When someone visits a page on your site, Independent Analytics makes a single REST API request that records the visit. Without access to the REST API, it cannot record any data.
At the same time, you may be aware of the security concerns raised by the REST API. While it doesn’t directly create vulnerabilities, it does expose information that could be used in conjunction with another attack.
The good news is that you can selectively disable REST API routes without deactivating the API entirely. This is made possible via the excellent Disable REST API plugin.
Once you activate the Disable REST API plugin, you’ll find a new menu at Settings > Disable REST API. In this menu, you can click on the /iawp route to enable it, and then save your changes.
This will ensure that the /iawp route can be triggered by your visitors while locking down all other routes.
If any of your other plugins depend on the REST API, make sure to enable their routes too.
Disabling the REST API without a plugin
If you’d prefer to add a code snippet to your site instead of installing a new plugin, you can use the following function:
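function block_rest_api_except_ia( $access ) {
    // Compare only the path, so a query string on the request does not break the match.
    $path = isset( $_SERVER['REQUEST_URI'] ) ? wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) : '';
    // Block logged-out requests to everything except the Independent Analytics endpoint.
    if ( ! is_user_logged_in() && '/wp-json/iawp/search' !== $path ) {
        return new WP_Error(
            'rest_disabled',
            __( 'The WordPress REST API has been disabled.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $access;
}
add_filter( 'rest_authentication_errors', 'block_rest_api_except_ia' );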
This code will disable the REST API for anyone who isn’t logged in unless the request is for the Independent Analytics endpoint. This allows your analytics to be recorded without exposing any other endpoints.
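If other plugins on your site also need REST API access, the same filter can check the requested route against an allowlist instead of one hard-coded URL. The following is an added example, not code from Independent Analytics or the Disable REST API plugin; the function names and the commented-out placeholder route are hypothetical, and it allows the whole /iawp route (as in the plugin method above) rather than only /iawp/search.

```php
<?php
// Added example. Hypothetical names: ia_example_allowed_routes(),
// ia_example_restrict_rest_api().

// Route prefixes that logged-out visitors may still reach.
function ia_example_allowed_routes() {
    return array(
        '/iawp', // Independent Analytics route named on this page.
        // '/example-plugin/v1', // Placeholder: routes other plugins depend on.
    );
}

function ia_example_restrict_rest_api( $access ) {
    // Keep an error already raised by an earlier authentication filter.
    if ( is_wp_error( $access ) ) {
        return $access;
    }

    // Logged-in users keep full access, as in the snippet above.
    if ( is_user_logged_in() ) {
        return $access;
    }

    // WordPress stores the requested route in this query var for both
    // /wp-json/... and ?rest_route=... URLs, including subdirectory installs.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? untrailingslashit( (string) $GLOBALS['wp']->query_vars['rest_route'] )
        : '';

    foreach ( ia_example_allowed_routes() as $prefix ) {
        // Match the prefix itself or anything beneath it, but not
        // look-alike routes such as /iawp-other.
        if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
            return $access;
        }
    }

    return new WP_Error(
        'rest_disabled',
        __( 'The WordPress REST API has been disabled.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_authentication_errors', 'ia_example_restrict_rest_api' );
```

Use this in place of the function above rather than alongside it, then confirm that a logged-out request to a route outside the allowlist is rejected and that visits are still recorded.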