Disable API protection

Hi @kristtranslate ,

Thank you for your feedback.

We have taken note of it and will address the issue in the next release, scheduled for 1-2 weeks from now.

In the meantime, could you please revert to the PPWP Lite 1.8.8 version to temporarily resolve the issue? Alternatively, you can contact us via the contact form on our website to obtain an older version of PPWP Lite.

Awaiting your reply.

OK, thank you so much for taking this problem into account – we’ll stick to version 1.8.8 for the time being and wait for the next plugin release. Looking forward to this !

Have a great day

Regards

Hello,

we can see that v1.9.1.1 was released. Is it supposed to fix our issue, i.e is there now a setting to turn API protection OFF , or should we wait a little longer ?… the changelog does not help.

Thanks

Hi @kristtranslate ,

Yes, our dev team has updated some code to fix the API protection in the PPWP 1.9.1.1 version.

Could you please update and check if it works?

Please remember to keep the 1.8.8 version as backup in case it doesn’t resolve the issue.

Awaiting your reply.

We’ve tested 1.9.1.1 but the API protection is still ON and we don’t find where to turn it off…

Hi @kristtranslate ,

Our dev team didn’t provide the option to turn the API protection on or off.

They have adjusted some code so that if your site uses the Sitewide Protection and API, it won’t break your site.

Is your site still experiencing issues when using our PPWP 1.9.1.1 version? If so, could you please provide us with the debug.log file so our dev team can investigate?

Just to confirm, are you using the PPWP Sitewide Protection feature?

Awaiting your reply.

We indeed use the PPWP Sitewide Protection Feature. The trouble is, that until 1.9.1 we could still access our WP site’s APIs (wp-json/wp/v2/ route) in spite of us using PPWP Sitewide Protection Feature: though access to web pages would be password-protected, API access would remain unprotected.

Now with PPWP 1.9.1+ we don’t know how to turn API protection off whilst keeping wep pages protection on.

Let me know if this clarifies our problem & need

Thanks !

Hi @kristtranslate ,

Thank you for the information. There was a misunderstanding, but we understand your point now.

Using APIs (specifically wp-json/wp/v2/ route) to bypass Sitewide Protection has been identified as a bug reported by WordFence, rather than a feature.

Therefore, we have addressed this issue in version 1.9.1+. The WordPress site’s APIs must remain protected until you use the password to unlock Sitewide Protection. If they aren’t protected, unauthorized users could potentially access your site.

If you need to bypass Sitewide Protection, we recommend using our quick access link (QALs), Whitelist specific user roles, or Whitelist specific IP addresses provided via the PPWP Pro plugin.

References: https://passwordprotectwp.com/docs/bypass-wordpress-sitewide-password-protection/

Thank you for your understanding.