REST API Module — User Guide

The REST API Module is a security and management tool built into Advanced Analytics. It gives WordPress administrators full visibility and control over every registered REST API endpoint (/wp-json/) — including the ability to disable endpoints, restrict HTTP methods, and hide routes from discovery responses.

Who is this for?
You need the Administrator role (the manage_options capability) to access the REST API module. Other user roles will not see the menu item.

Enable / Disable the Module

The REST API module is a standalone module inside Advanced Analytics. You can enable or disable it without affecting any other part of the plugin or WordPress itself.

  1. Navigate to Error Logs → Settings in the WordPress admin sidebar.
  2. Click the “REST API Options” tab (or scroll to the section headed REST API Security Module).
  3. Toggle the “Enable REST API module” checkbox.
  4. Click Save Changes.

wp-admin/admin.php?page=advan_logs_settings#aadvana-options-tab-rest-api

Important: Disabling the module hides the REST API sub-menu from the admin and stops all endpoint enforcement. Any disabled endpoints will become accessible again while the module is turned off. Re-enabling the module restores all previously configured rules.

Endpoint List

wp-admin/admin.php?page=advan_rest_api

This is the main screen. It shows every registered REST API endpoint on your site in a sortable, filterable table. At the top, a summary bar displays:

  • Total endpoints — The number of REST API endpoints registered on the site.
  • Disabled — How many endpoints are fully disabled.
  • Obfuscated — How many endpoints are hidden from the REST API discovery index.

Columns

| Column | Sortable | Description |
| --- | --- | --- |
| Endpoint Route | Yes | The full REST API route path (e.g. /wp/v2/posts). If the endpoint is obfuscated, a “hidden” icon appears next to it. Row actions appear on hover beneath the route. |
| Methods | No | The HTTP methods supported by the endpoint, shown as colour-coded badges: GET, POST, PUT / PATCH, DELETE, OPTIONS / HEAD. Disabled methods are shown with a strikethrough. |
| Namespace | Yes | The namespace of the endpoint (e.g. wp/v2, wc/v3). |
| In Index | No | Whether the endpoint appears in the REST API discovery response (/wp-json/). Shows a green checkmark or red X. |
| Public | No | Access level: Public (no authentication required — shown in orange with a warning icon) or Protected (authentication required — shown in green with a lock icon). |
| Status | Yes | The current enforcement state: Active (green) — Endpoint is fully accessible; Disabled (red) — All requests return 403 Forbidden; Partial (orange) — Some HTTP methods are disabled. |

Filtering & Searching

Use the search box in the top-right corner of the list page. It searches by endpoint route and namespace.

  • Type part of a route or namespace and press Enter or click Search Endpoints.
  • The search is case-insensitive and matches partial text.
  • To clear the search, empty the box and press Enter.

Use the dropdown menus above the table then click Filter:

Namespace Filter

  • Default: “All Namespaces”
  • Lists every unique namespace registered on the site (e.g. wp/v2, wc/v3, jetpack/v4).
  • Narrows the table to only endpoints in the selected namespace.

Method Filter

  • Default: “All Methods”
  • Options: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD.
  • Shows only endpoints that support the selected HTTP method.

Status Filter

  • Default: “All Statuses”
  • Options: Active, Disabled.
  • Narrows the table to endpoints matching the selected status.

Access Filter

  • Default: “All Access”
  • Options: Public, Protected.
  • Public endpoints have no authentication requirement. Protected endpoints require authentication.

Tip: You can combine multiple filters. For example, filter by namespace wp/v2 and status Active to see only active WordPress core endpoints.

Single Endpoint Actions

Hover over any endpoint row to reveal these actions below the route:

| Action | Description |
| --- | --- |
| Edit | Opens the endpoint configuration page where you can disable the endpoint, restrict methods, or enable obfuscation. |
| Enable / Disable | Quick toggle — instantly enables or disables the entire endpoint without opening the edit page. |

Editing an Endpoint

Click Edit on any row to open the endpoint configuration page.

wp-admin/admin.php?page=advan_rest_api&action=edit_route&route_hash={hash}

The edit page displays the endpoint’s route and namespace at the top, followed by three configuration options:

| Field | Type | Description |
| --- | --- | --- |
| Disable Endpoint Entirely | Checkbox | When checked, all requests to this endpoint will receive a 403 Forbidden response regardless of the HTTP method used. |
| Disable Specific Methods | Checkboxes (per method) | Check individual HTTP methods to disable. Only the checked methods will return 403 Forbidden; unchecked methods remain accessible. The available methods depend on what the endpoint supports. |
| Obfuscate Endpoint | Checkbox | When checked, the endpoint is hidden from the REST API index response (/wp-json/) and namespace index responses. The endpoint still works — it is just not discoverable. |

Click Save Changes to apply the rules, or use the “← Back to REST API Endpoints” link to return to the list without saving.

Filter context preserved: When you navigate from the list to the edit page and back, your active filters (search, namespace, status, etc.) are preserved.

Disabling Endpoints

Disabling an endpoint completely blocks all HTTP requests to that route. Any request will receive:

JSON
{
    "code": "rest_endpoint_disabled",
    "message": "This REST API endpoint has been disabled.",
    "data": {
        "status": 403
    }
}

How to Disable an Endpoint

Option A — Quick toggle from the list:

  1. Go to Error Logs → REST API.
  2. Hover over the endpoint row and click Disable.
  3. The endpoint status changes to Disabled immediately.

Option B — From the edit page:

  1. Go to Error Logs → REST API.
  2. Click Edit on the endpoint row.
  3. Check “Disable Endpoint Entirely”.
  4. Click Save Changes.

Caution: Disabling core WordPress endpoints (e.g. /wp/v2/posts) may break functionality in the block editor, certain plugins, or external integrations that rely on the REST API. Test carefully after disabling any endpoint.

Disabling Specific Methods

Instead of disabling an entire endpoint, you can selectively block individual HTTP methods. This is useful when you want to allow reading data but prevent modifications.

Example: Allow GET but Block DELETE

  1. Go to Error Logs → REST API and click Edit on the endpoint.
  2. Under “Disable Specific Methods”, check the DELETE checkbox.
  3. Leave GET unchecked so read access remains.
  4. Click Save Changes.

The endpoint status in the list will show as Partial (orange) and the disabled method badge will appear with a strikethrough.

When a disabled method is used, the response will be:

JSON
{
    "code": "rest_method_disabled",
    "message": "The DELETE method has been disabled for this endpoint.",
    "data": {
        "status": 403
    }
}

Obfuscating Endpoints

Obfuscation hides an endpoint from REST API discovery responses without disabling it. The endpoint remains fully functional — it is simply removed from:

  • The main REST API index at /wp-json/
  • Namespace-specific index responses (e.g. /wp-json/wp/v2)

How to Obfuscate an Endpoint

  1. Go to Error Logs → REST API and click Edit on the endpoint.
  2. Check “Obfuscate Endpoint”.
  3. Click Save Changes.

In the endpoint list, an obfuscated endpoint will show a hidden icon (eye with a line through it) next to the route.

Security through obscurity: Obfuscation is a supplementary security layer. It prevents automated scanners and bots from discovering endpoints through the REST API index, but anyone who knows the endpoint URL can still access it (unless it is also disabled). Use obfuscation alongside authentication controls for defense in depth.
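
To confirm that the rules from the Disabling Endpoints, Disabling Specific Methods and Obfuscating Endpoints sections are actually enforced, the following added example (not code from the plugin) compares intended rules with captured responses. It assumes the responses and the /wp-json/ index body were saved beforehand (for example with curl) and relies on the index listing routes as keys of its "routes" object; the sample data and the /example/v1/items route are constructed.

```python
import json

# Error codes copied from the two 403 bodies shown on this page.
MODULE_CODES = {"rest_endpoint_disabled", "rest_method_disabled"}

def blocked_by_module(status, body):
    """True only for a 403 whose JSON body carries one of the module's codes."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False  # HTML error page, proxy block, truncated body
    return status == 403 and isinstance(doc, dict) and doc.get("code") in MODULE_CODES

def listed_in_index(index_body, route):
    """True if route is a key of the "routes" object in an index response."""
    return route in json.loads(index_body).get("routes", {})

def verify(rules, observed, index_body):
    """Compare the intended rules with captured responses; return mismatches."""
    problems = []
    for route, rule in rules.items():
        for method in rule.get("blocked", []):
            status, body = observed[(method, route)]
            if not blocked_by_module(status, body):
                problems.append(f"{method} {route}: expected module 403, got {status}")
        for method in rule.get("allowed", []):
            status, body = observed[(method, route)]
            if blocked_by_module(status, body):
                problems.append(f"{method} {route}: blocked but should be allowed")
        if rule.get("obfuscated") and listed_in_index(index_body, route):
            problems.append(f"{route}: still listed in discovery index")
    return problems

# Constructed sample data; /example/v1/items is a hypothetical route.
RULES = {
    "/wp/v2/users": {"blocked": ["GET"], "obfuscated": True},
    "/example/v1/items": {"blocked": ["DELETE"], "allowed": ["GET"]},
}
OBSERVED = {
    ("GET", "/wp/v2/users"): (403, '{"code": "rest_endpoint_disabled", "data": {"status": 403}}'),
    ("DELETE", "/example/v1/items"): (401, '{"code": "rest_forbidden", "data": {"status": 401}}'),
    ("GET", "/example/v1/items"): (200, "[]"),
}
INDEX = '{"namespaces": ["wp/v2"], "routes": {"/wp/v2/users": {}, "/example/v1/items": {}}}'

if __name__ == "__main__":
    for line in verify(RULES, OBSERVED, INDEX):
        print(line)
```

A 401 or a 403 with a different code means something other than the module answered the request, so the rule itself should be rechecked rather than assumed to be in effect.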

Bulk Actions

You can enable or disable multiple endpoints at once using bulk actions.

  1. On the endpoint list page, select the checkboxes next to the endpoints you want to change.
  2. From the Bulk Actions dropdown, choose Disable or Enable.
  3. Click Apply.

| Action | Effect |
| --- | --- |
| Disable | Sets the “disabled” flag on each selected endpoint. All requests will return 403. |
| Enable | Removes the “disabled” flag from each selected endpoint. Endpoints become accessible again. |

Note: Bulk actions only toggle the fully-disabled state. They do not affect per-method restrictions or obfuscation settings. Use the Edit page to manage those options individually.

CSV Export

You can export the endpoint list to a CSV file, including any currently applied filters.

  1. Apply any desired filters (namespace, method, status, access) and/or a search query.
  2. Click the CSV Export button above the table.
  3. A progress bar appears while the export processes in batches.
  4. Once complete, the CSV file downloads automatically.

CSV Columns

| Column | Description |
| --- | --- |
| Route | The endpoint route path. |
| Methods | Comma-separated list of supported HTTP methods. |
| Namespace | The endpoint namespace. |
| In Index | “Yes” or “No” — whether it appears in the REST API index. |
| Access | “Public” or “Protected”. |
| Status | “Active”, “Disabled”, or “Partial”. |

Tip: To cancel an export in progress, click the Cancel button that appears next to the progress bar.
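
The export can feed a quick exposure review. This added example (not part of the plugin) lists endpoints that are Public, not fully disabled, and support a write method; it assumes the CSV header row uses the column names listed above, and the sample export and its routes are constructed.

```python
import csv
import io

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def review_candidates(csv_text):
    """Return public, not fully disabled endpoints that accept write methods."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Access"] != "Public" or row["Status"] == "Disabled":
            continue  # authenticated, or every request already gets 403
        methods = {m.strip().upper() for m in row["Methods"].split(",")}
        writes = sorted(methods & WRITE_METHODS)
        if not writes:
            continue
        findings.append({
            "route": row["Route"],
            "writes": writes,
            "discoverable": row["In Index"] == "Yes",
            # The export lists supported methods only, so a Partial row
            # needs a look at the edit page to see which ones are blocked.
            "check_edit_page": row["Status"] == "Partial",
        })
    # Discoverable routes first, then alphabetical.
    findings.sort(key=lambda f: (not f["discoverable"], f["route"]))
    return findings

# Constructed export; all routes are hypothetical.
SAMPLE = """Route,Methods,Namespace,In Index,Access,Status
/example/v1/admin,"GET, POST",example/v1,Yes,Protected,Active
/example/v1/subscribe,POST,example/v1,Yes,Public,Active
/example/v1/items,"GET, DELETE",example/v1,No,Public,Partial
/example/v1/ping,GET,example/v1,Yes,Public,Active
/example/v1/old,"GET, POST",example/v1,Yes,Public,Disabled
"""

if __name__ == "__main__":
    for f in review_candidates(SAMPLE):
        print(f)
```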

Screen Options

Click the Screen Options tab at the top-right of the endpoint list page to configure:

  • Number of endpoints to show — Sets how many endpoints are displayed per page. Default: 50.

Troubleshooting

“No REST API endpoints found”

The endpoint list is empty. The REST API server needs to be initialized first. Visit /wp-json/ in your browser to trigger endpoint registration, then refresh the REST API admin page.

Block editor stopped working after disabling an endpoint

The WordPress block editor (Gutenberg) relies heavily on REST API endpoints in the wp/v2 namespace. If you disabled core endpoints like /wp/v2/posts, /wp/v2/blocks, or /wp/v2/block-types, the editor may fail to load or save content.

Fix: Navigate to the REST API list, locate the disabled endpoint, and click Enable to restore it.

A plugin stopped working after disabling endpoints

Many plugins register their own REST API namespaces (e.g. wc/v3 for WooCommerce, jetpack/v4 for Jetpack). If a plugin is malfunctioning:

  1. Filter the list by the plugin’s namespace using the Namespace dropdown.
  2. Check which endpoints are disabled.
  3. Re-enable endpoints the plugin needs.

Obfuscated endpoint still accessible

This is expected. Obfuscation only removes the endpoint from discovery responses (the REST API index). The endpoint itself remains functional. If you want to block access entirely, use the Disable Endpoint Entirely option on the edit page.

Changes not taking effect

If your rule changes do not seem to apply:

  • Clear any server-side caching (object caching plugins, page caching, CDN).
  • Verify the module is enabled under Error Logs → Settings → REST API Options.
  • Check that you saved the changes on the edit page (look for the success notice).

Error Messages Reference

| Message | Cause | Solution |
| --- | --- | --- |
| “This REST API endpoint has been disabled.” | Endpoint is fully disabled | Enable the endpoint from the list or edit page |
| “The [METHOD] method has been disabled for this endpoint.” | A specific HTTP method is restricted | Edit the endpoint and uncheck the method under “Disable Specific Methods” |
| “Invalid route hash.” | The endpoint URL parameter is corrupted or missing | Return to the list and click Edit again |
| “Endpoint not found.” | The endpoint no longer exists (e.g. a deactivated plugin removed it) | Refresh the list; the endpoint may re-appear after the plugin is reactivated |
| “Security check failed.” | Nonce verification failed (session expired) | Refresh the page and try the action again |
| “You do not have permission to manage REST API endpoints.” | Non-administrator user | Log in as an administrator with manage_options capability |

Need developer documentation?
See the REST API developer documentation for architectural details, class references, hooks reference, data structures, and code examples for extending the REST API module programmatically.