Try the following mod_rewrite directives instead at the top of your root .htaccess file (before the # BEGIN WordPress section):
# Reject any user requests that are not prefixed "/wp-json"
# (the pattern is anchored with ^ so that it is tested as a prefix of the URL-path)
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule !^wp-json($|/) - [F]
Requested URLs that are not prefixed /wp-json (or /wp-json/) are rejected with a 403 Forbidden.
The RewriteCond directive that checks against the REDIRECT_STATUS environment variable is to ensure that only requests from the client are blocked and not internally rewritten requests to index.php (the WordPress front-controller). REDIRECT_STATUS is empty on the initial request and set to “200” (as in 200 OK status) after the first successful rewrite.
<Directory />
  AllowOverride None
</Directory>
<Directory /wp-json*>
  AllowOverride All
</Directory>
<Directory /wp-json*/*>
  AllowOverride None
</Directory>
<Directory> and AllowOverride are server-only directives and will trigger a 500 Internal Server Error if used in .htaccess. However, AllowOverride enables/disables .htaccess overrides (it doesn’t block access) – which is not what you want to do here (.htaccess overrides are probably already enabled). And /wp-json is not a physical “directory” on the filesystem, so the <Directory> directive does not apply here.
Order deny,allow
Deny from all
Allow from all
Having Deny from all and Allow from all in the same context doesn’t really make sense. (You would need to disable access for the root and enable access for the specific URL-path prefix.) However, Order, Deny and Allow are Apache 2.2 directives and you are more likely to be on an Apache 2.4 server. These directives are now deprecated in favour of the Apache 2.4 Require group of directives.
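The following is an added example, not part of the original answer: a small Python model of the mod_rewrite rule at the top, with the pattern anchored as ^wp-json($|/), showing which requests receive a 403 and why the REDIRECT_STATUS condition is needed. The function names, the sample paths and the simplified two-pass model (initial request, then the WordPress rewrite to index.php) are assumptions made for illustration.

```python
import re

# Assumption: the .htaccess file is in the document root, so mod_rewrite matches
# the rule pattern against the URL-path without its leading slash.
PATTERN = re.compile(r"^wp-json($|/)")

def rule_rejects(url_path, redirect_status, check_status=True):
    """True if 'RewriteRule !^wp-json($|/) - [F]' would answer 403 on this pass."""
    local_path = url_path[1:] if url_path.startswith("/") else url_path
    not_prefixed = PATTERN.search(local_path) is None  # the "!" negation
    # RewriteCond %{ENV:REDIRECT_STATUS} ^$ is only true on the initial request.
    # check_status=False models the rule with that condition left out.
    is_initial = (redirect_status == "") if check_status else True
    return not_prefixed and is_initial

def handle(url_path, check_status=True):
    """Model one client request: the initial pass, then the pass that follows
    WordPress rewriting the virtual path to index.php (REDIRECT_STATUS "200")."""
    if rule_rejects(url_path, "", check_status):
        return "403 Forbidden"
    if rule_rejects("/index.php", "200", check_status):
        return "403 Forbidden"
    return "index.php"

# Constructed sample request paths
SAMPLES = [
    "/wp-json",
    "/wp-json/wp/v2/posts",
    "/wp-login.php",
    "/index.php",
    "/wp-jsonp",        # shares the string but is not the /wp-json prefix
    "/blog/wp-json/",   # contains wp-json/ but not at the start of the path
]

if __name__ == "__main__":
    for path in SAMPLES:
        with_cond = handle(path)
        without_cond = handle(path, check_status=False)
        print(f"{path:24} with cond: {with_cond:14} without cond: {without_cond}")
```

Without the condition every request ends in a 403, because the internally rewritten request to index.php is itself not prefixed /wp-json.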