Enable Contact Form 7 to Work with Disable WP REST API

Updated March 21, 2025 • 4 comments

My free WordPress plugin, Disable WP REST API, disables the REST API for all users who are not logged in to WordPress. So if you’re using a plugin such as Contact Form 7 that requires the REST API, it’s not going to work if Disable WP REST API is active on site. But there is a way to make it work. This quick tutorial explains how to set it up in two steps.

Note: This “fix” technique no longer is required for Contact Form 7 (version 6 or better) and Disable REST API (any version). Check out the latest update on this post for details. The information contained below is for older versions and reference purposes only.

Note: This technique requires Disable WP REST API version 2.5 or better.

Step 1: Get the REST URIs

Open your browser’s console and visit your contact form 7. The goal here is to look at any 401 errors and get the associated URIs/paths. For example, using Firefox console while visiting and submitting the contact form shows several 401 (Unauthorized) URIs. Here is a screenshot to give you a better idea:

Examining Firefox console while fiddling with contact form 7

To illustrate with a concrete example, here are the related REST URIs (end points) that were getting denied due to the Disable WP REST API plugin.

/wp-json/contact-form-7/v1/contact-forms/1757/refill
/wp-json/contact-form-7/v1/contact-forms/1757/feedback
/wp-json/contact-form-7/v1/contact-forms/1757/feedback/schema

Important: Do not use the above REST URIs. They are just examples. Each contact form will use its own REST URIs. Use browser console to find them!

Step 2: Add REST URIs to custom code

Once you have all the REST URIs required by Contact Form 7, the next step is to add them to a whitelist, so they always will have access, even when the user is not logged in. So as it should be, any random visitor can use your contact form. To do it, add the following custom code via theme functions or simple plugin.

function disable_wp_rest_api_server_var_custom($var) { 
	
	return array(
		'/wp-json/contact-form-7/v1/contact-forms/1757/refill',
		'/wp-json/contact-form-7/v1/contact-forms/1757/refill/',
		'/wp-json/contact-form-7/v1/contact-forms/1757/feedback', 
		'/wp-json/contact-form-7/v1/contact-forms/1757/feedback/', 
		'/wp-json/contact-form-7/v1/contact-forms/1757/feedback/schema', 
		'/wp-json/contact-form-7/v1/contact-forms/1757/feedback/schema/'
	); 
	
}
add_filter('disable_wp_rest_api_server_var', 'disable_wp_rest_api_server_var_custom');

Notice that, in addition to the 3 REST URIs discovered in Step 1. We also add their “slashed” versions. So we have /.../schema and /.../schema/ (note the trailing slash). Covering both cases helps to ensure smooth operation and happy visitors :)

That’s all there is to it. Once the above code is added to your site, Contact Form 7 will work even when Disable WP REST API is active. It’s important to understand that this code will enable any/all visitors and bots to access the specified REST URIs (end points). Which is fine because they’re meant to be public in the first place.

About the Author

Jeff Starr = Creative thinker. Passionate about free and open Web.

4 responses to “Enable Contact Form 7 to Work with Disable WP REST API”

dimitri 2023/04/19 4:27 am

Hello,

i’v noticed that Contact Form 7 :

/wp-json/contact-form-7/v1/

etc

are in top requesting url on my cloudways server . So i’m wondering if i can disable theses urls, but maybe contact form will not working anymore. It’s something very strange, because a site with traffic make theses url are in the top requested url ? Do you have an advice about that issue ?
thanks

Jeff Starr 2023/04/20 9:46 pm • Post Author

Not sure, it’s not something I’ve heard of before. But if the requests are met with 404 or other error, you could block or redirect, assuming the resources aren’t needed and/or don’t exist, etc. Otherwise if the requests are for an existing, necessary resource, you would need to look at handling via other request attributes.

Ivan Petermann 2023/04/28 10:57 am

Hi everyone,

I’d like to share a solution I found to enable Contact Form 7 endpoints with the Disable WP REST API plugin. Simply add the code below to your theme’s functions.php file or a custom plugin. This code checks if both plugins are active and adds a filter that returns the routes of the Contact Form 7 endpoints for each form found. I hope this can help others who are experiencing issues with these two plugins. If you have any questions, feel free to ask in the comments. The code is as follows:

/**
 * Automatically Enable Contact Form 7 Endpoints with Disable WP REST API Plugin
 * Plugin URI: https://wordpress.org/plugins/disable-wp-rest-api/
 */
function disable_wp_rest_api_enable_contact_form7_endpoints() {
	$active_plugins = get_option('active_plugins');
	// Check if the "Disable WP REST API" plugin is active
	if (in_array('disable-wp-rest-api/disable-wp-rest-api.php', $active_plugins)
		// Check if the "Contact Form 7" plugin is active
		&& in_array('contact-form-7/wp-contact-form-7.php', $active_plugins)
		// Check if the "WPCF7_ContactForm" class exists
		&& class_exists('WPCF7_ContactForm')
	) {
		// If all conditions are met, add a filter to enable the Contact Form 7 endpoints
		add_filter('disable_wp_rest_api_server_var', function () {
			// Get all Contact Form 7 forms
			$forms = WPCF7_ContactForm::find();
			$form_itens = [];
			// Loop through all forms and add their endpoints to an array
			foreach ($forms as $form) {
				$form_id = $form->id();
				$form_itens[] = '/wp-json/contact-form-7/v1/contact-forms/' . $form_id . '/refill';
				$form_itens[] = '/wp-json/contact-form-7/v1/contact-forms/' . $form_id . '/feedback';
				$form_itens[] = '/wp-json/contact-form-7/v1/contact-forms/' . $form_id . '/feedback/schema';
			}
			// Return the array of endpoints
			return $form_itens;
		});
	}
}
add_action('after_setup_theme', 'disable_wp_rest_api_enable_contact_form7_endpoints');

Code link.

Jeff Starr 2023/04/28 11:27 am • Post Author

Nice, thanks for sharing Ivan.

Comments are closed for this post. Something to add? Let me know.