Save 25% on Wizard’s SQL for WP w/ code: WIZARDSQL
Web Dev + WordPress + Security

Enable Contact Form 7 to Work with Disable WP REST API

My free WordPress plugin, Disable WP REST API, disables the REST API for all users who are not logged in to WordPress. So if you’re using a plugin such as Contact Form 7 that requires the REST API, it’s not going to work if Disable WP REST API is active on site. But there is a way to make it work. This quick tutorial explains how to set it up in two steps.

Note: This technique requires Disable WP REST API version 2.5 or better.

Step 1: Get the REST URIs

Open your browser’s console and visit your contact form 7. The goal here is to look at any 401 errors and get the associated URIs/paths. For example, using Firefox console while visiting and submitting the contact form shows several 401 (Unauthorized) URIs. Here is a screenshot to give you a better idea:

Screenshot of Firefox consoleExamining Firefox console while fiddling with contact form 7

To illustrate with a concrete example, here are the related REST URIs (end points) that were getting denied due to the Disable WP REST API plugin.

Important: Do not use the above REST URIs. They are just examples. Each contact form will use its own REST URIs. Use browser console to find them!

Step 2: Add REST URIs to custom code

Once you have all the REST URIs required by Contact Form 7, the next step is to add them to a whitelist, so they always will have access, even when the user is not logged in. So as it should be, any random visitor can use your contact form. To do it, add the following custom code via theme functions or simple plugin.

function disable_wp_rest_api_server_var_custom($var) { 
	return array(
add_filter('disable_wp_rest_api_server_var', 'disable_wp_rest_api_server_var_custom');

Notice that, in addition to the 3 REST URIs discovered in Step 1. We also add their “slashed” versions. So we have /.../schema and /.../schema/ (note the trailing slash). Covering both cases helps to ensure smooth operation and happy visitors :)

That’s all there is to it. Once the above code is added to your site, Contact Form 7 will work even when Disable WP REST API is active. It’s important to understand that this code will enable any/all visitors and bots to access the specified REST URIs (end points). Which is fine because they’re meant to be public in the first place.

Jeff Starr
About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
The Tao of WordPress: Master the art of WordPress.

Leave a reply

Name and email required. Email kept private. Basic markup allowed. Please wrap any small/single-line code snippets with <code> tags. Wrap any long/multi-line snippets with <pre><code> tags. For more info, check out the Comment Policy and Privacy Policy.

Subscribe to comments on this post

Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
.htaccess made easy: Improve site performance and security.
Daylight savings is a complete waste of time and needs to be eliminated.
Got a couple of snow days here in mid-March. Fortunately it's not sticking.
I handle all email in real time as it comes in, perpetually clear inbox for years now.
Added some nice features to Wutsearch search engine launchpad. Now 21 engines!
.wp TLD plz :)
Nice collection of free SEO APIs and user-agent lookups for Googlebot, Bingbot, Applebot, YandexBot, and more.
90% of online customer support is just explaining how to do basic troubleshooting.
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.