Features & Usage
Which endpoints are safe to disable?
Generally safe to disable:
- Endpoints from plugins you have deactivated or don’t use
- /wp/v2/users if you don’t have public user profiles
- /wp/v2/comments if comments are disabled on your site
- /wp/v2/media if you don’t allow public file uploads
Do not disable:
- Endpoints used by your theme or page builder (Elementor, Gutenberg)
- WooCommerce endpoints if you run an online store
- Any endpoint showing recent activity in your security logs
When in doubt, leave it enabled. Use the Preview feature to check what an endpoint returns before deciding.
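One way to take stock before changing anything is to sort the site's route index against the two lists on this page. The script below is an added example, not part of Endpoint Manager: it reads the "routes" object that WordPress serves at /wp-json/ and labels each route. The sample index is constructed, and the function names, the runs_store flag and the "wc/" prefix match are assumptions of this example. Because /wp/v2/media appears on both lists, the script resolves that in favour of keeping it, following the "when in doubt" rule above.

```python
import re

# Route lists taken from this page.
GUTENBERG_CORE = {"/wp/v2/posts", "/wp/v2/pages", "/wp/v2/blocks", "/wp/v2/media"}
CANDIDATES = {
    "/wp/v2/users": "no public user profiles?",
    "/wp/v2/comments": "comments disabled?",
    "/wp/v2/media": "no public file uploads?",
}
PARAM = re.compile(r"\(\?P<\w+>")  # a named capture group marks a dynamic route

# Constructed sample shaped like the "routes" object WordPress serves at /wp-json/.
SAMPLE_INDEX = {"routes": {
    "/wp/v2/posts": {"namespace": "wp/v2", "methods": ["GET", "POST"]},
    r"/wp/v2/posts/(?P<id>[\d]+)": {"namespace": "wp/v2",
                                    "methods": ["GET", "POST", "PUT", "PATCH", "DELETE"]},
    "/wp/v2/users": {"namespace": "wp/v2", "methods": ["GET", "POST"]},
    "/wp/v2/comments": {"namespace": "wp/v2", "methods": ["GET", "POST"]},
    "/wp/v2/media": {"namespace": "wp/v2", "methods": ["GET", "POST"]},
    "/wc/v3/products": {"namespace": "wc/v3", "methods": ["GET", "POST"]},
}}


def base_route(route):
    """Cut a dynamic route back to its collection: /wp/v2/posts/(?P<id>...) -> /wp/v2/posts."""
    match = PARAM.search(route)
    return route[:match.start()].rstrip("/") if match else route


def inventory(index, runs_store=False):
    """Return (route, namespace, type, methods, verdict) rows, sorted by route."""
    rows = []
    for route, info in sorted(index["routes"].items()):
        base = base_route(route)
        kind = "dynamic" if PARAM.search(route) else "static"
        # Assumption: any namespace starting with "wc/" belongs to WooCommerce.
        if base in GUTENBERG_CORE or (runs_store and info["namespace"].startswith("wc/")):
            verdict = "keep"  # "keep" wins when a route is on both lists
        elif base in CANDIDATES:
            verdict = "review: " + CANDIDATES[base]
        else:
            verdict = "undecided: leave enabled"
        rows.append((route, info["namespace"], kind, ",".join(info["methods"]), verdict))
    return rows


if __name__ == "__main__":
    for row in inventory(SAMPLE_INDEX, runs_store=True):
        print("{:<30} {:<6} {:<8} {:<28} {}".format(*row))
```

To run it against a real site, save the /wp-json/ response to a file and pass the result of json.load() to inventory() in place of SAMPLE_INDEX.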
Endpoint preview
Every plan includes an endpoint preview button on each route row. Clicking it opens an inline modal that fetches the live REST API response and displays the prettified JSON without leaving the admin. Use it to inspect what an endpoint returns before deciding whether to disable it.
The Pro version adds an interactive preview modal for dynamic endpoints. Instead of manually constructing parameterized URLs, the modal auto-fills parameter fields with smart defaults pulled from your actual content (for example, a real post ID). Adjust the values and preview the live response instantly.
Search and filters
All plans include multi-criteria filtering to help you find endpoints quickly:
- Search — Find endpoints by name with the keyboard shortcut (Ctrl/Cmd+F) and result highlighting
- Filter by status — Show only enabled or disabled endpoints
- Filter by type — Show only static or dynamic endpoints
- Filter by method — Show only endpoints that accept a specific HTTP method
- Filter by namespace — View only endpoints from a specific plugin (e.g. wc/v3 for WooCommerce)
Combine filters with search to quickly locate specific endpoints in large API implementations.
Security logging
Every blocked request is automatically logged with:
- IP address — Who made the request
- Endpoint — Which disabled endpoint was targeted
- User agent — What tool or browser was used
- Timestamp — When the attempt occurred
Logs are viewable in the WordPress admin and automatically cleaned up after 30 days via WP-Cron. You can also clear logs manually. Security logging is available on all plans.
Log filters
The security logs screen includes filter controls to narrow down log entries:
- Search — Free-text search across all log fields
- Filter by IP — Dropdown populated with all unique IPs from your logs
- Filter by endpoint — Dropdown populated with all unique endpoints from your logs
- Date range — From/to date pickers to scope logs to a specific time period
- Results count — Live count of matching entries as you filter
All filters are client-side for instant results. Combine multiple filters to isolate specific activity patterns.
Rate limiting (Pro)
Set request limits to prevent your REST API from being hammered by bots or abusive clients:
- Global rate limit — A single threshold applied to all endpoints
- Per-endpoint overrides — Set a tighter limit on sensitive routes (e.g. /wp/v2/users)
- Auto-block — Automatically add IPs that exceed thresholds to the Block List
Requests that exceed the limit receive a 429 Too Many Requests response with a configurable message.
IP Block List (Pro)
Manage which IP addresses can access your REST API:
- Manual blocking — Add any IP address with an optional note
- Auto-block — IPs that trigger rate limits are added automatically
- Allowlist — Trusted IPs that bypass all blocking rules
- Block from logs — One-click block directly from a Security Log entry
- Unblock anytime — Remove an IP from the Block List at any time
CSV export (Pro)
Export your security logs to CSV for audits, compliance reports, or client reporting:
- Go to Endpoint Manager → Logs
- Select a date range (optional)
- Click Export to CSV
Compatibility
Endpoint Manager works with all plugins that register REST API endpoints, including WooCommerce, Yoast SEO, Gravity Forms, WPForms, Jetpack, BuddyPress, LearnDash, MemberPress, and more.
It is also fully compatible with:
- Caching plugins (WP Rocket, W3 Total Cache, LiteSpeed Cache, Cloudflare) — clear your cache after enabling or disabling endpoints
- WordPress Block Editor (Gutenberg) — avoid disabling core endpoints Gutenberg relies on (/wp/v2/posts, /wp/v2/pages, /wp/v2/blocks, /wp/v2/media)
- Headless WordPress — expose only the endpoints your frontend needs
- REST API authentication — Endpoint Manager controls which endpoints are accessible, not who can access them. It works alongside Application Passwords, OAuth, or any authentication method.