With the REST API, you can connect your WordPress site to third-party services and apps. Unfortunately, this connection can make your site vulnerable to attacks. Therefore, you may be looking for a way to disable the WordPress REST API.
The process is easier than you might think. You can simply use a plugin to disable it or add a piece of code to your site. This will help protect your site against common cyber crimes, like brute-force attacks.
In this post, we’ll take a closer look at 🔎 the WordPress REST API and why you might want to disable it. Then, we’ll show you two ways to do it. Let’s get started!
What is the REST API?
The WordPress REST API is a tool that enables developers to integrate WordPress into third-party web applications. They can do this remotely, without the need to log into the website.
👉 To get a better understanding of how it works, let’s look at its two main components:
- Application Programming Interface (API). This is a program that enables two applications to communicate with one another.
- Representational State Transfer (REST). This is a set of guidelines that developers must follow when creating APIs. These include things like using cacheable data and enabling the website and server to function independently of one another.
Therefore, a REST API is an interface that is designed with these standards in mind. With this API, other apps are able to access the WordPress database to fetch data. In fact, many WordPress plugins use the WordPress REST API to function properly.
The REST API sends and receives data as JSON (JavaScript Object Notation) objects. This means that front-end developers without knowledge of PHP (which is the programming language that WordPress is built on) are still able to work on the content management system.
Why you might want to disable the WordPress REST API
The REST API comes built into WordPress and is readily available. While it can be very useful, it also makes your site susceptible to attacks.
For example, hackers might be able to access your data through the REST API. By default, the interface makes usernames publicly viewable, which can lead to brute-force attacks. This is when hackers try to access your site by using different combinations of passwords and usernames.
The REST API can also make your site vulnerable to Distributed Denial-of-Service (DDoS) attacks. This is when malicious actors attempt to make your site unavailable by overwhelming it with fake traffic.
Even if you’re taking the necessary precautions to keep your site safe, this tool can be resource-heavy and slow down your site. Therefore, if you have no real use for it, you might want to disable the WordPress REST API.
How to disable the REST API in WordPress (2 methods)
Now, let’s look at two main ways to disable the WordPress REST API, starting with the easier option.
Before you proceed, you might want to make a backup of your site. This way, if you accidentally break your site when disabling the REST API, you can easily restore a copy. Alternatively, you could try this on a staging site first, then push your changes live.
1. Using a plugin 🔌
The easiest way to disable the WordPress REST API is with a plugin like Disable REST API. This tool will automatically disable this feature upon activation. However, it also enables you to grant access to some endpoints and allow particular users on your site to use the REST API.
Note that this plugin hasn’t been updated in a long while and may cause compatibility issues with other plugins on your site. Therefore, you’ll want to test it on your staging site first.
You can go ahead and install the plugin on your site. Once you hit Activate, the REST API will be automatically inaccessible to general users on your site.
If you want to allow access to particular users or endpoints only, you can navigate to Settings > Disable REST API:
From the dropdown menu, you can select the user role that will have access to the REST API. Then, you can choose to either give them full access or allow them access to certain endpoints only:
If you select Manage REST API Access, you’ll get a list of all the endpoints on your site:
Using the toggle switch, you can select which endpoints the user will have access to. When you’re ready, click on Save Changes.
2. Using a code snippet 💾
You can also disable the WordPress REST API by manually adding code to your site. While this may sound a little difficult, it’s actually a straightforward process, especially if you use a plugin like Code Snippets to insert the code.
If you already have this plugin on your site, it makes more sense to use the same tool to disable the REST API, rather than installing another plugin. You might also opt for this plugin if you want to have more control over the code that you add to your site.
Once you have Code Snippets set up on your site, go to Snippets > Add New:
Name the snippet “Disable REST API” and paste the following code into the provided box:
    // Reject every REST API request with an error.
    add_filter( 'rest_authentication_errors', 'disable_rest_api' );

    function disable_rest_api( $access ) {
        return new WP_Error(
            'rest_disabled',
            __( 'The WordPress REST API has been disabled.' ),
            // 401 for logged-out visitors, 403 for logged-in users.
            array( 'status' => rest_authorization_required_code() )
        );
    }

So, here’s what the result will look like:
Make sure to select Run snippet everywhere. Then, scroll down to the bottom and click on Save Changes and Activate. This will disable the WordPress REST API on your site.
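The snippet above rejects every REST request, including those from logged-in users, and the block editor itself relies on the REST API. As an added example (not from the original post or from any plugin mentioned here), the two alternatives below narrow the restriction instead: option A requires a login for all REST requests, and option B keeps the API public but removes the user routes that expose usernames. The `example_` function names are hypothetical; use one option, not both.

```php
<?php
// Added example. Function names prefixed "example_" are hypothetical.

// Option A: require a logged-in user for every REST request, so
// authenticated features such as the block editor keep working.
add_filter( 'rest_authentication_errors', 'example_rest_require_login' );

function example_rest_require_login( $result ) {
    // An earlier handler already accepted (true) or rejected (WP_Error)
    // the request: keep its decision.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }

    return $result;
}

// Option B: leave the REST API public, but drop the user routes for
// logged-out visitors so usernames are not listed to anonymous clients.
add_filter( 'rest_endpoints', 'example_rest_hide_user_routes' );

function example_rest_hide_user_routes( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users and its sub-routes (single user, "me", ...).
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
}
```

To confirm the change on a staging site, request `/wp-json/wp/v2/users` while logged out: option A should answer with a 401 error, and option B with a 404 because the route no longer exists.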
Conclusion 🧐
The WordPress REST API enables you to connect your site with third-party applications. However, this feature can also make your site vulnerable to brute-force attacks and other security threats.
Therefore, if you don’t need it, you might as well disable it.
👉 To recap, here’s how to disable the WordPress REST API:
- Use a plugin like Disable REST API to disable it automatically. 🔌
- Add a piece of code manually via the Code Snippets plugin. 💾