How to Disable WP REST API: A Beginner’s Guide
WordPress is a powerful and versatile platform that allows you to create stunning websites and blogs. One of the features that makes WordPress so flexible is the WP REST API, which stands for WordPress Representational State Transfer Application Programming Interface.
The WP REST API is an interface that lets you access and manipulate WordPress data from outside the WordPress installation itself. For example, you can use the WP REST API to create a mobile app, a custom dashboard, or a headless CMS that uses WordPress as the backend.
However, not everyone needs or wants to use the WP REST API. In some cases, you might want to disable it for security, performance, or privacy reasons. For instance, you might want to prevent unauthorized access to your WordPress data, reduce server load, or comply with data protection regulations.
In this blog post, we will show you how to disable WP REST API completely or partially using different methods. We will also explain the pros and cons of each method and help you choose the best one for your situation.
How to Disable WP REST API?

Method 1: Using a Plugin
One of the easiest ways to disable WP REST API is to use a plugin. There are several plugins that can help you do this, such as:
- Disable REST API: This plugin disables the WP REST API for all users who are not logged in. It also removes the REST API link tag from the site header and the HTTP response headers.
- Disable WP REST API: This plugin does one thing: disables the WP REST API for visitors who are not logged into WordPress. No configuration required.
- WP Hardening: This plugin is a comprehensive security solution that includes disabling the WP REST API as one of its features. You can also use it to harden other aspects of your WordPress site, such as file permissions, database security, and login security.
To use any of these plugins, you need to install and activate them from your WordPress dashboard. Then, you need to configure them according to your preferences.
The main advantage of using a plugin is that it is very easy and convenient. You don't need to write any code or modify any files. You can also switch between different plugins if you want to try different features or settings.
The main disadvantage of using a plugin is that it might not be compatible with some themes or plugins that rely on the WP REST API. It might also introduce some bugs or conflicts with other plugins. Moreover, using a plugin adds some overhead to your site performance and maintenance.
Method 2: Using Code Snippets
Another way to disable WP REST API is to use code snippets in your functions.php file or a custom plugin. This method requires some basic coding skills and access to your WordPress files via FTP or cPanel.
There are different code snippets that can disable WP REST API for all users, specific users, or specific endpoints. Here are some examples:
- To disable WP REST API for all users except administrators, you can use this code snippet:
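    add_filter( 'rest_authentication_errors', function( $result ) {
        // An earlier authentication check already returned a result: pass it on unchanged.
        if ( ! empty( $result ) ) {
            return $result;
        }
        // Only users with the manage_options capability (administrators by default) may continue.
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error( 'rest_forbidden', 'You are not allowed to access the WP REST API.', array( 'status' => rest_authorization_required_code() ) );
        }
        return $result;
    });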
- To disable WP REST API for specific endpoints, such as posts or comments, you can use this code snippet:
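    add_filter( 'rest_endpoints', function( $endpoints ) {
        // Each array key is a route pattern. The two keys below are the collection routes only;
        // per-item routes such as '/wp/v2/posts/(?P<id>[\d]+)' are separate keys and stay registered.
        if ( isset( $endpoints['/wp/v2/posts'] ) ) {
            unset( $endpoints['/wp/v2/posts'] );
        }
        if ( isset( $endpoints['/wp/v2/comments'] ) ) {
            unset( $endpoints['/wp/v2/comments'] );
        }
        return $endpoints;
    });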
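The two snippets above can be combined into an allowlist, which addresses the compatibility problem with themes or plugins that call the REST API from the front end. The following is an added example, not code from the original post or from any of the plugins named earlier: it requires login for the REST API but leaves chosen route prefixes open to anonymous visitors. The function names and the `/example-forms/v1` namespace are hypothetical, and the code is meant for functions.php or a custom plugin.

```php
// Hypothetical allowlist: replace with the namespaces your own theme and plugins
// call from the front end. '/oembed/1.0' is a WordPress core namespace.
function example_rest_public_prefixes() {
    return array(
        '/oembed/1.0',
        '/example-forms/v1', // placeholder for a plugin namespace
    );
}

// True when $route equals an allowlisted prefix or sits beneath it.
// Comparing against "$prefix/" stops '/oembed/1.0-other' from matching '/oembed/1.0'.
function example_rest_route_is_public( $route, array $prefixes ) {
    $route = '/' . trim( (string) $route, '/' );
    foreach ( $prefixes as $prefix ) {
        if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a decision already made by another authentication handler.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    // Logged-in users keep full access, so the block editor keeps working.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // WordPress stores the requested REST route in this query variable.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    if ( example_rest_route_is_public( $route, example_rest_public_prefixes() ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_login_required',
        'You must be logged in to use the REST API.',
        array( 'status' => rest_authorization_required_code() )
    );
} );
```

With this in place, an anonymous request to any route outside the allowlist receives a 401 response, while logged-in users are unaffected.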
- To disable WP REST API comp