Restricting the REST API when the `site_url` is different from the `home_url`

Hello, I am encountering an issue with restricting the REST API when the `site_url` is different from the `home_url`.

My project has a specific structure (https://roots.io/bedrock/) where WordPress is located in `/wp`. During the verification of `crb_get_rest_path()` and `CRB_Request::get_relative_path()`, it fails to account for `/wp` being in a different location. As a result, the verification is incorrect, and the REST API remains accessible.

Can you help me?

Best,

Hi! We’re happy to assist with this interesting issue. However, please note that it might take a bit of time to sort this out since it involves modifying the core of the plugin. If I understand correctly, the “WordPress Address (URL)” and “Site Address (URL)” settings contain different subfolders. Is that correct?

Hi Nick,

WordPress Address (URL) is https://www.siteurl.fr and
Site Address (URL) is https://www.siteurl.fr/wp

Could you confirm that your WordPress files are located in the root folder of your website, but the website itself is accessible via https://www.siteurl.fr/wp? It’s important because such a configuration looks non-standard.
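
WordPress builds its REST URLs from the home URL, so in a Bedrock layout the REST endpoint is not under `/wp`. The PHP below is an added example, not part of the thread and not the plugin's code: it shows how a REST-path check anchored on the core directory misses the request while one anchored on the home URL matches it. The `example.test` URLs, the request path and both helper functions are constructed for illustration and do not reproduce `crb_get_rest_path()` or `CRB_Request::get_relative_path()`.

```php
<?php
// Added illustration; not code from the plugin discussed in this thread.
// Constructed Bedrock-style values: the public site is at the root,
// WordPress core files live in the /wp subdirectory.
const HOME_URL    = 'https://example.test';     // value home_url() would return
const SITE_URL    = 'https://example.test/wp';  // value site_url() would return
const REST_PREFIX = 'wp-json';                  // WordPress default REST prefix

// Hypothetical helper: path of $request_uri relative to the path part of
// $base_url, or null when the request is not located under that base.
// Whole segments are compared, so a base of "/wp" is never treated as a
// prefix of "/wp-json".
function relative_path(string $request_uri, string $base_url): ?string {
    $base = rtrim((string) parse_url($base_url, PHP_URL_PATH), '/');
    $path = (string) parse_url($request_uri, PHP_URL_PATH);
    if ($base === '') {
        return ltrim($path, '/');
    }
    if ($path === $base || strpos($path, $base . '/') === 0) {
        return ltrim(substr($path, strlen($base)), '/');
    }
    return null;
}

// Hypothetical check: does this request address the REST API, judged
// relative to the given base URL?
function is_rest_request(string $request_uri, string $base_url): bool {
    $rel = relative_path($request_uri, $base_url);
    return $rel !== null
        && ($rel === REST_PREFIX || strpos($rel, REST_PREFIX . '/') === 0);
}

$uri = '/wp-json/wp/v2/users'; // constructed request path

// Anchored on the core directory: the request is not under /wp, so the
// check does not recognise it and any REST restriction would be skipped.
var_dump(is_rest_request($uri, SITE_URL));

// Anchored on the home URL: the same request is recognised as REST.
var_dump(is_rest_request($uri, HOME_URL));
```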