More reliable will be allowing specific IP instead of domain using REMOTE_ADDR
header. You can use HTTP_REFERRER
header but it is not reliable.
You can do it via using rest_authentication_errors
filter.
add_filter( 'rest_authentication_errors', 'wpse150207_filter_incoming_connections' );
function wpse150207_filter_incoming_connections( $errors ){
$allowed_ips = array( '127.0.0.1' );
$request_server = $_SERVER['REMOTE_ADDR'];
if( ! in_array( $request_server, $allowed_ips ) )
return new WP_Error( 'forbidden_access', 'Access denied', array( 'status' => 403 ) );
return $errors;
}
The rest api will generate 403 error on ips other that given ip array.
Note: The solution works for WP v4.4.2
+ Rest API v2.0-beta12
.