Disable REST API for Non-Logged Users in WordPress

Disable the REST API without a plugin: add the following code to your theme's functions.php (ideally a child theme's, so a theme update does not overwrite it) or to a small custom or must-use plugin in wp-content/mu-plugins, which keeps the restriction in place even if the theme is switched.

The REST API is a powerful feature in WordPress, enabling developers to interact with sites remotely by sending and receiving JSON objects.

However, while this flexibility is useful, the API also answers anonymous requests by default. For example, /wp-json/wp/v2/users lists every account that has published a public post, including each user's slug (which by default derives from the login name), and attackers use it to enumerate accounts before password attacks. Routes such as /wp/v2/posts likewise hand out content in bulk to scrapers.

A common security measure taken by WordPress site administrators is to disable the REST API for non-logged users.

In practice this means an anonymous request to any endpoint is rejected before it is routed. Authenticated users still pass through each endpoint's own permission callback, so a Subscriber does not gain the ability to create, update or delete data; the gate only removes anonymous read and write access.

Limiting the API to logged-in users shrinks the unauthenticated attack surface: user enumeration, content scraping and probing of plugin-registered routes all require a valid session first.

This can be done with a few lines in the theme's functions.php, as shown below, or with one of the security plugins in the WordPress repository. Either way, the endpoints' permission callbacks remain the real authorization boundary; this filter only adds an authentication gate in front of them.

Simply add the following code:

/**
 * Disable REST API for non-logged users.
 *
 * Hooked to rest_authentication_errors at priority 99, i.e. just before
 * core's cookie/nonce check (rest_cookie_check_errors, priority 100), so
 * $access is normally still null when this runs.
 *
 * @param WP_Error|null|true $access Result of earlier authentication checks.
 *
 * @return WP_Error|null|true
 */
function explainwp_disable_rest_api( $access ) {
    // Logged-in users keep whatever result the earlier checks produced.
    if ( is_user_logged_in() ) {
        return $access;
    }

    $errorMessage = 'REST API is disabled!';

    // No earlier error: reject the request. rest_authorization_required_code()
    // returns 401 for anonymous requests and 403 for logged-in ones.
    if ( ! is_wp_error( $access ) ) {
        return new WP_Error( 'rest_api_disabled', $errorMessage, [
            'status' => rest_authorization_required_code(),
        ] );
    }

    // An earlier filter already failed the request: append our error to it.
    $access->add( 'rest_api_disabled', $errorMessage, [
        'status' => rest_authorization_required_code(),
    ] );

    return $access;
}

add_filter( 'rest_authentication_errors', 'explainwp_disable_rest_api', 99 );

Before relying on this, test it: an anonymous request such as curl -i https://example.com/wp-json/wp/v2/users should now return HTTP 401 with the rest_api_disabled code in the JSON body, while a request carrying a valid login cookie and X-WP-Nonce header should still succeed. Also check the public side of the site: any plugin or theme feature that calls the API without a login (contact forms, front-end search, embeds of your posts on other sites via /oembed/1.0/) will stop working and needs an exception.

If you want to disable the WordPress REST API entirely, read on.

How to Completely Disable REST API in WordPress

The following code disables the WordPress REST API entirely, for logged-in and anonymous users alike. Be aware that WordPress itself depends on the API: the block editor stops working and Site Health reports a REST API error once this is active, so it only makes sense on a site that uses the classic editor and no REST-based plugins:

// Disable WP JSON: reject every REST request, whatever the
// result of earlier authentication checks in $access.
add_filter(
    'rest_authentication_errors',
    function ( $access ) {
        return new WP_Error(
            'rest_disabled',
            __( 'Woooppsss.... REST API is disabled on this website.' ),
            array(
                // 401 for anonymous requests, 403 for logged-in users.
                'status' => rest_authorization_required_code(),
            )
        );
    }
);

Frequently Asked Questions (FAQs)

How do I disable REST API access?

To disable access to the REST API for non-authenticated users only, add the explainwp_disable_rest_api filter from the first section above to your functions.php or a custom plugin; it rejects anonymous requests on rest_authentication_errors with a 401 and lets logged-in users through.

To completely disable the WP REST API on your WordPress website, use the unconditional rest_disabled snippet from "How to Completely Disable REST API in WordPress" above instead, keeping in mind that it also breaks the block editor.

Can REST API be private?

Yes. In WordPress the REST API can be made private so that only authenticated users can reach it, using the rest_authentication_errors filter shown above. Role-specific restrictions are also possible: in the same filter, replace is_user_logged_in() with a capability check such as current_user_can( 'manage_options' ), so that only Administrators pass and every other role is rejected with a 403. Check capabilities rather than role names, because roles are only bundles of capabilities and a custom role may legitimately carry the same one.
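The following is an added example, not code from the original post or from ExplainWP, of such a capability-based restriction. It goes beyond the FAQ answer in two ways: it hooks rest_pre_dispatch, which runs after core has authenticated the request and receives the parsed WP_REST_Request, so the route is known as well as the effective user; and it keeps a short allow-list of route prefixes open to anonymous visitors so that a public feature like oEmbed keeps working. The capability name, the allow-listed prefix, the error code and every explainwp_example_* name are assumptions to adjust for the site.

```php
<?php
/*
 * Added example (not from the original post or ExplainWP): allow the REST
 * API only to users holding a capability, while keeping a short allow-list
 * of routes open to anonymous visitors. The capability, the route prefixes
 * and all explainwp_example_* names are assumptions; adjust them to the site.
 */

// Assumption: only users who can manage the site may use the REST API.
// Check a capability rather than a role name: roles are bundles of
// capabilities, and a custom role may legitimately carry this one too.
const EXPLAINWP_EXAMPLE_REST_CAPABILITY = 'manage_options';

// Assumption: route prefixes that must stay reachable without a login.
// '/oembed/1.0/' keeps embeds of this site's posts on other sites working.
const EXPLAINWP_EXAMPLE_PUBLIC_ROUTES = array(
	'/oembed/1.0/',
);

/**
 * True when the route (e.g. "/wp/v2/users") starts with an allow-listed prefix.
 */
function explainwp_example_is_public_route( $route ) {
	foreach ( EXPLAINWP_EXAMPLE_PUBLIC_ROUTES as $prefix ) {
		if ( 0 === strpos( $route, $prefix ) ) {
			return true;
		}
	}
	return false;
}

/**
 * Gate on rest_pre_dispatch. Unlike rest_authentication_errors, this filter
 * runs after core has authenticated the request (cookie plus nonce, application
 * password, etc.) and receives the parsed request, so both the effective user
 * and the route are known. A request with a login cookie but no nonce has
 * already been downgraded to anonymous by core at this point.
 *
 * @param mixed           $result  Response already produced by another filter, or null.
 * @param WP_REST_Server  $server  The REST server instance (unused here).
 * @param WP_REST_Request $request The request being dispatched.
 * @return mixed|WP_Error
 */
function explainwp_example_restrict_rest( $result, $server, $request ) {
	// Another filter already short-circuited dispatch; respect its result.
	if ( null !== $result ) {
		return $result;
	}

	if ( explainwp_example_is_public_route( $request->get_route() ) ) {
		return $result;
	}

	if ( current_user_can( EXPLAINWP_EXAMPLE_REST_CAPABILITY ) ) {
		return $result;
	}

	// 401 for anonymous requests, 403 for logged-in users without the capability.
	return new WP_Error(
		'rest_forbidden_capability',
		__( 'The REST API is restricted on this site.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}
add_filter( 'rest_pre_dispatch', 'explainwp_example_restrict_rest', 10, 3 );
```

Save it as a file in wp-content/mu-plugins/ (an assumption; functions.php works too) and test three requests: an anonymous GET to /wp-json/wp/v2/users should return 401, a logged-in Subscriber sending a valid X-WP-Nonce should get 403, and an anonymous GET to /wp-json/oembed/1.0/embed?url=... should still return embed data. Because rest_pre_dispatch also runs for internal rest_do_request() calls, the routes the block editor preloads for an Administrator still pass.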
