
Custom Fields
Rest API and Metabox fields show/hide

  • Creator
  • #30021
    Resolved Nicholas Cox


    I noticed that WordPress has a lot of API endpoints and I came across the 'users' endpoint (wp-json/wp/v2/users) which exposes a lot of sensitive data. I do understand that Metabox adds the fields to the API which is great, but I noticed that the default users data is exposed to visitors and hackers.

    What is the best approach to managing this? Is it best to disable all endpoints not being used and create new endpoints to control the data for visitors only? I need to use the API for visitors so it's not like I can use the 'nonce'.

    Or can I show/hide specific Metabox fields within the API?

    Or shall I add in authentication to access the API, like an API key?

    Thanks, any help/advice would be great.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Author
  • #30041
    Long Nguyen


    It's not possible to show/hide specific Meta Box fields in the JSON data of REST API. I think you can restrict access to the WP REST API with this code:

    add_filter( 'rest_authentication_errors', function( $result ) {
        // If a previous authentication check was applied,
        // pass that result along without modification.
        if ( true === $result || is_wp_error( $result ) ) {
            return $result;
        }

        // No authentication has been performed yet.
        // Return an error if user is not logged in.
        if ( ! is_user_logged_in() ) {
            // WP_Error takes an error code, then the message, then extra data.
            return new WP_Error(
                'rest_not_logged_in',
                __( 'You are not currently logged in.' ),
                array( 'status' => 401 )
            );
        }

        // Our custom authentication check should have no effect
        // on logged-in requests
        return $result;
    } );

    Refer to this topic https://stackoverflow.com/questions/32082922/restrict-access-to-wordpress-rest-api
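
For the case raised in the question, where visitors still need the API, a narrower variant of the filter above can require a login only for the users routes and leave everything else open. This is an added example, not code from the thread or from Meta Box; the `example_` function names are hypothetical, and it assumes only the core `/wp/v2/users` routes need protecting.

```php
<?php
// Added example, not from the thread. Names prefixed "example_" are hypothetical.

/**
 * Route patterns that require a logged-in user.
 * Assumption: only the core users routes need protecting; extend as needed.
 * The "i" flag matters: WordPress matches REST routes case-insensitively,
 * so /wp/v2/Users reaches the same handler as /wp/v2/users.
 */
function example_protected_rest_routes() {
    return array(
        '#^/wp/v2/users(/|$)#i',
    );
}

/** True when the given REST route matches one of the protected patterns. */
function example_is_protected_rest_route( $route ) {
    foreach ( example_protected_rest_routes() as $pattern ) {
        if ( 1 === preg_match( $pattern, $route ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already short-circuited this request: leave it alone.
    if ( null !== $result ) {
        return $result;
    }

    // Logged-in requests and unprotected routes pass through untouched,
    // so anonymous visitors can still read posts, pages and custom endpoints.
    if ( is_user_logged_in() || ! example_is_protected_rest_route( $request->get_route() ) ) {
        return $result;
    }

    // Anonymous request for a protected route: answer 401 instead of user data.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You are not currently logged in.' ),
        array( 'status' => 401 )
    );
}, 10, 3 );
```

The check runs in `rest_pre_dispatch` rather than `rest_authentication_errors` because that filter receives the request object, so the route can be read from `$request->get_route()` after authentication has already been evaluated.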

    Nicholas Cox

    Great, thanks, I'll check out the link.
