Secure your applications running on WordPress

We secure the WordPress® REST API instantly with enhanced security: we block unknown outsiders, rate limit requests and protect against data exposure – no config required.


See The Problem For Yourself

Try this on any WordPress site: add /wp-json/ to the end of the domain.

Hackers love unsecured APIs—they can scrape data, spam requests, and poke for vulnerabilities, or even manipulate content. The WordPress® REST API is powerful—but it’s also a wide-open doorway into your site if left unsecured.

Here’s just what your REST API Index is sharing…

🔓 BEFORE: What Hackers See (Your Site Right Now)

{
  "name": "WP-JSON",
  "description": "This is what a default WP-JSON index looks like.",
  "url": "http://unsecure.api",
  "home": "https://unsecure.api",
  "gmt_offset": "0",
  "timezone_string": "",
  "page_for_posts": 93,
  "page_on_front": 112,
  "show_on_front": "page",
  "routes": {
    "/wp/v2/users": ["GET", "POST"],
    "/wp/v2/posts": ["GET", "POST", "PUT", "DELETE"],
    "/wp/v2/pages": ["GET", "POST", "PUT", "DELETE"],
    ... 47+ more endpoints exposed
  },
  "authentication": {
    "application-passwords": {
      "endpoints": {
        "authorization": "https://unsecure.api/wp-admin/authorize-application.php"
      }
    }
  },
  "namespaces": ["wp/v2", "wp/v3", "plugins/..."],
  "site_logo": 526,
  "site_icon": 525,
  "site_icon_url": "https://unsecure.api/content/media/2025/08/api-security-icon.png",
  "_links": {
    "help": [
      {
        "href": "https://developer.wordpress.org/rest-api/"
      }
    ],
    "wp:featuredmedia": [
      {
        "embeddable": true,
        "type": "site_logo",
        "href": "https://unsecure.api/wp-json/wp/v2/media/526"
      },
      {
        "embeddable": true,
        "type": "site_icon",
        "href": "https://unsecure.api/wp-json/wp/v2/media/525"
      }
    ],
    "curies": [
      {
        "name": "wp",
        "href": "https://api.w.org/{rel}",
        "templated": true
      }
    ]
  }
}

👆 This gives hackers a complete roadmap of your site.

🔓 AFTER: What Hackers See (With API Security)

{
  "name": "API Security",
  "description": "Safe guard the REST API instantly with enhanced security, block unknown outsiders, rate limit requests and protect data exposure – simple, secure, and hassle-free.",
  "gmt_offset": "0",
  "timezone_string": "",
  "site_icon_url": "https://apisecurity.pro/content/media/2025/01/api-security-icon.svg"
}

👆 Clean, simple, secure. No roadmap for attackers.
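To check what your own site's index gives away, the following Python audit is an added example (not part of the original page and not the plugin's code) that walks an index document and lists each disclosure. The two sample documents are constructed by trimming the BEFORE and AFTER listings above; `audit_index`, `methods_of`, `CORE_NAMESPACES` and the `plugins/example` namespace are names assumed for this illustration.

```python
import json

# Constructed samples, trimmed from the BEFORE/AFTER index documents shown above.
BEFORE = json.loads("""{
  "name": "WP-JSON", "url": "http://unsecure.api", "home": "https://unsecure.api",
  "routes": {"/wp/v2/users": ["GET", "POST"],
             "/wp/v2/posts": ["GET", "POST", "PUT", "DELETE"]},
  "authentication": {"application-passwords": {"endpoints": {
      "authorization": "https://unsecure.api/wp-admin/authorize-application.php"}}},
  "namespaces": ["wp/v2", "plugins/example"],
  "_links": {"wp:featuredmedia": [{"href": "https://unsecure.api/wp-json/wp/v2/media/526"}]}
}""")
AFTER = json.loads('{"name": "API Security", "gmt_offset": "0", "timezone_string": ""}')

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Namespaces treated as WordPress core here (assumption; extend for your install).
CORE_NAMESPACES = {"wp/v2", "oembed/1.0"}

def methods_of(entry):
    # The page's sample lists methods directly; a live index nests them under "methods".
    return set(entry.get("methods", [])) if isinstance(entry, dict) else set(entry)

def audit_index(index):
    """Return (field, finding) pairs for everything the index document discloses."""
    findings = []
    routes = index.get("routes", {})
    if routes:
        findings.append(("routes", f"{len(routes)} routes enumerated"))
        writable = sorted(r for r, e in routes.items() if methods_of(e) & WRITE_METHODS)
        if writable:
            findings.append(("routes", "write methods advertised on " + ", ".join(writable)))
        if any(r.startswith("/wp/v2/users") for r in routes):
            findings.append(("routes", "user endpoint listed"))
    extra = sorted(set(index.get("namespaces", [])) - CORE_NAMESPACES)
    if extra:
        findings.append(("namespaces", "non-core namespaces reveal plugins: " + ", ".join(extra)))
    if "authentication" in index:
        findings.append(("authentication", "authorization endpoint disclosed"))
    for key in ("url", "home"):
        if str(index.get(key, "")).startswith("http://"):
            findings.append((key, "site URL advertised over plain HTTP"))
    if index.get("_links"):
        findings.append(("_links", "internal resource links and media IDs disclosed"))
    return findings

if __name__ == "__main__":
    for label, doc in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, audit_index(doc) or "nothing disclosed beyond site metadata")
```

An empty result for your saved index means none of the fields checked here are being published.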

But that’s just the start of it.

Most WordPress® security plugins ignore the REST API because it’s deeply tied to the core of WordPress® with features like the block editor, Jetpack, and other plugins that rely on it. That means the door stays open by default—just with the hope that no one malicious walks through it.

API Security protects those doors automatically, silently, while improving traffic control from outsiders and allowing the core of WordPress®, your applications and your trusted tools to use it normally.

Giving you peace of mind—without slowing your site down.

Features

Everything you need for professional-grade WordPress® API security

Just a few clicks away to put your mind at ease.

Removed Directory

Hide all sensitive details from the API index of your WordPress® site. Make it harder for hackers to know what you have enabled and can use.

Block Unknown Agents

Deny access to any route from unknown agents, including bots. Only pre-vetted agents are allowed.

Shields Up

All security best practices are automatically in place, stopping bad sites from harming your site, including no-referrer and anti-sniffing protection.

Protect User Data

Anonymize user data. Prevent hackers from getting a head start with listed usernames, exposed IDs and more.

Rate Limiting

Control and prevent abuse from excessive calls and performance degradation on the host running your site.

Firewall

Getting attacked is not fun. We automatically lock down access to the API if we detect it’s being violated, before it gets too bad.

CORS Support

Unblock browser restrictions: configure which origins, methods and ports are allowed access to your API.

No phone home

WordPress® KYC is always passed along. Prevent your site information from being shared for extra security.

Always Secure

Accept requests only on a secure connection. Redirects all non-secure requests to use a secure request instead, always.

CoCart Supported

100% ready for your headless store.

Plugin Compatible

Works with other WordPress security plugins.

I’m super impressed with how powerful and simple the security it provides for the REST API is. I didn’t have to do anything but install!



Maryann Alpine

Site Analytics

1. Super Simple Setup

Less than a minute to set up. Just install and activate. That’s it!

2. Easy to Fine-Tune

Filters, hooks and more are available to make adjustments to your needs. See documentation.

3. Peace of Mind

Feel at ease knowing your API is 100% secure.

Pricing

Simple, Site-Based Pricing

All plans include the exact same powerful features. Just pick how many sites you need to secure: site owner (1 site), small team (5 sites), or agency (25 sites).


I feel more secure knowing my WordPress REST API is not exposed and blocks unknown agents.

Marion Alpine · SparkCode


I finally feel confident using the REST API. Now, I can build a headless site without worrying about the information left behind in the background.

Giannis Holiday · Creatif

$59

yearly subscription

Site Owner

Ideal for an individual WordPress® site owner requiring robust, professional-grade API security.

Support and Licensing

Basic support. Only covers fully completed bug reports. No third party conflict investigations.


Use on 1 site + unlimited staging sites.

$99

yearly subscription

Small Team

Secure and manage multiple WordPress® sites with ease—perfect for growing teams and small businesses.

Support and Licensing

Priority Support. Bug reports, third party conflicts, and more.


Use on 5 sites + unlimited staging sites.


Access to source code via GitHub.

$299

yearly subscription

Agency

Comprehensive API security tailored for agencies and developers managing multiple client sites.

Support and Licensing

Priority Support. Bug reports, third party conflicts, and more.


Use on 25 sites + unlimited staging sites.


Access to source code via GitHub.


White label it. Make your clients feel safer knowing you’re securing the API.

Secure Payments via Polar

Sale terms: Prices are shown in US dollars (USD) and cover plugin updates and support for the duration of your subscription. Local taxes may be applied. You may cancel your subscription at any time. If you keep your subscription active, the cost will never increase.

Alternatively, if you’re still undecided, you can try it out on a sandbox site.

Frequently Asked Questions

Have a question?

Browse our FAQs below or contact us directly and we’ll happily sort you out.

What is included in Priority Support?

We provide email support. We guarantee a first response within 24 hours. 48 hours on weekends.

Does API Security work on self-hosted WordPress installs and WordPress.com?

Yes, API Security works on self-hosted WordPress installs and WordPress.com if you have a Business plan, which allows third-party plugins to be installed.

Will subscriptions renew at the sale price or full price?

Subscriptions will renew at the sale price. If you purchased a $99/year subscription today, your subscription will renew at $99/year unless you cancel.

Do you offer lifetime deals?

Yes. The lifetime deal will run until 30th September, 2025.

Do you offer refunds?

Yes, we offer a 14-day compatibility guarantee. Refunds are provided only for unresolvable technical compatibility issues that our support team cannot solve. You must work with our support team first before requesting a refund. Payment processor fees (5%) are deducted from approved refunds.

Still have questions?

See more possible answers to your questions or let’s have a chat!

Latest and Greatest

Read our latest blog articles

Learn the latest and greatest in WordPress API Security on our blog.

  • Hello everyone!

    Tired of leaving your WordPress REST API wide open? Hackers love unsecured APIs. They can scrape data, spam requests, and poke for vulnerabilities, or even manipulate content. We just launched API Security—a zero-config plugin that instantly locks down your REST API, blocks unknown outsiders, limits abusive requests, and protects your data. Built for site owners…