How to disable WordPress REST API



WordPress is one of the most popular content management systems which allows you to create websites, and it is one of the ways to create a website for free.

It is very easy to disable WordPress REST API.

What is WordPress REST API?

The WordPress REST API is an application programming interface that lets developers interact with WordPress by making HTTP requests.

A REST API allows two or more applications to talk with each other and share data back and forth.

The WordPress REST API helps developers create and manage plugins, as well as create single-page applications.

If you are a developer and interested in it, visit https://developer.wordpress.org/rest-api/

Why would you want to disable it?

You can easily access the REST API of any WordPress website at the link below:

http://yoursite.com/wp-json/wp/v2

It is advisable to disable the WordPress REST API if you are not using it publicly. It exposes information about the users of your WordPress website, such as usernames, along with all the public information about your WordPress website.

You can log in and change settings to display a different name in the API data, but most people don’t do it, nor do they have any idea that whatever username they chose can be viewed publicly.

Because of that, it can easily lead to a brute-force attack on your website, in which an attacker tries to guess your password by repeatedly trying to log in to the admin panel programmatically.

Here I have written two ways you could disable WordPress REST API public access.

1. With Plugin

I would recommend this way if you are using a theme that is made or managed by a third party.

It is very easy to do with a plugin. Log in to your WordPress website admin panel, click on Plugins and then click on the Add New button.

Search plugins with the term “disable rest api”. It will show you the available plugins.

Here I’m using the first shown plugin, by Dave McHale. Click on the Install Now button and then activate it. This plugin disables the REST API as soon as you install and activate it.
Click on Plugins. It should now list the “Disable REST API” plugin there; click on Settings for it.

It allows you to manage the REST API access as you want.

2. Without Plugin

You can use this option if you are the developer of your own theme, or if you update your theme programmatically without relying on someone else for theme updates.

This is fairly easy to do. Open the wp-content/themes/whatever-theme-you-are-using folder and open the functions.php file in a text editor.

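// Require a logged-in user for every REST API request.
add_filter('rest_authentication_errors', function($result){
    // An earlier authentication check already produced a result; pass it through.
    if(!empty($result)){
        return $result;
    }
    // Anonymous request: reject it with HTTP 401.
    if(!is_user_logged_in()){
        return new WP_Error('rest_unauthenticated', 'Unauthenticated.', array('status' => 401));
    }
    // Logged-in user: leave the result unchanged.
    return $result;
});

Copy and paste the code into the functions.php file, at the end of the file after the code which is already there.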

And that is it!
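To confirm the change took effect on a site you administer, the following added example (not part of the original article) classifies the anonymous response from the users route before and after the filter is in place. The /wp-json/wp/v2/users path, the function names and the two sample responses are assumptions constructed for illustration.

```python
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Classify one anonymous REST response as 'blocked', 'open' or 'unknown'.

    Returns (state, slugs); slugs lists the user slugs the response reveals.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return ("unknown", [])  # not JSON, e.g. an HTML error page
    # The filter above answers with a WP_Error serialized as a JSON object.
    if status in (401, 403) and isinstance(data, dict) and "code" in data:
        return ("blocked", [])
    # An open users route answers 200 with a JSON array of user objects.
    if status == 200 and isinstance(data, list):
        slugs = [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]
        return ("open", slugs)
    return ("unknown", [])


def check_site(base_url, timeout=10):
    """Request the users route without credentials from your own site."""
    url = base_url.rstrip("/") + "/wp-json/wp/v2/users"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 4xx responses raise HTTPError; the JSON body is still readable.
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real site).
BEFORE = (200, '[{"id":1,"name":"Site Admin","slug":"admin"},'
               '{"id":2,"name":"Jane","slug":"jane"}]')
AFTER = (401, '{"code":"rest_unauthenticated","message":"Unauthenticated.",'
              '"data":{"status":401}}')

if __name__ == "__main__":
    print("before filter:", classify(*BEFORE))
    print("after filter: ", classify(*AFTER))
```

Call check_site("http://yoursite.com") from a machine that is not logged in to the site; a result of "open" means the filter is not active.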

Hope this article helped you and let us know in the comments if you think there is a better way to do the same.


About Parth

I'm the founder & CEO of DigitalSitara. A software development company with customers in mind. I have been developing all different kinds of software for the past 7 years. I love programming, music, and food.
