WordPress JSON API restrict to specific domain
More reliable will be allowing specific IP instead of domain using REMOTE_ADDR header. You can use HTTP_REFERRER header but it is not reliable. You can do it via using rest_authentication_errors filter. add_filter( ‘rest_authentication_errors’, ‘wpse150207_filter_incoming_connections’ ); function wpse150207_filter_incoming_connections( $errors ){ $allowed_ips = array( ‘127.0.0.1’ ); $request_server = $_SERVER[‘REMOTE_ADDR’]; if( ! in_array( $request_server, $allowed_ips ) ) return … Read more