How WP Cerber REST API Blocking Prevented My Mobile App From Syncing and the Whitelist Rules That Restored Functionality

I love tinkering with mobile apps and WordPress. So when I built a simple mobile app to talk to my WordPress site, I expected smooth sailing. Instead, I hit a wall—my app stopped syncing right after I installed WP Cerber for added website security.

TLDR: My mobile app couldn’t sync with my WordPress site because WP Cerber was blocking all REST API calls. It thought the app was suspicious. The solution? Create whitelist rules to allow specific API routes and IP addresses. Quick fix, huge relief!

What the Heck Is the REST API?

The WordPress REST API is like a waiter for your site. When apps or programs make requests—like “give me all posts” or “submit this comment”—the REST API delivers. It connects your app to your website’s database and lets them talk safely.

My mobile app used the REST API to get blog posts and post user data—totally normal stuff. But WP Cerber thought something fishy was going on.

Enter WP Cerber, the Bodyguard

I installed WP Cerber to make my site safer. It blocks bots, hacks, spam, and all sorts of nasties. One of its powerful features is REST API protection. It blocks any REST API traffic that doesn’t follow its rules.

That’s great for security. But in my case, it locked the door on my app without telling it why.

The result? The app couldn’t fetch any posts. Sync failed. Nothing worked.

Detective Mode: Finding the Culprit

I checked my app. No error messages there, just broken functions. Then I logged into WordPress and opened WP Cerber’s activity log. Boom. Lots of REST API requests marked “Denied – REST API disabled.”

Busted! WP Cerber was rejecting my app’s every move.

Why Was It Blocked?

  • WP Cerber disables REST API access by default for non-logged-in users.
  • My app was sending requests anonymously—it wasn’t logged in.
  • Requests were flagged as “unauthorized.”

Now I knew what was wrong. The question was: how do I fix it without turning off WP Cerber entirely?

Whitelisting to the Rescue

This is where WP Cerber’s whitelist rules come into play. They act like VIP passes. You tell WP Cerber: “Hey, this route or this IP is cool, don’t block it.”

And that’s what I did. I added two types of whitelist entries:

1. Whitelist the IP Address

First, I found the IP address my app was using to call the API.

  1. I checked the server logs and found the repeating IP.
  2. I went to WP Cerber > Access Lists.
  3. In the Whitelist section, I entered the IP and a note like “Mobile App.”

Done! All traffic from that IP would now get a green light.

2. Whitelist Specific API Routes

Some versions of WP Cerber let you whitelist REST API paths. Here’s how I did it:

  1. Go to WP Cerber > Security Rules.
  2. Find the section called REST API.
  3. Look for “Allow REST API requests to these namespaces.”
  4. Add paths like myapp/v1, which is the namespace my app used.

That told WP Cerber my app’s requests were valid and should not be blocked.

Note: If you’re not sure what namespace your app uses, look at the URL it calls. It’ll be something like:

https://yoursite.com/wp-json/myapp/v1/posts

In this case, “myapp/v1” is the namespace.
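
An added example (not from the original post or from WP Cerber): a short Python script that combines the two lookups above, reading web server access-log lines to see which client IPs call which REST namespaces, so the whitelist can stay as narrow as possible. The log lines are constructed samples and the function names are hypothetical. It assumes the combined log format and that the namespace is the first two route segments, and it also handles the ?rest_route= URL form WordPress uses when pretty permalinks are off.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /wp-json/myapp/v1/posts HTTP/1.1" 403 153 "-" "MyApp/1.0"
203.0.113.7 - - [12/May/2024:10:01:05 +0000] "POST /wp-json/myapp/v1/profile HTTP/1.1" 403 153 "-" "MyApp/1.0"
203.0.113.7 - - [12/May/2024:10:02:11 +0000] "GET /?rest_route=/myapp/v1/posts&page=2 HTTP/1.1" 403 153 "-" "MyApp/1.0"
198.51.100.23 - - [12/May/2024:10:03:40 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 403 153 "-" "curl/8.0"
198.51.100.23 - - [12/May/2024:10:03:41 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "curl/8.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def rest_namespace(target):
    """Return 'vendor/version' for a REST request target, or None."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        route = parts.path[len("/wp-json"):]
    else:
        # Plain-permalink form: /?rest_route=/myapp/v1/posts
        route = parse_qs(parts.query).get("rest_route", [None])[0]
    if not route:
        return None
    segments = [s for s in route.split("/") if s]
    # Assumption: the namespace is the first two segments (vendor/version).
    return "/".join(segments[:2]) if len(segments) >= 2 else None

def summarize(log_text):
    """Count REST requests per (client IP, namespace, status code)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, target, status = m.groups()
        ns = rest_namespace(target)
        if ns:
            counts[(ip, ns, status)] += 1
    return counts

if __name__ == "__main__":
    for (ip, ns, status), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:15} {ns:10} status={status} requests={n}")
```

Pass the text of your own access log to summarize(); any namespace or IP in the output that you don’t recognise is one to leave blocked rather than whitelist.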

Testing, Testing

After making these whitelist entries, I crossed my fingers and re-opened the app.

It worked! Posts loaded. Data synced. No more blocks.

WP Cerber stopped fighting my app and started playing nice. Security was still up, but with a smart exception for my app.

Pro Tips I Learned Along the Way

  • Don’t panic if something breaks. WP Cerber logs everything, so use those logs!
  • Name your whitelist entries clearly like “App REST IP” so you remember why they’re there later.
  • Avoid 0.0.0.0 entries—be specific. Only whitelist trusted IPs or narrow API namespaces.
  • Use tokens or app-level login if possible. That way, your app behaves more like a trusted user.

Bonus Fix: Enable REST API for Logged-Out Users

If you’re okay relaxing some rules, you can do one more thing:

  1. Go to WP Cerber > Hardening.
  2. Look for: Disable REST API.
  3. Set it to “Only for logged-in users”.

This’ll let REST API traffic through without needing to log in—helpful for public apps.

But be warned: It may expose more of your site than you intend. Balance it with care.

Would I Still Use WP Cerber?

Absolutely! It’s packed with strong security features. Just be ready to tinker when something doesn’t work right away.

Think of WP Cerber like a highly trained guard dog—it just needs to learn who your friends are!

The Final Word

Building your own apps and connecting them to WordPress is super fun. But security tools like WP Cerber can throw unexpected hiccups your way.

If your mobile app stops syncing, don’t assume it’s broken. Check if something is blocking it—like REST API restrictions.

And now that you know how to whitelist safely, you can have both security and functionality.

Go build cool stuff, and don’t forget to pet the guard dog.