

🛇 XML-RPC Disable

Completely disable XML-RPC or restrict it to specific IP addresses. XML-RPC is a legacy protocol frequently abused for brute force amplification and DDoS attacks.

🌐 CORS Origin Management

Define allowed origins for cross-origin API requests. Set per-origin rules for methods, headers, and credentials. Prevent unauthorized domains from accessing your API endpoints.

📊 API Request Logging & Analytics

Full request log with endpoint, method, response code, response time, API key used, and client IP. Analytics dashboard shows request volume trends, top endpoints, and error rates.

How It Works

API Security intercepts every REST API and XML-RPC request at the rest_pre_dispatch and xmlrpc_methods hooks. Requests are validated against your configured rules before reaching the endpoint handler, ensuring unauthorized or abusive requests are blocked early.

Request Validation Pipeline

Each incoming API request passes through a multi-layer validation chain:

  • Authentication — verify the API key is valid, not expired, and not revoked. Keys are matched via the X-VS-API-Key header or vs_api_key query parameter
  • Authorization — check that the key has permission to access the requested endpoint and HTTP method
  • Rate Limiting — verify the key has not exceeded its configured rate limit for the current time window using a sliding window algorithm
  • CORS Validation — for cross-origin requests, verify the Origin header against the allowed origins list and set appropriate response headers
  • Endpoint Access — check the endpoint against the whitelist or blacklist depending on the configured mode

If any validation step fails, the request is rejected with an appropriate HTTP status code and the event is logged.

API Key Lifecycle

API keys follow a complete lifecycle from creation to expiration:

  • Generate keys with a descriptive label and optional expiration date
  • Assign endpoint-level permissions (read, write, or both)
  • Set per-key rate limits independent of global limits
  • Monitor usage statistics per key (total requests, last used, error rate)
  • Rotate keys with a configurable overlap period for zero-downtime transitions
  • Revoke keys immediately when compromised

Keys are stored as salted SHA-256 hashes in the database. The full key is shown only once at creation time and cannot be retrieved afterward.
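The following is an added example, not the plugin's own code, showing how the first three stages of the validation pipeline (authentication against salted SHA-256 hashes, endpoint and method authorization, and a sliding-window rate limit) could be implemented on the rest_pre_dispatch hook described above. The option name vs_example_keys and the key record layout (hash, salt, revoked, expires, scopes, limit, window) are assumptions; PHP 7.4+ is assumed for the arrow function.

```php
<?php
// Added example (not the plugin's code). Key records are assumed to be stored in
// the option 'vs_example_keys' as: hash, salt, revoked, expires, scopes, limit, window.
add_filter('rest_pre_dispatch', 'vs_example_validate_request', 10, 3);

function vs_example_validate_request($result, $server, $request) {
    // Stage 1: authentication. Header takes precedence over the query parameter.
    $raw = $request->get_header('X-VS-API-Key') ?: $request->get_param('vs_api_key');
    if (empty($raw)) {
        return new WP_Error('vs_no_key', 'API key required.', ['status' => 401]);
    }
    // Only salted SHA-256 hashes are persisted; compare in constant time per record.
    $record = null;
    foreach ((array) get_option('vs_example_keys', []) as $candidate) {
        if (hash_equals($candidate['hash'], hash('sha256', $candidate['salt'] . $raw))) {
            $record = $candidate;
            break;
        }
    }
    if ($record === null || !empty($record['revoked'])
        || (!empty($record['expires']) && time() > $record['expires'])) {
        return new WP_Error('vs_bad_key', 'Invalid, expired or revoked key.', ['status' => 401]);
    }
    // Stage 2: authorization. A scope is a route prefix plus the HTTP methods it allows.
    $route   = $request->get_route();
    $method  = $request->get_method();
    $allowed = false;
    foreach ($record['scopes'] as $scope) {
        if (strpos($route, $scope['route']) === 0 && in_array($method, $scope['methods'], true)) {
            $allowed = true;
            break;
        }
    }
    if (!$allowed) {
        return new WP_Error('vs_forbidden', 'Key not permitted for this endpoint.', ['status' => 403]);
    }
    // Stage 3: sliding-window rate limit. Request timestamps for this key live in a
    // transient; only those inside the window count towards the limit.
    $bucket = 'vs_example_rl_' . substr($record['hash'], 0, 16);
    $now    = time();
    $hits   = array_filter((array) get_transient($bucket), fn($t) => $t > $now - $record['window']);
    if (count($hits) >= $record['limit']) {
        return new WP_Error('vs_rate_limited', 'Rate limit exceeded.', ['status' => 429]);
    }
    $hits[] = $now;
    set_transient($bucket, array_values($hits), $record['window']);
    return $result; // null lets WordPress dispatch the request to the endpoint handler
}
```

Returning a WP_Error from rest_pre_dispatch makes WP_REST_Server send the error with the status given in its data, which is how the 401/403/429 rejections reach the client before the endpoint handler runs.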

XML-RPC Protection

XML-RPC (xmlrpc.php) is a legacy WordPress API that supports the system.multicall method, allowing attackers to test hundreds of username/password combinations in a single HTTP request. API Security can disable XML-RPC entirely, or restrict access to specific IP addresses for legitimate use cases like the WordPress mobile app or Jetpack.

When XML-RPC is disabled, the plugin returns a proper 403 Forbidden response and removes the X-Pingback header and RSD link from the HTML source to prevent discovery of the endpoint.

Free vs Pro

Get more with VistoShield Pro Bundle

Feature               Free          Pro Bundle
API Keys              5 keys        Unlimited
Rate Limiting         Global only   Per-key + global
Request Log History   7 days        Up to 10 years
Support               Community     Priority 24h
Updates               Standard      Priority + Early Access

Ready to Lock Down Your API?

Install API Security from the WordPress plugin directory and take control of your REST API in minutes.