Using WordPress ‘is_protected_endpoint’ PHP filter

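The is_protected_endpoint WordPress PHP filter lets you mark additional custom endpoints as protected when they are not already protected by WordPress core. "Protected" here refers to WordPress's fatal error protection (recovery mode), which core already applies to the login page, the admin backend and certain Ajax actions. Returning true from this filter does not restrict who can access the endpoint.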

Usage

add_filter('is_protected_endpoint', 'my_custom_protected_endpoint', 10, 1);

function my_custom_protected_endpoint($is_protected_endpoint) {
    // your custom code here

    return $is_protected_endpoint;
}

Parameters

  • $is_protected_endpoint (bool): Determines if the current endpoint is protected. Default is false.

More information

See WordPress Developer Resources: is_protected_endpoint

Examples

Protect a custom endpoint

In this example, we protect a custom REST API endpoint named my-custom-endpoint.

add_filter('is_protected_endpoint', 'protect_my_custom_endpoint', 10, 1);

function protect_my_custom_endpoint($is_protected_endpoint) {
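    // REQUEST_URI can be unset outside a web request (e.g. CLI)
    $request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

    // Check if the requested URI contains 'my-custom-endpoint'
    if (strpos($request_uri, 'my-custom-endpoint') !== false) {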
        return true;
    }

    return $is_protected_endpoint;
}

Protect multiple custom endpoints

In this example, we protect multiple custom REST API endpoints using an array of endpoint names.

add_filter('is_protected_endpoint', 'protect_multiple_custom_endpoints', 10, 1);

function protect_multiple_custom_endpoints($is_protected_endpoint) {
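    $protected_endpoints = ['custom-endpoint-1', 'custom-endpoint-2'];

    // REQUEST_URI can be unset outside a web request (e.g. CLI)
    $request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

    // Return true as soon as any listed endpoint name appears in the URI
    foreach ($protected_endpoints as $endpoint) {
        if (strpos($request_uri, $endpoint) !== false) {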
            return true;
        }
    }

    return $is_protected_endpoint;
}

Protect endpoints based on user role

In this example, we protect a custom endpoint named restricted-endpoint for users who are not administrators.

add_filter('is_protected_endpoint', 'protect_endpoint_based_on_user_role', 10, 1);

function protect_endpoint_based_on_user_role($is_protected_endpoint) {
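    // REQUEST_URI can be unset outside a web request (e.g. CLI)
    $request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

    if (strpos($request_uri, 'restricted-endpoint') !== false) {
        // Mark the endpoint as protected only when the current user is not an administrator
        if (!current_user_can('administrator')) {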
            return true;
        }
    }

    return $is_protected_endpoint;
}

Protect endpoints using custom function

In this example, we protect a custom endpoint named sensitive-data using a custom function is_sensitive_data_protected().

add_filter('is_protected_endpoint', 'protect_sensitive_data_endpoint', 10, 1);

function protect_sensitive_data_endpoint($is_protected_endpoint) {
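    // REQUEST_URI can be unset outside a web request (e.g. CLI)
    $request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

    if (strpos($request_uri, 'sensitive-data') !== false) {
        // is_sensitive_data_protected() is your own function, defined elsewhere; it should return a bool
        return is_sensitive_data_protected();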
    }

    return $is_protected_endpoint;
}

Protect endpoints based on query parameter

In this example, we protect a custom endpoint named custom-query-endpoint depending on whether the query parameter secret_key has a specific value: the filter returns true when the value does not match.

add_filter('is_protected_endpoint', 'protect_endpoint_based_on_query_param', 10, 1);

function protect_endpoint_based_on_query_param($is_protected_endpoint) {
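    // REQUEST_URI can be unset outside a web request (e.g. CLI)
    $request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

    if (strpos($request_uri, 'custom-query-endpoint') !== false) {
        $secret_key = isset($_GET['secret_key']) ? $_GET['secret_key'] : '';

        // This only toggles whether the endpoint counts as protected;
        // it does not authenticate the request
        if ($secret_key !== 'my_secret_key') {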
            return true;
        }
    }

    return $is_protected_endpoint;
}
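
The examples above match the endpoint name anywhere in REQUEST_URI, including the query string, and the filter itself never blocks a request. As an added example (not from the original page or from WordPress itself), the code below matches the REST route exactly and puts the access check in the route's permission_callback. The myplugin/v1 namespace, the route names and the myplugin_* functions are hypothetical.

```php
<?php
// Added example: the namespace, route names and myplugin_* names are hypothetical.
const MYPLUGIN_NS     = 'myplugin/v1';
const MYPLUGIN_ROUTES = array( 'my-custom-endpoint', 'sensitive-data' );

// Return the requested REST route ("/myplugin/v1/..."), or '' if not a REST request.
// Only the URL path or the rest_route query variable is inspected.
function myplugin_current_rest_route() {
    if ( isset( $_GET['rest_route'] ) && is_string( $_GET['rest_route'] ) ) {
        return '/' . trim( wp_unslash( $_GET['rest_route'] ), '/' );
    }
    if ( empty( $_SERVER['REQUEST_URI'] ) ) {
        return ''; // no request URI, e.g. outside a web request
    }
    $path   = (string) wp_parse_url( wp_unslash( $_SERVER['REQUEST_URI'] ), PHP_URL_PATH );
    $prefix = '/' . trim( rest_get_url_prefix(), '/' ) . '/';
    $pos    = strpos( $path, $prefix );
    if ( false === $pos ) {
        return '';
    }
    return '/' . trim( substr( $path, $pos + strlen( $prefix ) ), '/' );
}

// Fatal error protection: exact route match instead of a substring search.
function myplugin_protect_rest_routes( $is_protected_endpoint ) {
    $route = myplugin_current_rest_route();
    foreach ( MYPLUGIN_ROUTES as $name ) {
        if ( '/' . MYPLUGIN_NS . '/' . $name === $route ) {
            return true;
        }
    }
    return $is_protected_endpoint;
}
add_filter( 'is_protected_endpoint', 'myplugin_protect_rest_routes' );

// Access control lives on the route itself, not in the filter above.
function myplugin_sensitive_data() {
    return rest_ensure_response( array( 'status' => 'ok' ) ); // constructed payload
}
add_action( 'rest_api_init', function () {
    register_rest_route( MYPLUGIN_NS, '/sensitive-data', array(
        'methods'             => 'GET',
        'callback'            => 'myplugin_sensitive_data',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```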