Why FlexStock needs the REST API
FlexStock connects your Google Sheet to your WordPress site through the REST API. Without it, the stock won’t sync.
Endpoints FlexStock needs:
- POST /wp-json/ssgsw/v1/update
- POST /wp-json/ssgsw/v1/action
- POST /wp-json/ssgsw/v1/sale_update
Goal: Keep the REST API closed for everyone except the exact FlexStock endpoints (and keep it open for logged‑in admins to avoid breaking the editor or other plugins).
Sounds too technical? Contact your hosting provider.
Your hosting provider will handle everything on their end. You won’t need to do anything else. Paste the message below.
Template message to host/CDN support:
The “FlexStock” plugin installed on my WordPress site [put your site name and address here] relies on specific REST API endpoints to sync data. Please whitelist requests to /wp-json/ssgsw/* for both GET and POST methods. All other REST API endpoints can remain blocked.
If you’re technically inclined and enjoy troubleshooting, follow the instructions below. You can handle these steps yourself without contacting your hosting provider.
Option A (recommended): Allowlist only FlexStock for visitors, allow full REST for logged‑in admins
1) Install a tiny “must‑use” plugin (can’t be deactivated by mistake)
- On your server, create the folder if it doesn’t exist:
- /wp-content/mu-plugins/
- Create a file:
- /wp-content/mu-plugins/flexstock-rest-allowlist.php
- Paste this code and save:
<?php
/**
 * Plugin Name: FlexStock REST Allowlist
 * Description: Blocks REST API for visitors except FlexStock endpoints. Logged-in users keep full access.
 */

// Route keys exactly as WordPress registers them (no /wp-json prefix).
// The namespace root stays so that /wp-json/ssgsw/v1 discovery keeps working.
function flexstock_rest_allowed_routes() {
    return [
        '/ssgsw/v1',             // namespace root
        '/ssgsw/v1/update',
        '/ssgsw/v1/action',
        '/ssgsw/v1/sale_update',
    ];
}

// True for the namespace root and anything beneath it. The trailing slash
// matters: a bare '/ssgsw/v1' prefix would also match a route such as '/ssgsw/v10'.
function flexstock_rest_route_allowed( $route ) {
    return '/ssgsw/v1' === $route || 0 === strpos( $route, '/ssgsw/v1/' );
}

// 1) Hide all non-allowed endpoints from visitors (defense-in-depth).
//    WordPress has already validated the login cookie and REST nonce by the
//    time the endpoint list is built, so is_user_logged_in() is reliable here.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints; // full REST for logged-in users
    }
    // Keep only allowed endpoints for visitors
    return array_intersect_key( $endpoints, array_flip( flexstock_rest_allowed_routes() ) );
} );

// 2) Runtime guard: reject any non-allowed route before it is dispatched.
//    'rest_authentication_errors' passes only one argument (the result), so a
//    callback declared with two parameters is a fatal error and it cannot see
//    the route anyway; 'rest_pre_dispatch' receives the WP_REST_Request.
//    Priority 9 runs it before core's OPTIONS handler (priority 10), so OPTIONS
//    on blocked routes is refused as well, while OPTIONS on FlexStock routes still works.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( ! empty( $result ) ) {
        return $result; // another filter already produced a response or error
    }
    if ( is_user_logged_in() ) {
        return $result; // allow logged-in users
    }
    if ( flexstock_rest_route_allowed( $request->get_route() ) ) {
        return $result; // FlexStock route: allowed
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'REST API is restricted on this site.', 'flexstock' ),
        [ 'status' => 403 ]
    );
}, 9, 3 );
What this does
- Visitors (not logged in) can call only ssgsw endpoints. Everything else returns 403 and is hidden from /wp-json/.
- Logged‑in users keep full REST (so Gutenberg, WooCommerce dashboards, etc. continue working). "Logged in" means the request carried a valid WordPress login cookie and REST nonce; WordPress checks both before the endpoint list is built, so a request from a logged‑in browser without the nonce is treated as a visitor.
- This only controls which routes are reachable. It does not change how the FlexStock endpoints themselves authenticate the Google Sheet’s requests; that is handled by the plugin.
If your site uses a full static cache/CDN, purge cache after adding the file.
Option B (strict): Allow only FlexStock for everyone (even admins)
Use only if you’re sure your site/editor/plugins don’t need REST. Gutenberg and many plugin dashboards do, so test as a logged‑in admin after enabling it.
Replace the second filter above with this stricter version (and, if you also want the non-FlexStock endpoints hidden from logged‑in users, delete the is_user_logged_in() early return in the first filter):
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( ! empty( $result ) ) {
        return $result; // another filter already produced a response or error
    }
    $route = $request->get_route();
    if ( '/ssgsw/v1' === $route || 0 === strpos( $route, '/ssgsw/v1/' ) ) {
        return $result; // only FlexStock routes allowed
    }
    return new WP_Error( 'rest_forbidden', __( 'REST API is restricted on this site.', 'flexstock' ), [ 'status' => 403 ] );
}, 9, 3 );
Firewall / Security Plugin Settings
Even with the allowlist code, your host/CDN/WAF may still block requests to /wp-json/. Whitelist only the FlexStock paths:
Cloudflare (WAF)
- Security → WAF → Custom Rules
- Create a rule whose expression matches URI paths starting with /wp-json/ssgsw/ and whose action is Skip (skip the managed rules and bot checks for that path only). Do not skip /wp-json/ as a whole.
- If requests still fail, temporarily disable Bot Fight Mode, test, and re‑enable it afterwards.
Wordfence
- Firewall → Manage WAF → Whitelist URLs
- Add /wp-json/ssgsw/* for both GET and POST
iThemes Security
- Security Tweaks → REST API Access
- If REST is restricted, add the namespace ssgsw to the allowlist.
All In One WP Security
- WP REST API
- Do not disable globally. If restricted, add /wp-json/ssgsw/* to the allowlist.
Sucuri / Host Firewalls
- Ask support to whitelist:
- /wp-json/ssgsw/v1/update (POST)
- /wp-json/ssgsw/v1/action (POST)
- /wp-json/ssgsw/v1/sale_update (POST)
- Namespace base /wp-json/ssgsw/* (GET for the namespace index, plus OPTIONS if their firewall filters preflight requests)
Test
- Visit your site’s REST root: https://example.com/wp-json/
- As a logged‑out user (use a private/incognito window so no login cookie is sent), you should get a 403 response, not the full list of endpoints.
- Also try https://example.com/wp-json/wp/v2/users, which on an unrestricted site lists user accounts to anyone; it should be blocked the same way.
- Visit FlexStock namespace: https://example.com/wp-json/ssgsw/v1
- Should load (may show a routes list or minimal JSON).
- Run FlexStock sync from Google Sheets.
- If it fails, check WAF/CDN logs for blocked requests to /wp-json/ssgsw/*.
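The checks above as a small probe script you can run from any machine with curl. This is an added example, not part of FlexStock or the mu-plugin. It sends no cookies, so it sees the site exactly as a visitor does; the FlexStock update route is probed only with OPTIONS (the preflight case from the troubleshooting list), never with POST, so no stock data is touched. The site URL, the hypothetical sibling namespace /wp-json/ssgsw/v10 (used to confirm the prefix check is exact), and the expectation that an allowed route answers OPTIONS with a 2xx status are assumptions.

```shell
#!/bin/sh
# Added example (not FlexStock code): probe a site and report whether the
# REST allowlist behaves as described. Usage:
#   sh flexstock-check.sh https://example.com        (site URL is an assumption)

# What an anonymous request should get, mirroring the mu-plugin rules: the
# namespace root and anything beneath /ssgsw/v1/ is allowed; the REST root,
# core routes and sibling namespaces (e.g. the hypothetical /ssgsw/v10) are denied.
flexstock_expected() {
  case "$1" in
    /wp-json/ssgsw/v1|/wp-json/ssgsw/v1/*) echo allow ;;
    *) echo deny ;;
  esac
}

# Compare an observed HTTP status with the expectation for that route.
# $1 = route path, $2 = status code as printed by curl (000 = no answer at all)
flexstock_check() {
  case "$(flexstock_expected "$1")/$2" in
    allow/2*)                   echo PASS ;;
    allow/000)                  echo "FAIL (no response; DNS/TLS/network)" ;;
    allow/*)                    echo "FAIL (FlexStock route blocked; check WAF/CDN/caches)" ;;
    deny/401|deny/403|deny/404) echo PASS ;;
    deny/2*)                    echo "FAIL (REST still open to visitors)" ;;
    *)                          echo UNKNOWN ;;
  esac
}

# Fetch only the status code. No cookie jar and no nonce, so this is the
# visitor's view even if you are logged in elsewhere.
flexstock_probe() {  # $1 = site base URL, $2 = HTTP method, $3 = route
  code=$(curl -s -o /dev/null -w '%{http_code}' -X "$2" "$1$3" 2>/dev/null) || code=000
  echo "${code:-000}"
}

flexstock_run() {  # $1 = site base URL without trailing slash
  for pair in \
    "GET /wp-json/" \
    "GET /wp-json/wp/v2/users" \
    "GET /wp-json/ssgsw/v10" \
    "GET /wp-json/ssgsw/v1" \
    "OPTIONS /wp-json/ssgsw/v1/update"
  do
    method=${pair%% *}
    route=${pair#* }
    code=$(flexstock_probe "$1" "$method" "$route")
    printf '%-8s %-34s %s  %s\n' "$method" "$route" "$code" "$(flexstock_check "$route" "$code")"
  done
}

# Only touch the network when a site URL is given on the command line.
if [ "$#" -gt 0 ]; then
  flexstock_run "${1%/}"
fi
```

A FAIL on an allowed route points at the WAF/CDN/cache layers listed above; a FAIL on a denied route means the mu-plugin is not active (check the file path under mu-plugins and purge caches). Note that a 404 on a denied route is also acceptable, since a firewall in front of WordPress may answer before the plugin does.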
Troubleshooting
- Gutenberg or other plugins broke?
- Use Option A (recommended). It keeps full REST for logged‑in users only.
- Still getting 403/401?
- Purge all caches (server + CDN).
- Confirm your security plugin and host WAF rules allow /wp-json/ssgsw/*.
- Check if your site blocks OPTIONS preflight. Most hosts don’t, but if they do, ask them to allow OPTIONS for /wp-json/ssgsw/*.
Tip: Allowlisting only the FlexStock endpoints keeps the rest of the REST API closed to visitors while FlexStock’s sync keeps working.