Admin URL protection is available since v1.3.0. All other security features are available since v2.0.0.

GET /security

Returns the current admin URL protection status.
curl -X GET https://example.com/wp-json/wp-manager-pro/v1/security \
  -H "X-WP-Nonce: YOUR_NONCE"

Response

enabled (boolean): Whether custom admin URL protection is active.
slug (string): The configured custom login slug. Empty string if not set.
custom_url (string): The full custom login URL. Empty string if protection is disabled.
login_url (string): The standard WordPress login URL.

GET /security/overview

Returns all security feature states in a single call.
curl -X GET https://example.com/wp-json/wp-manager-pro/v1/security/overview \
  -H "X-WP-Nonce: YOUR_NONCE"

Response

admin_url_enabled (boolean): Whether custom admin URL protection is active.
admin_url_slug (string): The configured custom login slug.
custom_url (string): The full custom login URL.
login_url (string): The standard WordPress login URL.
limiter_enabled (boolean): Whether login attempt limiting is active.
limiter_threshold (integer): Number of failed attempts before a lockout is triggered.
limiter_window (integer): Time window in seconds in which failed attempts are counted.
limiter_duration (integer): Lockout duration in seconds.
lockout_count (integer): Number of currently recorded lockout log entries.
ip_blocklist_count (integer): Number of IPs in the blocklist.
xmlrpc_disabled (boolean): Whether XML-RPC is disabled.
hide_wp_version (boolean): Whether the WordPress version is hidden from public output.
tfa_enabled (boolean): Whether 2FA is active for the currently authenticated user.
wp_version (string): Current WordPress version.
wp_locale (string): Current WordPress locale.

POST /security/admin-url

Enables or updates the custom login slug. Direct access to wp-login.php is blocked once a slug is configured.
curl -X POST https://example.com/wp-json/wp-manager-pro/v1/security/admin-url \
  -H "X-WP-Nonce: YOUR_NONCE" \
  -H "Content-Type: application/json" \
  -d '{"slug": "my-secret-login"}'

Parameters

slug (string, required): The custom login URL slug. Must be at least 4 characters and must not be a reserved slug such as wp-admin, wp-login, admin, or login.

Response

success (boolean): Always true on success.
slug (string): The saved slug.
custom_url (string): The resulting full custom login URL.

DELETE /security/admin-url

Disables custom admin URL protection and restores access to the default wp-login.php.
curl -X DELETE https://example.com/wp-json/wp-manager-pro/v1/security/admin-url \
  -H "X-WP-Nonce: YOUR_NONCE"

Response

success (boolean): Always true on success.

POST /security/limiter

Saves login attempt limiter settings.
curl -X POST https://example.com/wp-json/wp-manager-pro/v1/security/limiter \
  -H "X-WP-Nonce: YOUR_NONCE" \
  -H "Content-Type: application/json" \
  -d '{"enabled": true, "threshold": 5, "window": 300, "duration": 900}'

Parameters

enabled (boolean, required): Enable or disable the login attempt limiter.
threshold (integer): Number of failed attempts before an IP is locked out. Defaults to 5.
window (integer): Time window in seconds during which failed attempts are counted. Defaults to 300.
duration (integer): Lockout duration in seconds. Defaults to 900 (15 minutes).

Response

success (boolean): Always true on success.

GET /security/lockouts

Returns the lockout log, sorted newest first.
curl -X GET https://example.com/wp-json/wp-manager-pro/v1/security/lockouts \
  -H "X-WP-Nonce: YOUR_NONCE"

Response

items (array)

DELETE /security/lockouts

Clears all lockout log entries.
This clears the entire lockout log. Previously locked-out IPs will be able to attempt logins again immediately.
curl -X DELETE https://example.com/wp-json/wp-manager-pro/v1/security/lockouts \
  -H "X-WP-Nonce: YOUR_NONCE"

Response

success (boolean): Always true on success.

POST /security/lockouts/unlock

Unlocks a specific IP address, clearing its lockout transient and removing it from the lockout log.
curl -X POST https://example.com/wp-json/wp-manager-pro/v1/security/lockouts/unlock \
  -H "X-WP-Nonce: YOUR_NONCE" \
  -H "Content-Type: application/json" \
  -d '{"ip": "203.0.113.45"}'

Parameters

ip (string, required): The IP address to unlock.

Response

success (boolean): Always true on success.

GET /security/ip-blocklist

Returns all IPs and CIDR ranges currently in the blocklist.
curl -X GET https://example.com/wp-json/wp-manager-pro/v1/security/ip-blocklist \
  -H "X-WP-Nonce: YOUR_NONCE"

Response

items (array)

POST /security/ip-blocklist

Adds an IP address or CIDR range to the blocklist. Blocked IPs receive a 403 response on all requests.
curl -X POST https://example.com/wp-json/wp-manager-pro/v1/security/ip-blocklist \
  -H "X-WP-Nonce: YOUR_NONCE" \
  -H "Content-Type: application/json" \
  -d '{"ip": "203.0.113.0/24", "note": "spam source"}'

Parameters

ip (string, required): A valid IPv4 or IPv6 address, or a CIDR range (e.g. 203.0.113.0/24).
note (string): Optional description for why this IP is blocked.

Response

success (boolean): Always true on success.
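
A pre-flight check for blocklist entries, as an added example (not the plugin's code): because blocked addresses receive a 403 on all requests, it validates the `ip` value and refuses a range that would cover the operator's own address. The function name and the `admin_ip` parameter are assumptions made for this example.

```python
import ipaddress


def preflight_block_entry(entry: str, admin_ip: str) -> str:
    """Return the normalized value to send as "ip", or raise ValueError."""
    try:
        # strict=False accepts host bits ("203.0.113.7/24") and bare
        # addresses, which become /32 (IPv4) or /128 (IPv6) networks.
        net = ipaddress.ip_network(entry.strip(), strict=False)
        admin = ipaddress.ip_address(admin_ip.strip())
    except ValueError as exc:
        raise ValueError(f"not a valid IP address or CIDR range: {exc}") from exc
    if net.prefixlen == 0:
        raise ValueError(f"{net} matches every IPv{net.version} client")
    # An IPv4 range never contains an IPv6 address (and vice versa),
    # so the self-lockout check only applies within one address family.
    if admin.version == net.version and admin in net:
        raise ValueError(f"{net} contains your own address {admin}")
    # Single hosts go out as a plain address, ranges in canonical CIDR form.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


if __name__ == "__main__":
    # Constructed inputs using documentation address ranges.
    print(preflight_block_entry("203.0.113.7/24", "198.51.100.10"))
```

Run it with the address the site sees for your own session, then pass the returned string as the `ip` field of the request above.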

DELETE /security/ip-blocklist

Removes an IP address or CIDR range from the blocklist.
curl -X DELETE https://example.com/wp-json/wp-manager-pro/v1/security/ip-blocklist \
  -H "X-WP-Nonce: YOUR_NONCE" \
  -H "Content-Type: application/json" \
  -d '{"ip": "203.0.113.0/24"}'

Parameters

ip (string, required): The IP address or CIDR range to remove.

Response

success (boolean): Always true on success.

POST /security/hardening

Saves XML-RPC and WordPress version visibility settings.
curl -X POST https://example.com/wp-json/wp-manager-pro/v1/security/hardening \
  -H "X-WP-Nonce: YOUR_NONCE" \
  -H "Content-Type: application/json" \
  -d '{"disable_xmlrpc": true, "hide_wp_version": true}'

Parameters

disable_xmlrpc (boolean): Disable XML-RPC entirely by returning a 403 response to all XML-RPC requests.
hide_wp_version (boolean): Remove the WordPress version from the generator meta tag and RSS feed.

Response

success (boolean): Always true on success.

POST /security/integrity

Runs a WordPress core file integrity check by comparing MD5 hashes against the official checksums from api.wordpress.org. Only wp-admin and wp-includes are scanned — wp-content is excluded.
curl -X POST https://example.com/wp-json/wp-manager-pro/v1/security/integrity \
  -H "X-WP-Nonce: YOUR_NONCE"

Response

version (string): The WordPress version used for the checksum lookup.
locale (string): The WordPress locale used for the checksum lookup.
checked (integer): Total number of files checked.
ok (integer): Number of files that passed the check.
clean (boolean): true if no modified or missing files were found.
modified (array)
missing (array): Relative paths of core files that are absent from disk.
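
The comparison this endpoint describes, reproduced offline as an added example (not the plugin's code): it checks files against a path-to-MD5 map and returns the same counters as the response above. The function names and the sample file tree are constructed for illustration; a real run would load the map from the official checksums instead.

```python
import hashlib
import tempfile
from pathlib import Path

SCANNED = ("wp-admin/", "wp-includes/")  # wp-content is excluded, as the page states


def md5_hex(data: bytes) -> str:
    # MD5 is used only because the published checksums are MD5.
    return hashlib.md5(data).hexdigest()


def check_core(root: Path, checksums: dict) -> dict:
    """Compare files under root with a {relative_path: md5} map."""
    modified, missing, ok = [], [], 0
    for rel, expected in sorted(checksums.items()):
        if not rel.startswith(SCANNED):
            continue
        path = root / rel
        if not path.is_file():
            missing.append(rel)
        elif md5_hex(path.read_bytes()) != expected.lower():
            modified.append(rel)
        else:
            ok += 1
    return {"checked": ok + len(modified) + len(missing), "ok": ok,
            "clean": not (modified or missing),
            "modified": modified, "missing": missing}


def demo() -> dict:
    # Constructed sample tree; these bytes stand in for a pristine release.
    pristine = {
        "wp-admin/index.php": b"<?php // dashboard\n",
        "wp-includes/version.php": b"<?php // version\n",
        "wp-includes/load.php": b"<?php // loader\n",
        "wp-content/index.php": b"<?php // silence\n",
    }
    checksums = {rel: md5_hex(body) for rel, body in pristine.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in pristine.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        (root / "wp-includes/version.php").write_bytes(b"<?php // edited\n")
        (root / "wp-includes/load.php").unlink()
        (root / "wp-content/index.php").write_bytes(b"<?php // changed\n")
        return check_core(root, checksums)
```

A comparison of this shape only visits paths named in the checksum map, so a new file dropped into wp-admin or wp-includes is not reported, and the response documented above has no field for such files. Changes under wp-content (plugins, themes, uploads) are outside the scan and need a separate check.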

GET /security/2fa

Returns the two-factor authentication (TOTP) status for the currently authenticated user.
curl -X GET https://example.com/wp-json/wp-manager-pro/v1/security/2fa \
  -H "X-WP-Nonce: YOUR_NONCE"

Response

enabled (boolean): Whether 2FA is active for this user.
has_secret (boolean): Whether a TOTP secret is stored for this user.
backup_count (integer): Number of remaining backup codes.

POST /security/2fa/setup

Generates a new TOTP secret and returns the otpauth:// URI and a QR code URL. The secret is saved as pending until verified via POST /security/2fa/verify.
curl -X POST https://example.com/wp-json/wp-manager-pro/v1/security/2fa/setup \
  -H "X-WP-Nonce: YOUR_NONCE"

Response

secret (string): The Base32-encoded TOTP secret. Display this to the user for manual entry into an authenticator app.
otp_url (string): The otpauth://totp/... URI that encodes the secret, issuer, and account.
qr_url (string): URL of a QR code image encoding the otp_url. Scan with an authenticator app.

POST /security/2fa/verify

Verifies a TOTP code from the authenticator app. On success, the pending secret is activated and a set of one-time backup codes is returned.
Backup codes are shown only once. Store them securely — they cannot be retrieved later.
curl -X POST https://example.com/wp-json/wp-manager-pro/v1/security/2fa/verify \
  -H "X-WP-Nonce: YOUR_NONCE" \
  -H "Content-Type: application/json" \
  -d '{"code": "123456"}'

Parameters

code (string, required): The 6-digit TOTP code from the authenticator app.

Response

success (boolean): Always true on success.
backup_codes (array): Array of 8 one-time backup codes shown only on this response.
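
The setup and verify steps described above, modelled as an added example (not the plugin's code): a Base32 secret is generated and held as pending, and it becomes active only after one valid 6-digit code. The 30-second step, HMAC-SHA1 and the one-step drift allowance are assumed authenticator-app defaults from RFC 6238, and the `Enrollment` class is hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP, DIGITS = 30, 6  # assumed defaults; the page only states 6 digits


def hotp(secret_b32: str, counter: int) -> str:
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, code: str, now: float, drift: int = 1) -> bool:
    """Accept the code for the current step or `drift` steps either side."""
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return False
    current = int(now) // STEP
    # Compare every candidate in constant time; never stop at the first hit.
    hits = [hmac.compare_digest(hotp(secret_b32, c), code)
            for c in range(max(0, current - drift), current + drift + 1)]
    return any(hits)


class Enrollment:
    """A pending secret becomes active only after one valid code."""

    def __init__(self):
        self.pending = self.active = None

    def setup(self, issuer: str, account: str) -> dict:
        self.pending = base64.b32encode(secrets.token_bytes(20)).decode()
        label = quote(f"{issuer}:{account}")
        url = (f"otpauth://totp/{label}?secret={self.pending}"
               f"&issuer={quote(issuer)}")
        return {"secret": self.pending, "otp_url": url}

    def verify(self, code: str, now: float) -> bool:
        if self.pending is None or not verify_totp(self.pending, code, now):
            return False
        self.active, self.pending = self.pending, None
        return True
```

This sketch does not track which codes were already accepted, so a verifier built on it should also reject reuse of a code within its validity window. Because the `otp_url` carries the secret, check which host serves `qr_url`: any server that renders the QR image sees the secret.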

DELETE /security/2fa

Disables two-factor authentication for the currently authenticated user and removes all stored secrets and backup codes.
This immediately disables 2FA. The user will no longer be prompted for a code on login.
curl -X DELETE https://example.com/wp-json/wp-manager-pro/v1/security/2fa \
  -H "X-WP-Nonce: YOUR_NONCE"

Response

success (boolean): Always true on success.
