Disable REST API for Non-Logged Users in WordPress

The REST API is a core feature of WordPress: clients interact with a site remotely by exchanging JSON over /wp-json/, and it is how the block editor and many plugins talk to the site.
Left at its defaults it is also reachable by anyone. The best-known example is user enumeration: a GET to /wp-json/wp/v2/users lists every account that has published content, including a slug that is usually derived from the login name, which is exactly the starting point a password-guessing attack needs.
A common hardening measure taken by WordPress site administrators is to disable the REST API for users who are not logged in.
Every API request from an unauthenticated visitor is then rejected at the authentication gate, before any endpoint that reads, creates, updates or deletes data is dispatched. For logged-in users the endpoints' own permission checks still apply, so this grants nobody extra rights; it only removes anonymous access.
Limiting API access to logged-in users shrinks the attack surface exposed to unauthenticated attackers. It is one layer, not a complete fix: data the API returns is often published elsewhere too (author archives expose the same usernames), so treat it as hardening rather than as a way to hide what the site already publishes.
The code can be added to the active theme's functions.php or, better, to a site-specific plugin or a must-use plugin in wp-content/mu-plugins/, so that it keeps working after a theme switch. Several security plugins in the WordPress repository offer the same switch.
Simply add the following code:
/**
 * Restrict REST API access to authenticated users only.
 *
 * Hooked to 'rest_authentication_errors'. That filter passes a single value:
 * null (nothing decided yet), true (another authentication method already
 * succeeded) or a WP_Error raised by an earlier handler. It does not pass the
 * server or request objects, so the callback must accept exactly one argument;
 * declaring more would make PHP throw an ArgumentCountError on every request.
 *
 * @package Disable_REST_API_Non_Logged_In
 * @since 1.0.0
 *
 * @param WP_Error|null|true $result Result of earlier authentication handlers.
 *
 * @return WP_Error|null|true Unchanged result, or a WP_Error when the visitor is not logged in.
 */
function explainwp_disable_rest_api_non_logged_in( $result ) {
    // Do not mask an error another handler has already raised.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Deny anonymous requests. rest_authorization_required_code() returns 401 here
    // (and 403 for a logged-in user), which is the status the client receives.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_unauthorized',
            __( 'You must be logged in to access the REST API.', 'disable-rest-api-non-logged-in' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $result;
}
add_filter( 'rest_authentication_errors', 'explainwp_disable_rest_api_non_logged_in' );
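Once the restriction is in place you will want to see what it rejects, both to spot scanners probing routes such as /wp/v2/users and to catch a legitimate integration you forgot about. The following is an added example, not code from the original article: a second filter on the same hook that records every rejected request. It assumes the requested route can be read from the rest_route query var (the same place core's loader, rest_api_loaded(), takes it from) and writes through PHP's error_log(), which lands in wp-content/debug.log when WP_DEBUG_LOG is enabled; the function names are mine.

```php
<?php
/**
 * Plugin Name: Log rejected REST API requests (example, wp-content/mu-plugins/)
 *
 * Observes the final outcome of 'rest_authentication_errors' and writes one
 * log line per rejected request. It never changes the decision.
 */

/**
 * Make a value safe for a single log line: drop CR/LF so a crafted
 * User-Agent or route cannot forge extra log entries, and cap the length.
 */
function explainwp_log_safe( $value, $max = 200 ) {
    $value = str_replace( array( "\r", "\n" ), ' ', (string) $value );
    return substr( $value, 0, $max );
}

function explainwp_log_rejected_rest_request( $result ) {
    if ( ! is_wp_error( $result ) ) {
        return $result; // Request was allowed; nothing to record.
    }

    // The filter does not pass the WP_REST_Request, so read the route from the
    // query var core's loader uses (assumption: the standard /wp-json/ loader).
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '(unknown)';

    // Trust only the socket address; X-Forwarded-For is attacker-controlled
    // unless a proxy you operate overwrites it.
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-';
    $agent  = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '-';

    // WP_Error data is mixed; only our own errors are guaranteed to carry 'status'.
    $data   = $result->get_error_data();
    $status = ( is_array( $data ) && isset( $data['status'] ) ) ? (int) $data['status'] : 0;

    error_log( sprintf(
        'rest-api-denied code=%s status=%d user=%d ip=%s method=%s route=%s ua="%s"',
        explainwp_log_safe( $result->get_error_code(), 64 ),
        $status,
        get_current_user_id(),
        explainwp_log_safe( $ip, 64 ),
        explainwp_log_safe( $method, 16 ),
        explainwp_log_safe( $route ),
        explainwp_log_safe( $agent )
    ) );

    return $result; // Observe only; the earlier handlers made the decision.
}
// Priority 200 runs after core's cookie/nonce check (priority 100) and after the
// login check from this article, so every rejection is seen, including
// 'rest_cookie_invalid_nonce' failures.
add_filter( 'rest_authentication_errors', 'explainwp_log_rejected_rest_request', 200 );
```

A line such as rest-api-denied code=rest_unauthorized status=401 user=0 ip=203.0.113.7 method=GET route=/wp/v2/users ua="..." repeated across many routes from one address is a scanner; a single route failing from your own office address is usually the integration you forgot to give credentials to.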
You can also keep specific REST API endpoints publicly accessible. The function below checks an allow-list first and calls explainwp_disable_rest_api_non_logged_in() for everything else, so it replaces the first function on the hook: remove the add_filter() line from the previous snippet and register only this one. Both callbacks sit on the same filter, and if both are registered the first one denies the anonymous request before the allow-list is ever consulted. Two caveats: matching is exact, so allowing /wp/v2/posts does not allow /wp/v2/posts/123, and never allow-list the batch route /batch/v1, because it dispatches other routes internally and would bypass the list.
/**
 * Allow specific REST API endpoints to remain accessible to visitors (optional).
 *
 * 'rest_authentication_errors' does not receive the WP_REST_Request, so the
 * route is read from the 'rest_route' query var, which is where core's own
 * loader (rest_api_loaded()) takes it from. Register this function instead of
 * explainwp_disable_rest_api_non_logged_in(), not in addition to it.
 *
 * @since 1.0.0
 *
 * @param WP_Error|null|true $result Result of earlier authentication handlers.
 *
 * @return WP_Error|null|true Unchanged result for allowed routes, otherwise the login check's result.
 */
function explainwp_allow_specific_rest_endpoints( $result ) {
    // Routes visitors may call without logging in. Matching is exact:
    // '/wp/v2/posts' does NOT cover '/wp/v2/posts/123'.
    $allowed_endpoints = array(
        '/wp/v2/posts',
        '/wp/v2/pages',
    );

    // Normalise to the form core uses: leading slash, no trailing slash.
    // A missing query var becomes '/', which is not allowed, so this fails closed.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    $route = '/' . ltrim( untrailingslashit( $route ), '/' );

    if ( in_array( $route, $allowed_endpoints, true ) ) {
        return $result;
    }

    // Everything else falls back to the login check.
    return explainwp_disable_rest_api_non_logged_in( $result );
}
add_filter( 'rest_authentication_errors', 'explainwp_allow_specific_rest_endpoints' );
If you want to disable the WordPress REST API entirely, read on.
How to Completely Disable REST API in WordPress
The following code disables the REST API for everyone, logged in or not. Be aware that wp-admin itself depends on the API: the block editor and many plugins make REST requests, so use this only on a site where you have verified that nothing you need breaks:
add_filter(
    'rest_authentication_errors',
    function ( $access ) {
        // Unconditional: every REST request is rejected before any route runs.
        return new WP_Error(
            'rest_disabled',
            __( 'The WordPress REST API has been disabled.' ),
            array(
                'status' => rest_authorization_required_code(),
            )
        );
    }
);
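The snippet above refuses every call but leaves the API advertised: core still emits a link rel="https://api.w.org/" tag in the page head, a Link: HTTP header and an entry in the RSD document, each pointing at /wp-json/. The following added example (mine, not code from the original article) combines the rejection with removing those announcements and answers with a fixed 403, since a client cannot fix a disabled API by logging in. It assumes placement in a must-use plugin; the remove_action() calls work from any plugin or theme because core registers these hooks in default-filters.php before plugins load. The function name is an assumption.

```php
<?php
/**
 * Plugin Name: Disable REST API completely (example, wp-content/mu-plugins/)
 */

/**
 * Reject every REST request at the authentication gate.
 *
 * Priority 1 runs before core's cookie/nonce check (priority 100) and before
 * any plugin that might decide the request is fine. A 403 rather than 401
 * tells clients that authenticating will not help.
 */
function explainwp_reject_all_rest_requests( $result ) {
    return new WP_Error(
        'rest_disabled',
        __( 'The WordPress REST API has been disabled.' ),
        array( 'status' => 403 )
    );
}
add_filter( 'rest_authentication_errors', 'explainwp_reject_all_rest_requests', 1 );

// Stop advertising the API root. Core announces it in three places; a refused
// but advertised API still points scanners at /wp-json/.
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );           // <link rel="https://api.w.org/" ...> in the HTML head
remove_action( 'template_redirect', 'rest_output_link_header', 11 );  // "Link: <.../wp-json/>; rel=\"https://api.w.org/\"" HTTP header
remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );                // WP-API entry in the RSD document (xmlrpc.php?rsd)
```

After activating, check the site with curl: the front page should carry no api.w.org link tag or Link: header, and any request under /wp-json/ should return 403 with the rest_disabled error code. Then log into wp-admin and open the block editor, because that is where the breakage a full disable causes shows up first.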
Frequently Asked Questions (FAQs)
How do I disable REST API access?
To disable access to the REST API for non-authenticated users, you can use the following code. It differs from the first snippet in two ways: when an earlier handler has already produced a WP_Error it appends to that error instead of replacing it, and it is hooked at priority 99, which is still ahead of core's cookie and nonce check at priority 100:
/**
 * Disable REST API for non-logged-in users.
 *
 * @param WP_Error|null|true $access Result of earlier authentication handlers.
 *
 * @return WP_Error|null|true
 */
function explainwp_disable_rest_api( $access ) {
    if ( is_user_logged_in() ) {
        return $access;
    }

    $error_message = 'REST API is disabled!';

    if ( ! is_wp_error( $access ) ) {
        return new WP_Error( 'rest_api_disabled', $error_message, array( 'status' => rest_authorization_required_code() ) );
    }

    // Keep the error another handler raised and append this one to it.
    $access->add( 'rest_api_disabled', $error_message, array( 'status' => rest_authorization_required_code() ) );

    return $access;
}
add_filter( 'rest_authentication_errors', 'explainwp_disable_rest_api', 99 );
To completely disable WP REST API on your WordPress website, you can use this code instead:
// Disable WP JSON (the REST API) for everyone, logged in or not.
add_filter(
    'rest_authentication_errors',
    function ( $access ) {
        return new WP_Error(
            'rest_disabled',
            __( 'Woooppsss.... REST API is disabled on this website.' ),
            array(
                'status' => rest_authorization_required_code(),
            )
        );
    }
);
Can the REST API be private?
Yes. Hooking rest_authentication_errors as shown above makes the REST API usable only by authenticated users. The same hook can enforce role-specific restrictions, for example allowing only Administrators and rejecting every other role; check a capability such as manage_options with current_user_can() rather than comparing role names, because roles can be renamed or customised while capabilities are what WordPress actually tests.
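The role-specific restriction just described, as an added example that is not part of the original article. It denies anonymous requests, requires the edit_posts capability for any route by default, and requires a stricter capability for a few sensitive route prefixes; capabilities are checked instead of role names. The route is read from the rest_route query var, the same source core's loader rest_api_loaded() uses. The function names and the prefix-to-capability table are mine; adjust the table to the plugins and roles your site uses.

```php
<?php
/**
 * Plugin Name: Role-restricted REST API (example, wp-content/mu-plugins/)
 */

/**
 * Route prefix => capability the caller must hold. The first matching prefix
 * wins, so the most specific entries come first. Routes not listed here fall
 * back to the default capability in explainwp_restrict_rest_api_by_capability().
 */
function explainwp_rest_route_capabilities() {
    return array(
        '/wp/v2/users/me'  => 'read',             // the block editor calls this for every user
        '/wp/v2/users'     => 'list_users',       // user enumeration: Editors and Administrators only
        '/wp/v2/settings'  => 'manage_options',   // site settings
        '/wp/v2/plugins'   => 'activate_plugins',
        '/wp/v2/themes'    => 'switch_themes',
    );
}

/** The requested route, normalised to the form core uses ('/wp/v2/posts'). */
function explainwp_current_rest_route() {
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    return '/' . ltrim( untrailingslashit( $route ), '/' );
}

/** Capability required for a route: first matching prefix, else the default. */
function explainwp_required_capability( $route, $default = 'edit_posts' ) {
    foreach ( explainwp_rest_route_capabilities() as $prefix => $cap ) {
        if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
            return $cap;
        }
    }
    return $default;
}

function explainwp_restrict_rest_api_by_capability( $result ) {
    // Respect a decision an earlier handler already made.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_login_required',
            __( 'You must be logged in to access the REST API.' ),
            array( 'status' => 401 )
        );
    }

    $required = explainwp_required_capability( explainwp_current_rest_route() );

    if ( ! current_user_can( $required ) ) {
        return new WP_Error(
            'rest_forbidden_role',
            __( 'Your account is not allowed to use this REST API route.' ),
            array( 'status' => 403 )
        );
    }

    return $result;
}
// Priority 99: before core's rest_cookie_check_errors() at 100, which turns a
// cookie-authenticated request that lacks a valid nonce into an anonymous one
// and returns true; a filter hooked after it would then have no user to check.
add_filter( 'rest_authentication_errors', 'explainwp_restrict_rest_api_by_capability', 99 );
```

With this table a Subscriber is refused everything except /wp/v2/users/me, an Author can use the editor but cannot list users, and only an Administrator reaches /wp/v2/settings. Test the block editor with each role you keep before deploying: it calls many routes, and a prefix that is too broad (for example /wp/v2/users without the /me entry above it) breaks the editor for non-admin users.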