Disabling the WordPress JSON REST API can be achieved through a few different methods, depending on your specific needs and WordPress setup. Here are some common approaches:
Disable REST API by using a plugin
The simplest way to disable the REST API is by using a WordPress plugin designed for this purpose. Plugins like “Disable REST API” can be installed directly from the WordPress plugin repository and provide an easy-to-use interface for managing REST API access. This is one of the plugins that I use on many sites where I can’t or don’t want to edit the code.
Disable REST API without using a plugin
Add the following code to the functions.php file in your theme or in the base file of a custom plugin.
/**
 * Disable REST API for non-logged users.
 *
 * Runs on the rest_authentication_errors filter, which WordPress evaluates for
 * every REST request, whether it arrives as /wp-json/... or as /?rest_route=...
 *
 * @param WP_Error|null|true $access Result of the authentication checks that ran before this one.
 *
 * @return mixed|WP_Error
 */
function zerowp_disable_rest_api($access)
{
    // Authenticated requests (cookie + nonce, application password, ...) pass through unchanged.
    if (is_user_logged_in()) {
        return $access;
    }
    $errorMessage = 'REST API is disabled!';
    // No earlier error: create one. The status is 401 for anonymous requests.
    if (!is_wp_error($access)) {
        return new WP_Error(
            'rest_api_disabled',
            $errorMessage, [
                'status' => rest_authorization_required_code(),
            ]);
    }
    // An earlier check already failed: keep its error and add ours to it.
    $access->add(
        'rest_api_disabled',
        $errorMessage, [
            'status' => rest_authorization_required_code(),
        ]);
    return $access;
}
add_filter('rest_authentication_errors', 'zerowp_disable_rest_api', 99);
This code snippet restricts REST API access to authenticated users only: anonymous clients receive a JSON error with HTTP status 401 instead of data, while logged-in users (and the block editor, which calls the API with a nonce) keep working. Because the check runs inside WordPress, it covers both URL forms of the API, the pretty-permalink form (/wp-json/...) and the query-string form (/?rest_route=...). Anything on the front end that calls the API anonymously, such as a form plugin or an AJAX search, will stop working, so test those after adding it. You can modify it to completely disable the REST API by removing the is_user_logged_in() check, but that also breaks the block editor and other dashboard features that depend on the API.
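The snippet above is all-or-nothing for anonymous clients. The following variant, an added example rather than the article's code, keeps an explicit allowlist of public routes reachable (so a front-end form or search box keeps working) while everything else, including /wp/v2/users, stays closed to anonymous requests. The allowlisted prefixes, the example_ function names and the constant name are assumptions for illustration; replace them with the routes your site actually exposes.

```php
<?php
/**
 * Added example, not the article's own snippet: block anonymous REST requests
 * except for an explicit allowlist of public routes. Goes in functions.php or a
 * small plugin. The prefixes and the example_ names are illustrative assumptions.
 */

// Route prefixes anonymous clients may still call. Assumed for illustration.
const EXAMPLE_PUBLIC_REST_PREFIXES = [
    '/contact-form-7/', // form submissions posted from the front end
    '/wp/v2/search',    // theme search box
];

/**
 * Route being requested, normalised to a leading slash, e.g. "/wp/v2/users".
 * WordPress fills query_vars['rest_route'] for both URL forms
 * (/wp-json/wp/v2/users and /?rest_route=/wp/v2/users), so both are covered.
 */
function example_current_rest_route() {
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route']
        : '';
    return '/' . ltrim( $route, '/' );
}

// True when the route starts with one of the allowlisted prefixes.
function example_route_is_public( $route ) {
    foreach ( EXAMPLE_PUBLIC_REST_PREFIXES as $prefix ) {
        if ( strpos( $route, $prefix ) === 0 ) {
            return true;
        }
    }
    return false;
}

/**
 * @param WP_Error|null|true $access Result of the authentication checks that ran earlier.
 * @return WP_Error|null|true
 */
function example_restrict_rest_api( $access ) {
    // An earlier check already failed (bad nonce, bad application password): keep its error.
    if ( is_wp_error( $access ) ) {
        return $access;
    }

    // Authenticated by cookie + nonce, application password, or another auth plugin.
    if ( is_user_logged_in() ) {
        return $access;
    }

    // Anonymous, but the route is on the allowlist.
    if ( example_route_is_public( example_current_rest_route() ) ) {
        return $access;
    }

    return new WP_Error(
        'rest_api_disabled',
        'The REST API is restricted to authenticated users.',
        [ 'status' => rest_authorization_required_code() ] // 401 for anonymous requests
    );
}

// Priority 101: run after WordPress's own cookie/nonce check (priority 100), so a
// browser that has a login cookie but sends no nonce has already been treated as
// anonymous by the time is_user_logged_in() is consulted here.
add_filter( 'rest_authentication_errors', 'example_restrict_rest_api', 101 );
```

Keep the allowlist as short as possible and prefer whole namespaces registered by a specific plugin over broad prefixes such as /wp/v2/; every entry is a route anonymous clients can enumerate and call.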
Disable REST API using the .htaccess rules
If you have access to your server’s .htaccess file, you can add rules to it to disable the REST API. This method is more technical and is recommended for advanced users. Here’s an example of what you might add to your .htaccess file:
# Disable WordPress JSON API
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Matches /wp-json and everything beneath it; [F] returns 403 and stops rewriting.
    RewriteRule ^wp-json(/|$) - [F]
</IfModule>
This rule returns 403 Forbidden for every request to the wp-json path. Two caveats before relying on it: the web server cannot tell a logged-in user from a visitor, so the block applies to everyone, including the block editor in the dashboard, which loads its content through /wp-json/; and it only covers the pretty-permalink form of the API. The same endpoints are also reachable through the query-string form (/?rest_route=/wp/v2/users), which this rule does not match, so on its own it does not disable the REST API. Place custom rules above the “# BEGIN WordPress” block, because WordPress rewrites that block itself.
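The following is an added example, not the article's rule, that closes both gaps: it returns 403 for the /wp-json/ form and for the ?rest_route= form, but lets requests that carry a WordPress login cookie through so the block editor keeps working. It assumes WordPress is installed at the site root (the rule paths have no directory prefix) and that the block is placed above the “# BEGIN WordPress” section.

```apache
# Added example, not the article's rule. Returns 403 for both URL forms of the
# REST API, /wp-json/... and /?rest_route=..., unless the request carries a
# WordPress login cookie. Assumes WordPress lives at the site root and that this
# block sits above the "# BEGIN WordPress" section, which WordPress rewrites.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Requests that present a login cookie skip the two blocking rules below.
    # Cookie presence is only a pre-filter: WordPress still validates the cookie
    # and requires a nonce, so a forged cookie gains nothing beyond reaching PHP.
    RewriteCond %{HTTP_COOKIE} wordpress_logged_in_ [NC]
    RewriteRule ^ - [S=2]

    # Pretty-permalink form: /wp-json and anything beneath it.
    RewriteRule ^wp-json(/|$) - [F]

    # Query-string form, which works even with pretty permalinks disabled.
    RewriteCond %{QUERY_STRING} (^|&)rest_route= [NC]
    RewriteRule ^ - [F]
</IfModule>
```

Check both forms after saving, for example with curl -s -o /dev/null -w '%{http_code}' against https://example.com/wp-json/ and https://example.com/?rest_route=/wp/v2/users (example.com is a placeholder); both should return 403 without a login cookie. The skip rule only checks that a cookie named wordpress_logged_in_* exists; authentication itself still happens in WordPress, so the functions.php approach remains the one that enforces the login.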
Disable REST API by editing the NGINX config file
To disable the WordPress JSON REST API in an environment using Nginx, you will need to modify your Nginx configuration file. This approach is more technical and is recommended for those who have administrative access and are familiar with server configuration.
First, locate the Nginx configuration file. It is usually named nginx.conf, or it could be a site-specific file in the /etc/nginx/sites-available/ directory. The exact location might vary depending on your server setup. Once you have located it, edit it by adding the following:
server {
    # ... other configuration ...

    location ~ ^/wp-json/ {
        deny all;
        return 403;
    }

    # ... other configuration ...
}
This configuration will block access to any URL that starts with /wp-json/, which is the pretty-permalink prefix of the WordPress REST API. return 403 is evaluated in Nginx’s rewrite phase, before access rules, so it is what actually produces the 403 Forbidden response; deny all would give the same result on its own and is redundant next to it. As with the .htaccess rule, this block applies to every client, logged-in users and the block editor included, and it does not cover the query-string form of the API (/?rest_route=/wp/v2/users), which still reaches WordPress.
After editing the configuration file, it’s good practice to test the configuration for any syntax errors. You can do this by running:
nginx -t
This command will let you know if there are any syntax errors in your configuration files.
If the configuration test is successful, you need to reload Nginx to apply the changes. This can typically be done with the following command:
systemctl reload nginx # or...
service nginx reload # or something else. It depends how your server is configured...
After reloading Nginx, it’s a good idea to verify that the REST API is indeed disabled. Try accessing http://siteurl.com/wp-json/ from a browser or using a tool like curl. You should receive a 403 Forbidden response. Check the query-string form as well (http://siteurl.com/?rest_route=/wp/v2/users); if that still returns JSON, the API is not disabled, only the pretty-permalink path is.
This is a more complicated step and I recommend leaving it to a specialist who is familiar with Nginx configuration.
Disable REST API by using a security plugin
Many WordPress security plugins have features to disable or restrict access to the WordPress REST API. If you are already using a security plugin, check its settings to see if this feature is available.
I’m not going to recommend any plugins here, because I don’t know which one is good for this task.
Hopefully, you found something that fits your needs.
FAQ: Disabling the WordPress REST API
What is the WordPress REST API?
The REST API is a system that allows developers to interact with WordPress sites over HTTP. Its infrastructure has been part of WordPress core since version 4.4, and the content endpoints (posts, pages, users, media and so on, under the wp/v2 namespace) since version 4.7. It provides a standardized way for external applications, and for the block editor itself, to read and manage WordPress data.
Why would I want to disable the REST API?
Here’s why you might consider disabling it:
Performance: If you aren’t using plugins or features that rely on the REST API, it can add unnecessary overhead and slightly impact performance.
Security: The API is generally well maintained, but it exposes an attack surface to anonymous clients: the /wp/v2/users endpoint lists the accounts of users with published posts, which helps an attacker enumerate usernames for password guessing, and every plugin that registers its own routes adds code that is reachable without logging in. Restricting the API to logged-in users removes that anonymous surface while keeping the dashboard working.
How can I disable the WordPress REST API?
The methods above fall into two groups:
Using a plugin: Plugins like “Disable REST API”, and many security plugins, offer a simple interface to disable the API with a few clicks, ideal for less technically inclined users.
Adding code or configuration: The blog post provides a code snippet to add to your theme’s functions.php file or a custom plugin for those comfortable editing code, plus .htaccess and Nginx rules for blocking the API at the web server. Note that the web-server rules block everyone, including logged-in users, whereas the PHP snippet only blocks anonymous requests.
Will disabling the REST API break anything on my site?
It’s crucial to test thoroughly after disabling the rest API. Some plugins might rely on it. Popular ones that could be affected include:
- WordPress Popular Posts (for view count functionality)
- Disqus Comment Sync
Should I disable the REST API for logged-in users?
Generally, it’s not recommended. The REST API is essential for the functionality of the block editor (Gutenberg) and many administrative features in the WordPress dashboard.