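The is_protected_endpoint WordPress PHP filter lets you mark additional custom endpoints as protected when they are not already protected by WordPress core. "Protected" here refers to WordPress's fatal-error (WSOD) protection, which core already applies to the admin backend, login pages and protected Ajax actions. Returning true from this filter does not authenticate or authorize the request.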
Usage
add_filter('is_protected_endpoint', 'my_custom_protected_endpoint', 10, 1);
function my_custom_protected_endpoint($is_protected_endpoint) {
    // your custom code here
    return $is_protected_endpoint;
}
Parameters
- $is_protected_endpoint (bool): Determines if the current endpoint is protected. Default is false.
More information
See WordPress Developer Resources: is_protected_endpoint
Examples
Protect a custom endpoint
In this example, we protect a custom REST API endpoint named my-custom-endpoint.
add_filter('is_protected_endpoint', 'protect_my_custom_endpoint', 10, 1);
function protect_my_custom_endpoint($is_protected_endpoint) {
    // Check if the requested endpoint is 'my-custom-endpoint'
    if (strpos($_SERVER['REQUEST_URI'], 'my-custom-endpoint') !== false) {
        return true;
    }
    return $is_protected_endpoint;
}
Protect multiple custom endpoints
In this example, we protect multiple custom REST API endpoints using an array of endpoint names.
add_filter('is_protected_endpoint', 'protect_multiple_custom_endpoints', 10, 1);
function protect_multiple_custom_endpoints($is_protected_endpoint) {
    $protected_endpoints = ['custom-endpoint-1', 'custom-endpoint-2'];
    foreach ($protected_endpoints as $endpoint) {
        if (strpos($_SERVER['REQUEST_URI'], $endpoint) !== false) {
            return true;
        }
    }
    return $is_protected_endpoint;
}
Protect endpoints based on user role
In this example, we protect a custom endpoint named restricted-endpoint for users who are not administrators.
add_filter('is_protected_endpoint', 'protect_endpoint_based_on_user_role', 10, 1);
function protect_endpoint_based_on_user_role($is_protected_endpoint) {
    if (strpos($_SERVER['REQUEST_URI'], 'restricted-endpoint') !== false) {
        if (!current_user_can('administrator')) {
            return true;
        }
    }
    return $is_protected_endpoint;
}
Protect endpoints using custom function
In this example, we protect a custom endpoint named sensitive-data using a custom function is_sensitive_data_protected().
add_filter('is_protected_endpoint', 'protect_sensitive_data_endpoint', 10, 1);
function protect_sensitive_data_endpoint($is_protected_endpoint) {
    if (strpos($_SERVER['REQUEST_URI'], 'sensitive-data') !== false) {
        return is_sensitive_data_protected();
    }
    return $is_protected_endpoint;
}
Protect endpoints based on query parameter
In this example, we mark a custom endpoint named custom-query-endpoint as protected whenever the query parameter secret_key does not match a specific value.
add_filter('is_protected_endpoint', 'protect_endpoint_based_on_query_param', 10, 1);
function protect_endpoint_based_on_query_param($is_protected_endpoint) {
    if (strpos($_SERVER['REQUEST_URI'], 'custom-query-endpoint') !== false) {
        $secret_key = isset($_GET['secret_key']) ? $_GET['secret_key'] : '';
        if ($secret_key !== 'my_secret_key') {
            return true;
        }
    }
    return $is_protected_endpoint;
}
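The user-role and query-parameter examples above only change whether the request is flagged as protected. The following added example (not from the original page or from WordPress core) shows access control enforced in the REST route's permission_callback, with the filter used only to flag the same route by exact path. The namespace myplugin/v1, the route and the function names are hypothetical, and pretty permalinks are assumed.

```php
<?php
// Added example: 'myplugin/v1', '/restricted-endpoint' and all myplugin_* names are hypothetical.

// 1. Access control: enforced by the REST route's permission_callback.
add_action('rest_api_init', function () {
    register_rest_route('myplugin/v1', '/restricted-endpoint', [
        'methods'             => 'GET',
        'callback'            => 'myplugin_restricted_endpoint',
        'permission_callback' => 'myplugin_restricted_endpoint_permission',
    ]);
});

function myplugin_restricted_endpoint_permission(WP_REST_Request $request) {
    // Check a capability rather than a role name.
    if (current_user_can('manage_options')) {
        return true;
    }
    // 401 for anonymous requests, 403 for logged-in users lacking the capability.
    return new WP_Error(
        'rest_forbidden',
        __('You are not allowed to access this endpoint.', 'myplugin'),
        ['status' => rest_authorization_required_code()]
    );
}

function myplugin_restricted_endpoint(WP_REST_Request $request) {
    return rest_ensure_response(['ok' => true]);
}

// 2. Fatal-error protection: flag the same route via is_protected_endpoint.
add_filter('is_protected_endpoint', 'myplugin_flag_restricted_endpoint');

function myplugin_flag_restricted_endpoint($is_protected_endpoint) {
    // Respect an earlier callback's decision; REQUEST_URI is absent under CLI.
    if ($is_protected_endpoint || empty($_SERVER['REQUEST_URI'])) {
        return $is_protected_endpoint;
    }
    // Match on the parsed path only, so a query string such as
    // ?x=restricted-endpoint cannot trigger the flag (unlike strpos on the raw URI).
    $path  = (string) wp_parse_url(wp_unslash($_SERVER['REQUEST_URI']), PHP_URL_PATH);
    $path  = untrailingslashit($path);
    $route = '/' . rest_get_url_prefix() . '/myplugin/v1/restricted-endpoint';

    // Suffix comparison so installs in a subdirectory (/blog/wp-json/...) also match.
    return substr($path, -strlen($route)) === $route;
}
```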