• mrboats

    (@wpseiskaadmin)


    I noticed a couple of REST API calls that I think should have been blocked but that were passed by Cerber. In the hardening settings all namespaces except 1 are blocked, but still I see some REST calls from not-logged-in users being passed also to other namespaces. Most calls are blocked as they should be, but these spurious misses are a bit worrisome, especially as user enumeration seems to have been at least one of the cases.

    Running the latest version of Cerber (8.9.5).

    Here are a couple of slips: screenshot 1

    Here are my current settings: screenshot 2

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi mrboats
    I have had the same problem for a long time on all my sites where WordPress is installed in a sub folder and the WordPress Address (URL) is not the same as the Site Address (URL). Looking at your screenshot I am guessing you have the same configuration. I ended up using another method to block the REST API on those sites. The calls appear to be correctly blocked on the one site I have where WordPress is installed in the root.

    Thread Starter mrboats

    (@wpseiskaadmin)

    In my case, WordPress is in the root.

    Plugin Author gioni

    (@gioni)

    Please confirm that you can reproduce the issue by manually sending a request from your browser with the same not blocked REST API URL.

    Thread Starter mrboats

    (@wpseiskaadmin)

    That is the challenge here: these seem spurious and I cannot see any pattern. As I said, mostly the REST calls get blocked as they should, but then there are these random occurrences that get passed through incorrectly.

    In the case where WordPress is installed in a sub folder and the WordPress Address (URL) is not the same as the Site Address (URL), the following are not blocked at all, and show all information, from a not-logged-in browser on a non-whitelisted IP:
    https://example.com/wp-json/wp/v2/
    https://example.com/wp-json/wp/v2/users
    In fact I think all REST API requests starting with wp-json are not blocked.
    I have the following REST API settings on Cerber 8.9.5:
    “Stop user enumeration”, “Disable REST API” and “Logged-in users” all turned on.
    “Allow REST API for these roles” and “Allow these namespaces” are both empty.

    I am wondering if mrboats' problem URLs start with http: as shown in his screenshot rather than the normal https:
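    As an added, independent check (example code, not from Cerber or anyone in this thread), here is a must-use plugin that enforces the policy those settings describe: not-logged-in requests get a 401 unless the route's namespace is on an allow-list, and /wp/v2/users is refused to anonymous callers regardless. The file name and the allow-list contents are assumptions; the hooks and classes are standard WordPress.

```php
<?php
/**
 * Plugin Name: Anonymous REST API lockdown (added example, not Cerber code)
 * Hypothetical mu-plugin: save as wp-content/mu-plugins/rest-lockdown.php.
 * Not-logged-in requests may only reach the namespaces listed below; everything
 * else, including the discovery index "/", gets a 401. The check keys off the
 * REST route, so it applies the same over http:// and https://.
 */

// Namespaces anonymous visitors may still use (constructed example; edit for the site).
const REST_LOCKDOWN_ALLOWED_NAMESPACES = array( 'contact-form-7/v1' );

// Return the registered namespace owning $route ("/wp/v2/users" -> "wp/v2"),
// or '' for the discovery index and routes under no known namespace.
function rest_lockdown_namespace_for_route( WP_REST_Server $server, $route ) {
    $owner = '';
    foreach ( $server->get_namespaces() as $ns ) {
        $matches = ( $route === '/' . $ns ) || ( 0 === strpos( $route, '/' . $ns . '/' ) );
        // Keep the longest match so "wp/v2" wins over a shorter prefix namespace.
        if ( $matches && strlen( $ns ) > strlen( $owner ) ) {
            $owner = $ns;
        }
    }
    return $owner;
}

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another callback already short-circuited this request; keep its decision.
    if ( null !== $result ) {
        return $result;
    }
    // Authenticated callers (cookie + nonce, application passwords, ...) are not restricted here.
    if ( is_user_logged_in() ) {
        return $result;
    }
    $route = $request->get_route();
    $ns    = rest_lockdown_namespace_for_route( $server, $route );
    // /wp/v2/users is the user-enumeration route: refuse it for anonymous callers regardless of policy.
    $user_lookup = ( 0 === strpos( $route, '/wp/v2/users' ) );
    if ( '' === $ns || $user_lookup || ! in_array( $ns, REST_LOCKDOWN_ALLOWED_NAMESPACES, true ) ) {
        return new WP_Error(
            'rest_lockdown_forbidden',
            'Authentication is required to use this REST API route.',
            array( 'status' => 401 )
        );
    }
    return $result;
}, 10, 3 );
```

    To verify it, open both the http: and https: form of /wp-json/wp/v2/users from a logged-out browser; each should now return a 401 JSON error rather than the user list.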

    Thread Starter mrboats

    (@wpseiskaadmin)

    @dabrolga, true that, hadn’t paid attention to that detail. So it seems that http: might be the culprit here. @gioni, shouldn’t http requests be blocked as well?
