Features & Usage

Last updated: May 25, 2026

Which endpoints are safe to disable?

Generally safe to disable:

  • Endpoints from plugins you have deactivated or don’t use
  • /wp/v2/users if you don’t have public user profiles
  • /wp/v2/comments if comments are disabled on your site
  • /wp/v2/media if you don’t allow public file uploads (the Block Editor relies on this endpoint; see Compatibility)

Do not disable:

  • Endpoints used by your theme or page builder (Elementor, Gutenberg)
  • WooCommerce endpoints if you run an online store
  • Any endpoint showing recent activity in your security logs

When in doubt, leave it enabled. Use the Preview feature to check what an endpoint returns before deciding.

Endpoint preview

Every plan includes an endpoint preview button on each route row. Clicking it opens an inline modal that fetches the live REST API response and displays the prettified JSON without leaving the admin. Use it to inspect what an endpoint returns before deciding whether to disable it.

The Pro version adds an interactive preview modal for dynamic endpoints. Instead of manually constructing parameterized URLs, the modal auto-fills parameter fields with smart defaults pulled from your actual content (for example, a real post ID). Adjust the values and preview the live response instantly.

Search and filters

All plans include multi-criteria filtering to help you find endpoints quickly:

  • Search — Find endpoints by name with the keyboard shortcut (Ctrl/Cmd+F) and result highlighting
  • Filter by status — Show only enabled or disabled endpoints
  • Filter by type — Show only static or dynamic endpoints
  • Filter by method — Show only endpoints that accept a specific HTTP method
  • Filter by namespace — View only endpoints from a specific plugin (e.g. wc/v3 for WooCommerce)

Combine filters with search to quickly locate specific endpoints in large API implementations.

Security logging

Every blocked request is automatically logged with:

  • IP address — Who made the request
  • Endpoint — Which disabled endpoint was targeted
  • User agent — What tool or browser was used
  • Timestamp — When the attempt occurred

Logs are viewable in the WordPress admin and automatically cleaned up after 30 days via WP-Cron. You can also clear logs manually. Security logging is available on all plans.

Log filters

The security logs screen includes filter controls to narrow down log entries:

  • Search — Free-text search across all log fields
  • Filter by IP — Dropdown populated with all unique IPs from your logs
  • Filter by endpoint — Dropdown populated with all unique endpoints from your logs
  • Date range — From/to date pickers to scope logs to a specific time period
  • Results count — Live count of matching entries as you filter

All filters are client-side for instant results. Combine multiple filters to isolate specific activity patterns.

Rate limiting (Pro)

Set request limits to prevent your REST API from being hammered by bots or abusive clients:

  • Global rate limit — A single threshold applied to all endpoints
  • Per-endpoint overrides — Set a tighter limit on sensitive routes (e.g. /wp/v2/users)
  • Auto-block — Automatically add IPs that exceed thresholds to the Block List

Requests that exceed the limit receive a 429 Too Many Requests response with a configurable message.

IP Block List (Pro)

Manage which IP addresses can access your REST API:

  • Manual blocking — Add any IP address with an optional note
  • Auto-block — IPs that trigger rate limits are added automatically
  • Allowlist — Trusted IPs that bypass all blocking rules
  • Block from logs — One-click block directly from a Security Log entry
  • Unblock anytime — Remove an IP from the Block List at any time

Shared IPs and auto-block (Pro)

Auto-block works at the IP level. If multiple users share the same public IP address (common in corporate offices, universities, or shared hosting environments), triggering a rate limit will block all of them, not just the abusive client.

To avoid this:

  • Add trusted networks to the Allowlist before enabling auto-block. Allowlisted IPs bypass all blocking rules regardless of request volume.
  • Set thresholds conservatively. Normal browsing or endpoint testing from a shared office network should not approach your rate limit. If it does, raise the threshold or switch to per-endpoint limits for sensitive routes only.
  • Review auto-blocks promptly. The Block List screen shows every blocked IP with the timestamp it was added. If a legitimate IP was caught, remove it immediately. Unblocking is instant.
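
How a per-endpoint override, auto-block and the Allowlist interact on a shared address, as an added example: a simplified model written for this page, not Endpoint Manager's code. It assumes a fixed 60-second counting window kept per IP and route, and that the Allowlist is checked first; the class name, limits and addresses are constructed.

```python
from collections import defaultdict

class RestGate:
    """Simplified model: Allowlist, then Block List, then a fixed-window limit."""

    def __init__(self, global_limit, overrides=None, allowlist=(), window=60):
        self.global_limit = global_limit
        self.overrides = overrides or {}      # route -> tighter per-endpoint limit
        self.allowlist = set(allowlist)       # trusted IPs, never limited or blocked
        self.window = window                  # seconds per counting window (assumed)
        self.block_list = {}                  # ip -> time the auto-block was added
        self.hits = defaultdict(int)          # (ip, route, window index) -> requests

    def check(self, ip, route, now):
        """Return "ok", "429" or "blocked" for one request at time `now` (seconds)."""
        if ip in self.allowlist:
            return "ok"                       # bypasses every rule below
        if ip in self.block_list:
            return "blocked"
        limit = self.overrides.get(route, self.global_limit)
        key = (ip, route, int(now // self.window))
        self.hits[key] += 1
        if self.hits[key] > limit:
            self.block_list[ip] = now         # auto-block covers the whole IP
            return "429"
        return "ok"


def shared_office_demo(allowlist=()):
    """One script and one colleague behind the same NAT address (constructed)."""
    office_ip = "203.0.113.10"
    gate = RestGate(global_limit=100, overrides={"/wp/v2/users": 3},
                    allowlist=allowlist)
    script = [gate.check(office_ip, "/wp/v2/users", now=t) for t in range(4)]
    colleague = gate.check(office_ip, "/wp/v2/posts", now=10)
    return script, colleague, sorted(gate.block_list)


if __name__ == "__main__":
    print(shared_office_demo())                            # colleague is blocked too
    print(shared_office_demo(allowlist={"203.0.113.10"}))  # nothing is blocked
```

Without the Allowlist entry, the fourth request to /wp/v2/users trips the override and the colleague's unrelated request to /wp/v2/posts is refused as well.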

CSV export (Pro)

Export your security logs to CSV for audits, compliance reports, or client reporting:

  1. Go to Endpoint Manager → Logs
  2. Select a date range (optional)
  3. Click Export to CSV
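
One way to triage an exported log offline, as an added example that is not part of Endpoint Manager. The column names (`ip`, `endpoint`, `user_agent`, `timestamp`), the timestamp format and the sample rows are constructed; adjust them to match the header row of your export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows using documentation-range IP addresses.
SAMPLE_CSV = """\
ip,endpoint,user_agent,timestamp
198.51.100.7,/wp/v2/users,python-requests/2.31.0,2026-05-20 10:00:01
198.51.100.7,/wp/v2/comments,python-requests/2.31.0,2026-05-20 10:00:02
198.51.100.7,/wp/v2/media,python-requests/2.31.0,2026-05-20 10:00:03
192.0.2.44,/wp/v2/users,Mozilla/5.0 (X11; Linux x86_64),2026-05-20 09:15:00
192.0.2.44,/wp/v2/users,Mozilla/5.0 (X11; Linux x86_64),2026-05-21 14:30:00
"""

def triage(csv_text, min_endpoints=3, window=timedelta(minutes=5)):
    """Summarise blocked requests per IP. "sweep" is True when one IP hit at
    least `min_endpoints` distinct disabled endpoints inside one time window."""
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        by_ip[row["ip"]].append((ts, row["endpoint"], row["user_agent"]))

    report = {}
    for ip, events in by_ip.items():
        events.sort()
        sweep, start = False, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({e[1] for e in events[start:end + 1]}) >= min_endpoints:
                sweep = True
                break
        report[ip] = {
            "hits": len(events),
            "endpoints": sorted({e[1] for e in events}),
            "agents": sorted({e[2] for e in events}),
            "first": events[0][0],
            "last": events[-1][0],
            "sweep": sweep,
        }
    return report

if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_CSV).items():
        print(ip, summary["hits"], summary["endpoints"], summary["sweep"])
```

An address flagged as a sweep is a candidate for the Block List; an address that keeps returning to a single endpoint with a browser user agent is worth checking against your own users first.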

Compatibility

Endpoint Manager works with all plugins that register REST API endpoints, including WooCommerce, Yoast SEO, Gravity Forms, WPForms, Jetpack, BuddyPress, LearnDash, MemberPress, and more.

It is also fully compatible with:

  • Caching plugins (WP Rocket, W3 Total Cache, LiteSpeed Cache, Cloudflare) — clear your cache after enabling or disabling endpoints
  • WordPress Block Editor (Gutenberg) — avoid disabling core endpoints Gutenberg relies on (/wp/v2/posts, /wp/v2/pages, /wp/v2/blocks, /wp/v2/media)
  • Headless WordPress — expose only the endpoints your frontend needs
  • REST API authentication — Endpoint Manager controls which endpoints are accessible, not who can access them. It works alongside Application Passwords, OAuth, or any authentication method.
