Securing your WordPress site is a top priority for most website owners. Plugins like WP Cerber make this task easier by offering strong protection against hacking, brute-force attacks, and other malicious behavior. However, while WP Cerber is excellent at tightening your site’s defenses, sometimes it can overreach — especially when it comes to the REST API. I learned this firsthand when WP Cerber's aggressive REST API blocking unexpectedly broke my mobile app. In this article, I’ll share the frustrating journey I went through trying to diagnose the issue and how I finally fixed it using whitelist rules within WP Cerber.
TL;DR
If you’re using WP Cerber and your WordPress mobile app or a custom integration suddenly stops working, WP Cerber's REST API blocking may be the culprit. The plugin’s security layers can interfere with authentication or data exchange via the REST API. By carefully identifying which endpoints your app uses and whitelisting those specific routes, you can prevent conflicts without compromising security. Read on to learn exactly how I diagnosed and resolved this issue.
When a Secure Plugin Turns into a Problem
Everything had been working flawlessly. Our team launched a sleek mobile app that used the WordPress REST API to display articles, allow users to comment, and even upload images. It interacted with the main WordPress site via standard API routes like /wp-json/wp/v2/posts and a few custom endpoints built via the register_rest_route() function. We were confident that with authentication tokens and nonce validation, everything was secure.
Then, one day, the app started breaking down—fast. Users were seeing blank screens, posts weren’t loading, and login attempts within the app failed. We assumed it was a server-side update or API change. However, after rolling back and scanning logs, our backend looked clean. The APIs still worked from the browser and Postman. That’s when we realized: the problem was specific to mobile clients.
The Clue is in the Console: WP Cerber’s REST API Shield
Upon deeper inspection of the WP Cerber logs, we found a number of entries like:
REST API request blocked. Request: /wp-json/custom/v1/data Reason: REST API disabled or IP not permitted
That lit the bulb. WP Cerber had quietly (and very effectively) been blocking API calls that didn’t meet its rules. One major setting labeled “Block access to the WordPress REST API unless the request comes from a white-listed source” was enabled. That meant our mobile app traffic was being seen as suspicious—despite being totally legitimate.
How Does WP Cerber’s REST API Blocking Work?
WP Cerber’s REST API controls allow you to:
- Disable the API entirely for anonymous users.
- Restrict access to specific roles or IPs.
- Log and block unexpected or malformed requests.
What’s tricky is that mobile app traffic often comes through IPs or payload structures that don’t look like browser-based traffic. If your app doesn’t explicitly authenticate using cookies or nonce tokens, Cerber flags it.
Taking the Wrong Path First (What Didn’t Work)
Initially, I tried re-enabling REST API access globally within WP Cerber. Under WP Cerber → Security Rules → REST API, I unchecked the box that says “Block access to the WordPress REST API.” This made everything work perfectly… but it was akin to ripping the lock off a secure door just because your key wasn’t working.
The app started working again, but so did any other REST API request from any anonymous or potentially malicious actor. That was unacceptable from a security standpoint.
The Fix: Whitelisting REST API Routes
I realized I needed a more nuanced solution. WP Cerber offers a feature under Access Lists and REST API Settings that allows you to whitelist specific routes or IP addresses — exactly what we needed.
Step-by-Step: How to Whitelist Properly
- Go to the WP Cerber dashboard in your WordPress admin panel.
- Navigate to Traffic Inspector → Live Traffic.
- Filter the list for REST API blocked requests (look for “Blocked REST API Request”).
- Identify which URIs are being used by your app – often they’ll be under /wp-json/.
- Take note of these endpoint URIs and double-check that they are all part of your app’s functionality.
- Now go to WP Cerber → Security Rules → REST API.
- Scroll to Access to REST API and look for the setting: Allow access to specific namespaces.
- Click “Enable” and carefully add the specific routes or namespaces (e.g., /wp/v2 or your custom namespace like /custom/v1).
Once I added both the default WordPress and our custom routes into this list, the app began working again without having to deactivate any security features globally.
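Steps 3 to 5 above (pull the blocked entries, work out which namespaces the app actually uses, and only whitelist those) can be done mechanically. The script below is an added example, not part of the original article or of WP Cerber itself; it assumes the blocked entries have been exported as text lines in the shape of the log entry quoted earlier, and the sample lines it parses are constructed for illustration.

```python
import re
from collections import defaultdict

# Shape of the WP Cerber entry quoted in the article: "REST API request blocked. Request: <path> Reason: <text>"
BLOCKED_RE = re.compile(r"REST API request blocked\. Request: (?P<path>\S+) Reason: (?P<reason>.+)")

def namespace_of(path):
    """Return the REST namespace ('wp/v2', 'custom/v1') of a /wp-json/ path, or None."""
    prefix = "/wp-json/"
    if not path.startswith(prefix):
        return None
    parts = path[len(prefix):].split("?", 1)[0].strip("/").split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:  # namespace = vendor/version
        return None
    return f"{parts[0]}/{parts[1]}"

def group_blocked_routes(log_lines):
    """Map each namespace to the set of blocked routes (query strings dropped) seen under it."""
    routes = defaultdict(set)
    for line in log_lines:
        m = BLOCKED_RE.search(line)
        if not m:  # unrelated log entries (logins, etc.) are skipped
            continue
        ns = namespace_of(m.group("path"))
        if ns:
            routes[ns].add(m.group("path").split("?", 1)[0])
    return dict(routes)

def whitelist_plan(log_lines, app_namespaces):
    """Namespaces the app really uses go on the allow list; anything else stays blocked and gets reviewed."""
    seen = group_blocked_routes(log_lines)
    allow = sorted(ns for ns in seen if ns in app_namespaces)
    review = sorted(ns for ns in seen if ns not in app_namespaces)
    return allow, review

# Constructed sample entries in the article's log format (not real traffic).
SAMPLE_LOG = [
    "2024-01-01 10:00:00 REST API request blocked. Request: /wp-json/custom/v1/data Reason: REST API disabled or IP not permitted",
    "2024-01-01 10:00:02 REST API request blocked. Request: /wp-json/wp/v2/posts?per_page=10 Reason: REST API disabled or IP not permitted",
    "2024-01-01 10:00:05 REST API request blocked. Request: /wp-json/wp/v2/comments Reason: REST API disabled or IP not permitted",
    "2024-01-01 10:00:09 REST API request blocked. Request: /wp-json/unknown/v1/export Reason: REST API disabled or IP not permitted",
    "2024-01-01 10:00:12 Login failed. IP: 203.0.113.5",
]

if __name__ == "__main__":
    allow, review = whitelist_plan(SAMPLE_LOG, {"wp/v2", "custom/v1"})
    print("Add to 'Allow access to specific namespaces':", allow)
    print("Blocked but not used by the app (leave blocked, investigate):", review)
```

The set passed as `app_namespaces` is the list of namespaces your app is documented to call; a blocked namespace that is not in it is exactly the kind of traffic the plugin should keep blocking, so it is reported separately rather than whitelisted.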
An Additional Layer: IP Whitelisting
As an extra precaution, especially if your mobile app uses predictable IP addresses (or a narrow IP range via a CDN or cloud provider), consider adding those IPs to the whitelist:
- Navigate to WP Cerber → Access List.
- Add IP addresses or CIDR ranges under White IP Access List.
This provides another layer of clearance for known, trusted traffic sources.
Lessons Learned
Managing WordPress security is always a balancing act between protection and usability. Plugins like WP Cerber offer fantastic control, but only if you understand how to configure them appropriately. For developers integrating mobile apps or third-party tools that use the REST API, here are some key takeaways:
- Always test app functionality with full security settings enabled — don’t rely solely on dev environments.
- Log and monitor all blocked REST API requests via WP Cerber to better understand how your site treats traffic.
- Use detailed whitelisting rather than disabling global protections — it's safer and more scalable in the long term.
- Update your documentation on integration points and how WP Cerber is configured, especially if multiple developers work on the project.
Conclusion: Taming the Cerberus
Despite its snarling gatekeeper personality, WP Cerber remains one of the most powerful security plugins for WordPress. The key is not to treat it as an obstacle but as a tool. By learning how to work with it — especially through precise REST API rules and Access Lists — you can enjoy top-tier protection without sacrificing functionality.
If you run a WordPress website with any sort of front-end app interaction, take the time to dive deep into your WP Cerber configuration. You’ll thank yourself — and so will your users.