# WP REST Cop

Manage access to the WP REST API with rate limits and IP-based rules.

- Contributors: Brady Vercher
- Requires: WP 4.0+, PHP 5.4+
- Tested up to: 4.4
- License: GPL-2.0+
## Rate Limits

Rate limits allow for configuring the number of requests a client can make within a certain interval. The default in WP REST Cop is 500 requests per hour.

The rate limit functionality requires a persistent object cache.

A few headers are sent with every request so clients can keep track of their current limit:

| Header | Description |
| --- | --- |
| `X-RateLimit-Limit` | Requests allowed per interval. |
| `X-RateLimit-Remaining` | Remaining requests allowed in the current interval. |
| `X-RateLimit-Reset` | Seconds until the limit is reset. |
If a client has reached its limit, an additional header is sent:

| Header | Description |
| --- | --- |
| `Retry-After` | Seconds until the limit is reset. |

Clients may send a `HEAD` request to view their current limit without ticking the meter.
## Configuring Settings

Configure the default `limit` and `interval` settings using the simple API from the main plugin instance:

```php
<?php
/**
 * Set the rate limit to 10 requests every 5 minutes.
 */
add_action( 'rest_api_init', function( $wprestcop ) {
	$wprestcop
		->set_limit( 10 )
		->set_interval( 5 * MINUTE_IN_SECONDS );
} );
```

Settings can also be configured with the built-in WP CLI commands.
### Disable Rate Limiting

If you just want the IP rules functionality and want to disable the rate limits, set the interval to `-1`.
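The following is an added example, not the plugin's own code: a minimal fixed-window limiter that models the behaviour described in this section (counter per client IP, the `X-RateLimit-*` and `Retry-After` headers, `HEAD` not ticking the meter, and `-1` disabling limiting). The in-memory store, the class and method names and the 429 status are assumptions made for illustration.

```php
<?php
/**
 * Fixed-window rate limiter modelling the header behaviour described above.
 * Added example, not the plugin's own code; the store and method names are assumptions.
 */
class RateLimitWindow {
	private $limit;
	private $interval;
	private $store = array(); // stands in for the persistent object cache

	public function __construct( $limit = 500, $interval = 3600 ) {
		$this->limit    = (int) $limit;
		$this->interval = (int) $interval; // -1 disables rate limiting
	}

	// Evaluate one request: returns the HTTP status plus the headers to send.
	public function check( $ip, $method, $now ) {
		if ( $this->interval < 0 ) {
			return array( 'status' => 200, 'headers' => array() );
		}
		$key   = 'wprestcop_ratelimit_' . $ip;
		$entry = isset( $this->store[ $key ] ) ? $this->store[ $key ] : null;
		if ( null === $entry || $entry['expires'] <= $now ) {
			$entry = array( 'count' => 0, 'expires' => $now + $this->interval ); // start a new window
		}
		// HEAD reports the meter without ticking it; other methods consume a slot.
		$allowed = ( 'HEAD' === $method ) || $entry['count'] < $this->limit;
		if ( $allowed && 'HEAD' !== $method ) {
			$entry['count']++;
		}
		$this->store[ $key ] = $entry; // the plugin would write this to the object cache with an expiry
		$reset   = $entry['expires'] - $now;
		$headers = array(
			'X-RateLimit-Limit'     => $this->limit,
			'X-RateLimit-Remaining' => max( 0, $this->limit - $entry['count'] ),
			'X-RateLimit-Reset'     => $reset,
		);
		if ( ! $allowed ) {
			$headers['Retry-After'] = $reset; // only sent once the client is over its limit
		}
		return array( 'status' => $allowed ? 200 : 429, 'headers' => $headers );
	}
}

// Usage: 10 requests every 5 minutes, as in the configuration example above.
$limiter = new RateLimitWindow( 10, 5 * 60 );
for ( $i = 1; $i <= 11; $i++ ) {
	$r = $limiter->check( '192.168.50.4', 'GET', 1000 );
	printf( "request %2d: status %d, remaining %d\n", $i, $r['status'], $r['headers']['X-RateLimit-Remaining'] );
}
```

The eleventh `GET` in the loop is the first to be refused; a `HEAD` sent at that point still returns the headers without changing the count.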
## IP Rules

IP rules can be configured globally, or at the route level as a simple whitelist or blacklist.

### Global Configuration

```php
<?php
/**
 * Global IP rules configuration.
 */
add_action( 'rest_api_init', function( $wprestcop ) {
	$wprestcop->get_ip_rules()
		->allow( '192.168.50.4' ); // Also accepts an array of IP addresses.

	// Or...
	$wprestcop->get_ip_rules()
		->deny( '66.249.66.1' ); // Also accepts an array of IP addresses.
} );
```

When allowing an IP address, the policy is to deny any requests from IPs not in the whitelist.

The opposite is true when denying IP addresses: all IPs not in the blacklist will have access.

Global IP rules can also be configured with the built-in WP CLI commands.
### Route Configuration

Routes may also be configured with their own IP rules:

```php
<?php
/**
 * Register routes.
 */
add_action( 'rest_api_init', function () {
	register_rest_route( 'myplugin/v1', '/internal/(?P<id>\d+)', [
		'methods'  => 'GET',
		'callback' => 'my_awesome_expensive_func',
		'ips'      => [
			'allow' => [ '192.168.50.4' ],
			'deny'  => [ '66.249.66.1' ],
		],
	] );
} );
```
## WP CLI Commands

A few WP CLI commands are included to configure the plugin without requiring code.

| Command | Description |
| --- | --- |
| `wp restcop allow <ip>...` | Whitelist one or more IPs. |
| `wp restcop check <ip>` | Check whether an IP has access. |
| `wp restcop deny <ip>...` | Blacklist one or more IPs. |
| `wp restcop set <key> <value>` | Update a setting value. |
| `wp restcop status` | View global IP rules. |
## Potential Roadmap

- Support for logging various events.
- Additional rate limit strategies.
- More route-level capabilities.
- Advanced access rules.
- Administration UI.