Hi,
I am encountering an issue with WP Cerber where it appears to block REST API requests prematurely under certain conditions. Specifically, it blocks legitimate API requests that are authenticated and use allowed HTTP methods such as GET, POST, PUT, DELETE, and PATCH, especially when we try to use WP’s password application.

add_filter( 'application_password_is_api_request', __NAMESPACE__ . '\\application_password_is_api_request' );

function application_password_is_api_request( $is_api_request ) {
    $request_uri = $_SERVER['REQUEST_URI'] ?? '';
    if ( empty( $request_uri ) ) {
        return $is_api_request;
    }

    // Check if it's an API route
    if ( ! str_contains( $request_uri, '/wp-json/' ) ) {
        return $is_api_request;
    }

    $request_method         = $_SERVER['REQUEST_METHOD'] ?? '';
    $request_method_allowed = [ 'GET', 'POST', 'PUT', 'DELETE', 'PATCH' ];

    // Check if the request method is allowed
    if ( ! in_array( $request_method, $request_method_allowed, true ) ) {
        return $is_api_request;
    }

    // Check if authentication credentials are provided
    if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
        return $is_api_request;
    }

    return true;
}

This function helps ensure that REST API requests are handled appropriately by checking:
- The presence of /wp-json/ in the request URI.
- That the HTTP method used is in the list of allowed methods.
- That valid authentication credentials are provided.
Could you please confirm if this behavior is known or expected? If not, is there an official fix or an update planned to address this issue in WP Cerber?
Thank you for your assistance.
Best,
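
A stricter form of the route check used in the filter above, as an added example that is not part of the original post or of WP Cerber. `str_contains()` on the raw `REQUEST_URI` also matches `/wp-json/` inside a query string and misses plain-permalink `?rest_route=` requests, so this version parses the URI first. The function name, `$prefix` and `$home_path` are assumptions; inside WordPress the prefix would come from `rest_get_url_prefix()`.

```php
<?php
// Added example, not code from the original post or from WP Cerber.
// uri_targets_rest_api(), $prefix and $home_path are hypothetical names; inside
// WordPress, $prefix would come from rest_get_url_prefix().
function uri_targets_rest_api( string $request_uri, string $prefix = 'wp-json', string $home_path = '/' ): bool {
    $parts = parse_url( $request_uri );
    if ( false === $parts ) {
        return false; // Malformed URI: do not treat it as an API request.
    }

    // Plain permalinks: /?rest_route=/wp/v2/posts
    parse_str( $parts['query'] ?? '', $query );
    $route = $query['rest_route'] ?? null;
    if ( is_string( $route ) && str_starts_with( $route, '/' ) ) {
        return true;
    }

    // Pretty permalinks: the prefix must be the first path segment after the
    // site's home path (optionally preceded by index.php), not a substring.
    $segments = array_values( array_filter( explode( '/', $parts['path'] ?? '' ), 'strlen' ) );
    $home     = array_values( array_filter( explode( '/', $home_path ), 'strlen' ) );
    if ( array_slice( $segments, 0, count( $home ) ) !== $home ) {
        return false; // Path is outside this site.
    }
    $rest = array_slice( $segments, count( $home ) );
    if ( 'index.php' === ( $rest[0] ?? '' ) ) {
        array_shift( $rest );
    }
    return $prefix === ( $rest[0] ?? '' );
}

// Constructed sample URIs (not taken from any real site).
$samples = [
    '/wp-json/wp/v2/posts',
    '/index.php/wp-json/wp/v2/users/me',
    '/?rest_route=/wp/v2/posts',
    '/?redirect=/wp-json/',        // str_contains() on the raw URI matches this
    '/wp-json-backup/file.txt',
    '/shop/wp-json/wp/v2/posts',   // Only a REST path when $home_path is '/shop'
];
foreach ( $samples as $uri ) {
    printf( "%-36s %s\n", $uri, var_export( uri_targets_rest_api( $uri ), true ) );
}
```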