How to Disable WP REST API: A Beginner’s Guide
WordPress is a powerful and versatile platform that allows you to create stunning websites and blogs. One of the features that makes WordPress so flexible is the WP REST API, which stands for WordPress Representational State Transfer Application Programming Interface.
The WP REST API is an interface that lets you access and manipulate WordPress data from outside the WordPress installation itself. For example, you can use the WP REST API to create a mobile app, a custom dashboard, or a headless CMS that uses WordPress as the backend.
However, not everyone needs or wants to use the WP REST API. In some cases, you might want to disable it for security, performance, or privacy reasons. For instance, you might want to prevent unauthorized access to your WordPress data, reduce server load, or comply with data protection regulations.
In this blog post, we will show you how to disable WP REST API completely or partially using different methods. We will also explain the pros and cons of each method and help you choose the best one for your situation.
How to Disable WP REST API?
Method 1: Using a Plugin
One of the easiest ways to disable WP REST API is to use a plugin. There are several plugins that can help you do this, such as:
- Disable REST API: This plugin disables the WP REST API for all users who are not logged in. It also removes the REST API link tag from the site header and the HTTP response headers.
- Disable WP REST API: This plugin does one thing: disables the WP REST API for visitors who are not logged into WordPress. No configuration required.
- WP Hardening: This plugin is a comprehensive security solution that includes disabling the WP REST API as one of its features. You can also use it to harden other aspects of your WordPress site, such as file permissions, database security, and login security.
To use any of these plugins, you need to install and activate them from your WordPress dashboard. Then, you need to configure them according to your preferences.
The main advantage of using a plugin is that it is very easy and convenient. You don't need to write any code or modify any files. You can also switch between different plugins if you want to try different features or settings.
The main disadvantage of using a plugin is that it might not be compatible with some themes or plugins that rely on the WP REST API. It might also introduce some bugs or conflicts with other plugins. Moreover, using a plugin adds some overhead to your site performance and maintenance.
Method 2: Using Code Snippets
Another way to disable WP REST API is to use code snippets in your functions.php file or a custom plugin. This method requires some basic coding skills and access to your WordPress files via FTP or cPanel.
There are different code snippets that can disable WP REST API for all users, specific users, or specific endpoints. Here are some examples:
- To disable WP REST API for all users except administrators, you can use this code snippet:
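add_filter( 'rest_authentication_errors', function( $result ) {
    // Keep any error or success value set by an earlier authentication check.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // manage_options is an administrator capability; every other user,
    // logged in or not, gets an error (editors and authors lose the block editor).
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'You are not allowed to access the WP REST API.', array( 'status' => rest_authorization_required_code() ) );
    }
    return $result;
});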
- To disable WP REST API for specific endpoints, such as posts or comments, you can use this code snippet:
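add_filter( 'rest_endpoints', function( $endpoints ) {
    // Route prefixes to remove. Matching by prefix also removes sub-routes such as
    // /wp/v2/posts/(?P<id>[\d]+), which an exact-key unset() would leave registered.
    $blocked = array( '/wp/v2/posts', '/wp/v2/comments' );
    foreach ( array_keys( $endpoints ) as $route ) {
        foreach ( $blocked as $prefix ) {
            if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
                unset( $endpoints[ $route ] );
            }
        }
    }
    return $endpoints;
});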
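- To disable WP REST API completely on WordPress versions before 4.7, you can use this code snippet. The rest_enabled filter has been deprecated since WordPress 4.7 and no longer switches the API off there, so on current versions use the rest_authentication_errors snippet above instead:
// Deprecated since WordPress 4.7: only older versions honor this filter.
add_filter( 'rest_enabled', '__return_false' );
// Turns off JSONP responses from the REST API.
add_filter( 'rest_jsonp_enabled', '__return_false' );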
You can add these code snippets to your functions.php file or a custom plugin. To create a custom plugin, you need to create a folder in your wp-content/plugins directory and name it anything you want. Then, you need to create a PHP file with the same name as the folder and add the following header:
<?php
/*
Plugin Name: Disable WP REST API
Description: A custom plugin to disable WP REST API
Version: 1.0
Author: Your Name
*/
Then, you can add the code snippets below the header and save the file. Finally, you need to activate the plugin from your WordPress dashboard.
The main advantage of using code snippets is that it gives you more flexibility and control over the WP REST API settings. You can disable it completely or partially, depending on your needs. You can also customize the response code and message for unauthorized requests.
The main disadvantage of using code snippets is that it requires some coding skills and access to your WordPress files. You also need to be careful not to make any mistakes or errors that could break your site. Moreover, you need to update your code snippets whenever WordPress updates its WP REST API.
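A route-aware variant of the snippets above, as an added example that is not part of the original post: it keeps the REST API open to logged-in users and lets anonymous visitors reach only an allowlist of route prefixes. The two prefixes shown are assumptions; replace them with the routes your site must expose publicly.

```php
<?php
// Added example (not from the original post). The allowlist entries below are
// assumptions; replace them with the routes your own site needs to keep public.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Respect a response already set by another plugin or filter.
    if ( null !== $result ) {
        return $result;
    }
    // Logged-in users keep full access so the block editor keeps working.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Route prefixes anonymous visitors may still call (hypothetical list).
    $public_prefixes = array(
        '/oembed/1.0',        // oEmbed responses for embeds of your posts
        '/contact-form-7/v1', // example: a form plugin's submission routes
    );
    $route = $request->get_route();
    foreach ( $public_prefixes as $prefix ) {
        // Match the prefix itself or anything below it, never a look-alike
        // such as /oembed/1.0-evil.
        if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
            return $result;
        }
    }
    // Everything else, including the /wp-json/ index and /wp/v2/users,
    // is refused for anonymous requests.
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to access the WP REST API.',
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

Because the check reads the route from the request object, it applies equally to /wp-json/... URLs and to ?rest_route=... URLs.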
Method 3: Using .htaccess File
A third way to disable WP REST API is to use the .htaccess file in your WordPress root directory. This method requires access to your WordPress files via FTP or cPanel.
The .htaccess file is a configuration file that controls how your web server handles requests to your site. You can use it to block WP REST API requests from all sources or specific sources. Here are some examples:
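- To block WP REST API requests from all sources, you can use this .htaccess rule:
<IfModule mod_rewrite.c>
RewriteEngine On
# /wp-json/... is the pretty-permalink form of the API URL.
RewriteCond %{REQUEST_URI} ^/wp-json(/|$) [NC,OR]
# ?rest_route=/... reaches the same API without /wp-json/ in the path.
RewriteCond %{QUERY_STRING} (^|&)rest_route= [NC]
RewriteRule .* - [F,L]
</IfModule>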
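- To block WP REST API requests from everyone except specific sources, such as a domain or an IP address, you can use this .htaccess rule:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json(/|$) [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)rest_route= [NC]
# Block unless the Referer is example.com AND the client IP is the listed one.
# The Referer header is set by the client, so treat it as a hint, not as access control.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC,OR]
# 203.0.113.10 is a placeholder address; replace it with your own.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule .* - [F,L]
</IfModule>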
You can add these .htaccess rules to your existing .htaccess file or create a new one if you don't have one. To create a new one, you need to create a blank text file and name it .htaccess. Then, you need to upload it to your WordPress root directory via FTP or cPanel.
The main advantage of using the .htaccess file is that it is very simple and effective. You don't need to install any plugins or write any code. You can also block WP REST API requests at the server level, which improves your site security and performance.
The main disadvantage of using the .htaccess file is that it might not work on some web servers or hosting providers. It might also interfere with some themes or plugins that rely on the WP REST API. Moreover, you need to be careful not to make any mistakes or errors that could break your site.
Wrapping Up
In this blog post, we have shown you how to disable WP REST API completely or partially using different methods. We have also explained the pros and cons of each method and helped you choose the best one for your situation.
To recap, here are the main points of this blog post:
- WP REST API is an interface that lets you access and manipulate WordPress data from outside the WordPress installation itself.
- You might want to disable WP REST API for security, performance, or privacy reasons.
- You can disable WP REST API using a plugin, code snippets, or .htaccess file.
- Each method has its own advantages and disadvantages, depending on your needs and preferences.
We hope this blog post has been helpful and informative for you.