Super Plugin Sale! Your Choice: BOGO or 30% Off »
Web Dev + WordPress + Security

Enable Contact Form 7 to Work with Disable WP REST API

My free WordPress plugin, Disable WP REST API, disables the REST API for all users who are not logged in to WordPress. So if you’re using a plugin such as Contact Form 7 that requires the REST API, it’s not going to work if Disable WP REST API is active on site. But there is a way to make it work. This quick tutorial explains how to set it up in two steps.

Note: This technique requires Disable WP REST API version 2.5 or better.

Step 1: Get the REST URIs

Open your browser’s console and visit your contact form 7. The goal here is to look at any 401 errors and get the associated URIs/paths. For example, using Firefox console while visiting and submitting the contact form shows several 401 (Unauthorized) URIs. Here is a screenshot to give you a better idea:

Screenshot of Firefox consoleExamining Firefox console while fiddling with contact form 7

To illustrate with a concrete example, here are the related REST URIs (end points) that were getting denied due to the Disable WP REST API plugin.

Important: Do not use the above REST URIs. They are just examples. Each contact form will use its own REST URIs. Use browser console to find them!

Step 2: Add REST URIs to custom code

Once you have all the REST URIs required by Contact Form 7, the next step is to add them to a whitelist, so they always will have access, even when the user is not logged in. So as it should be, any random visitor can use your contact form. To do it, add the following custom code via theme functions or simple plugin.

function disable_wp_rest_api_server_var_custom($var) { 
	return array(
add_filter('disable_wp_rest_api_server_var', 'disable_wp_rest_api_server_var_custom');

Notice that, in addition to the 3 REST URIs discovered in Step 1. We also add their “slashed” versions. So we have /.../schema and /.../schema/ (note the trailing slash). Covering both cases helps to ensure smooth operation and happy visitors :)

That’s all there is to it. Once the above code is added to your site, Contact Form 7 will work even when Disable WP REST API is active. It’s important to understand that this code will enable any/all visitors and bots to access the specified REST URIs (end points). Which is fine because they’re meant to be public in the first place.

About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
SAC Pro: Unlimited chats.

4 responses to “Enable Contact Form 7 to Work with Disable WP REST API”

  1. Hello,

    i’v noticed that Contact Form 7 :



    are in top requesting url on my cloudways server . So i’m wondering if i can disable theses urls, but maybe contact form will not working anymore. It’s something very strange, because a site with traffic make theses url are in the top requested url ? Do you have an advice about that issue ?

    • Jeff Starr 2023/04/20 9:46 pm

      Not sure, it’s not something I’ve heard of before. But if the requests are met with 404 or other error, you could block or redirect, assuming the resources aren’t needed and/or don’t exist, etc. Otherwise if the requests are for an existing, necessary resource, you would need to look at handling via other request attributes.

  2. Hi everyone,

    I’d like to share a solution I found to enable Contact Form 7 endpoints with the Disable WP REST API plugin. Simply add the code below to your theme’s functions.php file or a custom plugin. This code checks if both plugins are active and adds a filter that returns the routes of the Contact Form 7 endpoints for each form found. I hope this can help others who are experiencing issues with these two plugins. If you have any questions, feel free to ask in the comments. The code is as follows:

     * Automatically Enable Contact Form 7 Endpoints with Disable WP REST API Plugin
     * Plugin URI:
    function disable_wp_rest_api_enable_contact_form7_endpoints() {
    	$active_plugins = get_option('active_plugins');
    	// Check if the "Disable WP REST API" plugin is active
    	if (in_array('disable-wp-rest-api/disable-wp-rest-api.php', $active_plugins)
    		// Check if the "Contact Form 7" plugin is active
    		&& in_array('contact-form-7/wp-contact-form-7.php', $active_plugins)
    		// Check if the "WPCF7_ContactForm" class exists
    		&& class_exists('WPCF7_ContactForm')
    	) {
    		// If all conditions are met, add a filter to enable the Contact Form 7 endpoints
    		add_filter('disable_wp_rest_api_server_var', function () {
    			// Get all Contact Form 7 forms
    			$forms = WPCF7_ContactForm::find();
    			$form_itens = [];
    			// Loop through all forms and add their endpoints to an array
    			foreach ($forms as $form) {
    				$form_id = $form->id();
    				$form_itens[] = '/wp-json/contact-form-7/v1/contact-forms/' . $form_id . '/refill';
    				$form_itens[] = '/wp-json/contact-form-7/v1/contact-forms/' . $form_id . '/feedback';
    				$form_itens[] = '/wp-json/contact-form-7/v1/contact-forms/' . $form_id . '/feedback/schema';
    			// Return the array of endpoints
    			return $form_itens;
    add_action('after_setup_theme', 'disable_wp_rest_api_enable_contact_form7_endpoints');

    Code link.

Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
USP Pro: Unlimited front-end forms for user-submitted posts and more.
All free plugins updated and ready for WordPress 6.6 dropping next week. Pro plugin updates in the works :)
99% of video thumbnail/previews are pure cringe. Goofy faces = Clickbait.
Crazy that we’re almost halfway thru 2024.
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.