Why FlexOrder needs the REST API
FlexOrder connects your Google Sheet to your WordPress site through the REST API. Without it, the stock won’t sync.
Endpoints FlexOrder needs:
/wp-json/osgsw/v1/update (GET, POST)
/wp-json/osgsw/v1/action (GET, POST)
/wp-json/osgsw/v1/columns (POST)
/wp-json/osgsw/v1/search-products (GET, POST)
/wp-json/osgsw/v1/payment-methods (GET, POST)
/wp-json/osgsw/v1/create-order (POST)
/wp-json/osgsw/v1/plugin-status (GET, POST)
You can also use a wildcard like /wp-json/osgsw/* (GET, POST).
Goal: Keep the REST API closed for everyone except the exact FlexOrder endpoints (and keep it open for logged‑in admins to avoid breaking the editor or other plugins).
Sounds too technical? Contact your hosting provider.
Your hosting provider will handle everything on their end. You won’t need to do anything else. Paste the message below.
Template message to host/CDN support:
The “FlexOrder” plugin installed on my WordPress site [put your site name and address here] relies on specific REST API endpoints to sync data. Please whitelist requests to /wp-json/osgsw/* for both GET and POST methods. All other REST API endpoints can remain blocked.
If you’re technically inclined and enjoy troubleshooting, follow the instructions below. You can handle these steps yourself without contacting your hosting provider.
Option A (recommended): Allowlist only FlexOrder for visitors, allow full REST for logged‑in admins
1) Install a tiny “must‑use” plugin (can’t be deactivated by mistake)
- On your server, create the folder if it doesn’t exist:
  - /wp-content/mu-plugins/
- Create a file:
  - /wp-content/mu-plugins/flexorder-rest-allowlist.php
- Paste this code and save:
<?php
/**
 * Plugin Name: FlexOrder REST Allowlist
 * Description: Blocks REST API for visitors except FlexOrder endpoints. Logged-in users keep full access.
 */

// 1) Hard-hide all non-allowed endpoints from visitors (defense-in-depth)
add_filter('rest_endpoints', function ($endpoints) {
    if ( is_user_logged_in() ) {
        return $endpoints; // full REST for admins/editors
    }
    // Keep only the FlexOrder namespace for visitors. Matching on the prefix
    // covers every osgsw route (update, action, columns, search-products,
    // payment-methods, create-order, plugin-status), including any route WP
    // registers with a regex suffix, which an exact-key list would miss.
    foreach (array_keys($endpoints) as $route) {
        if ( strpos($route, '/osgsw/v1') !== 0 ) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 2) Runtime guard: block any non-allowed route that slips through.
// 'rest_pre_dispatch' receives the request object; 'rest_authentication_errors'
// does not (WP passes it a single argument), so it cannot check the route.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    if ( is_wp_error($result) ) return $result; // honor existing failures
    if ( is_user_logged_in() ) return $result; // allow admins/editors
    $route = $request->get_route(); // e.g. "/osgsw/v1/update"
    $allow_prefixes = [
        '/osgsw/v1', // covers every FlexOrder route
    ];
    foreach ($allow_prefixes as $prefix) {
        if ( strpos($route, $prefix) === 0 ) {
            return $result; // allowed
        }
    }
    return new WP_Error(
        'rest_forbidden',
        __('REST API is restricted on this site.', 'flexorder'),
        ['status' => 403]
    );
}, 10, 3);
What this does
- Visitors (not logged in) can call only osgsw endpoints. Everything else returns 403 and is hidden from /wp-json/.
- Logged‑in users: keep full REST (so Gutenberg, WooCommerce dashboards, etc. continue working).
If your site uses a full static cache/CDN, purge cache after adding the file.
Option B (strict): Allow only FlexOrder for everyone (even admins)
Use only if you’re sure your site/editor/plugins don’t need REST.
Replace the second filter above with this stricter version:
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    if ( is_wp_error($result) ) return $result;
    $route = $request->get_route();
    if ( strpos($route, '/osgsw/v1') === 0 ) {
        return $result; // only FlexOrder routes allowed
    }
    return new WP_Error('rest_forbidden', __('REST API is restricted on this site.', 'flexorder'), ['status' => 403]);
}, 10, 3);
Firewall / Security Plugin Settings
Even with the allowlist code, your host/CDN/WAF may still block requests to /wp-json/. Whitelist only the FlexOrder paths:
Cloudflare (WAF)
- Security → WAF → Custom Rules
- Allow path that starts with /wp-json/osgsw/
- If requests still fail, temporarily disable Bot Fight Mode and test.
Wordfence
- Firewall → Manage WAF → Whitelist URLs
- Add /wp-json/osgsw/* for both GET and POST
iThemes Security
- Security Tweaks → REST API Access
- If REST is restricted, add the namespace osgsw to the allowlist.
All In One WP Security
- WP REST API
- Do not disable globally. If restricted, add /wp-json/osgsw/* to the allowlist.
Sucuri / Host Firewalls
- Ask support to whitelist:
  - /wp-json/osgsw/v1/update (GET, POST)
  - /wp-json/osgsw/v1/action (GET, POST)
  - /wp-json/osgsw/v1/columns (POST)
  - /wp-json/osgsw/v1/search-products (GET, POST)
  - /wp-json/osgsw/v1/payment-methods (GET, POST)
  - /wp-json/osgsw/v1/create-order (POST)
  - /wp-json/osgsw/v1/plugin-status (GET, POST)
  - Namespace base /wp-json/osgsw/* (GET, POST)
Test
- Visit your site’s REST root: https://example.com/wp-json/
  - As a logged‑out user, you should not see general endpoints listed (403 or minimal output).
- Visit the FlexOrder namespace: https://example.com/wp-json/osgsw/v1
  - It should load (may show a routes list or minimal JSON).
- Run a FlexOrder sync from Google Sheets.
  - If it fails, check WAF/CDN logs for blocked requests to /wp-json/osgsw/*.
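The steps above can be scripted. The check below is an added example, not part of FlexOrder or this guide: it assumes curl is installed and that FLEXORDER_SITE holds your site URL, sends no cookies (so WordPress sees a logged-out visitor), requests each listed endpoint with a method it accepts plus an OPTIONS preflight and two general REST paths, and flags any FlexOrder path that comes back blocked or any general path that is still open.

```shell
#!/bin/sh
# Added check script, not part of FlexOrder. Assumptions: curl is installed and
# FLEXORDER_SITE is set to the site URL (e.g. https://example.com). No cookies are
# sent, so every request is seen by WordPress as a logged-out visitor.
# judge PATH STATUS: print a verdict and return 0 (ok) or 1 (problem).
# A FlexOrder path must reach the plugin: 403/404 (or 000 = no connection) means the
# guard, a WAF or a CDN blocked it; a plugin-side 400/401 still counts as reachable.
# Any other REST path should be restricted for visitors (401, 403 or 404).
judge() {
  case "$1" in
    /wp-json/osgsw/*)
      case "$2" in
        403|404|000) echo "FAIL $2 $1 (blocked: check mu-plugin, WAF and CDN)"; return 1 ;;
        *)           echo "ok   $2 $1 (FlexOrder endpoint reachable)"; return 0 ;;
      esac ;;
    *)
      case "$2" in
        401|403|404) echo "ok   $2 $1 (restricted for visitors)"; return 0 ;;
        *)           echo "FAIL $2 $1 (still open to visitors)"; return 1 ;;
      esac ;;
  esac
}
# http_status METHOD PATH: HTTP status code only, no redirects followed.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' -X "$1" "${FLEXORDER_SITE%/}$2"
}
# One line per check. The method is one the endpoint accepts (see the list above),
# so a POST-only route is not mistaken for a blocked one (a GET there would be 404).
run_checks() {
  rc=0
  while read -r method path; do
    judge "$path" "$(http_status "$method" "$path")" || rc=1
  done <<EOF
GET /wp-json/osgsw/v1/update
GET /wp-json/osgsw/v1/action
POST /wp-json/osgsw/v1/columns
GET /wp-json/osgsw/v1/search-products
GET /wp-json/osgsw/v1/payment-methods
POST /wp-json/osgsw/v1/create-order
GET /wp-json/osgsw/v1/plugin-status
OPTIONS /wp-json/osgsw/v1/update
GET /wp-json/
GET /wp-json/wp/v2/posts
EOF
  return $rc
}
if [ -n "${FLEXORDER_SITE:-}" ]; then run_checks; fi
```

Run it as `FLEXORDER_SITE=https://example.com sh flexorder-check.sh`; a non-zero exit means at least one line printed FAIL.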
Troubleshooting
- Gutenberg or other plugins broke?
  - Use Option A (recommended). It keeps full REST for logged‑in users only.
- Still getting 403/401?
  - Purge all caches (server + CDN).
  - Confirm your security plugin and host WAF rules allow /wp-json/osgsw/*.
  - Check if your site blocks OPTIONS preflight. Most hosts don’t, but if they do, ask them to allow OPTIONS for /wp-json/osgsw/*.
Tip: By only whitelisting the FlexOrder API endpoints, you keep your site secure while ensuring FlexOrder’s sync functions flawlessly.