WPBeginner

Beginner's Guide for WordPress

  • Blog
    • Beginners Guide
    • News
    • Opinion
    • Showcase
    • Themes
    • Tutorials
    • WordPress Plugins
  • Start Here
    • How to Start a Blog
    • Create a Website
    • Start an Online Store
    • Best Website Builder
    • Email Marketing
    • WordPress Hosting
    • Business Name Ideas
  • Deals
    • Bluehost Coupon
    • SiteGround Coupon
    • WP Engine Coupon
    • HostGator Coupon
    • Domain.com Coupon
    • Constant Contact
    • View All Deals »
  • Glossary
  • Videos
  • Products
X
☰
Beginner's Guide for WordPress / Start your WordPress Blog in minutes
Choosing the Best
WordPress Hosting
How to Easily
Install WordPress
Recommended
WordPress Plugins
View all Guides

WPBeginner» Blog» Tutorials» How to Disable JSON REST API in WordPress

How to Disable JSON REST API in WordPress

Last updated on November 14th, 2020 by Editorial Staff
194 Shares
Share
Tweet
Share
Pin
Free WordPress Video Tutorials on YouTube by WPBeginner
How to Disable JSON REST API in WordPress

WordPress 4.4 added the much anticipated JSON REST API. It is great for plugin developers, but many site owners may not find it useful at all. In this article, we will show you how to easily disable the JSON REST API in WordPress.

Disable JSON REST API in WordPress

Why You Need to Disable JSON REST API in WordPress?

There is no denying that the API will bring lots of benefits for WordPress developers. The API makes it super easy to retrieve data using GET requests, which is useful for those building apps with WordPress.

However, most site owners may not be needing those features at all.

Having that said, this could potentially open your website to a new front of DDoS attacks. It can be resource intensive and slow down your website.

It is similar to disabling XML-RPC, which many site admins disable on their WordPress sites just to be on the safe side.

Disabling JSON REST API in WordPress

First thing you need to do is install and activate the Disable REST API plugin. For more details, see our step by step guide on how to install a WordPress plugin.

The plugin works out of the box and there are no settings for you to configure.

It will now forcibly return an authentication error to any API requests from sources who are not logged into your website.

This will effectively prevent unauthorized requests from using the REST API to get information from your website.

You can test this by visiting http://example.com/wp-json page. Make sure you logout of WordPress admin area first or switch your browser to incognito mode.

Don’t forget to replace example.com with your own domain name. You will see this message, indicating that REST API requests are blocked.

REST API Disabled

That’s all, you have successfully disabled unauthorized REST API requests on your WordPress site.

We hope this article helped you learn how to Disable JSON API in WordPress. Security conscious users may also want to checkout these tips on protecting WordPress admin area.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Google+.

194 Shares
Share
Tweet
Share
Pin
Popular on WPBeginner Right Now!
  • Google Analytics in WordPress

    How to Install Google Analytics in WordPress for Beginners

  • Revealed: Why Building an Email List is so Important Today (6 Reasons)

    Revealed: Why Building an Email List is so Important Today (6 Reasons)

  • How to Fix the Error Establishing a Database Connection in WordPress

    How to Fix the Error Establishing a Database Connection in WordPress

  • How to Start Your Own Podcast (Step by Step)

    How to Start Your Own Podcast (Step by Step)

About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.

The Ultimate WordPress Toolkit

34 Comments

Leave a Reply
  1. Ricky says:
    May 25, 2017 at 10:19 am

    Similar to an above commenter, I’ve noticed the “wp-json” request when using Pingdom and other testing sites. Unfortunately, mine takes over 10 seconds (Yes really!!) to load it. This pushes my overall website load time and I can’t figure out how to fix this. The plugin doesn’t change it at all. Any suggestions?

    Reply
  2. Janice says:
    Mar 1, 2017 at 9:22 pm

    How do I know if I actually have JSON API on my website?
    This article about removing it is good – if I need it – but I have often been alarmed by certain warnings only to find that they’ve not even applicable to me.

    Reply
    • WPBeginner Support says:
      Mar 2, 2017 at 1:01 am

      Hey Janice,

      If you are using a self-hosted WordPress.org site, then you do have JSON REST API available on your website.

      Reply
  3. Logan Cale says:
    Feb 17, 2017 at 11:52 am

    I hate adding yet another plugin to do a simple tasks, and I found that we can disable this functionality by adding the following code snippet to the functions.php file.

    add_filter(‘rest_enabled’, ‘_return_false’);
    add_filter(‘rest_jsonp_enabled’, ‘_return_false’);

    Reply
    • Margarit Koka says:
      Apr 11, 2017 at 1:36 pm

      Thank you bro, your answer is what I was looking when visiting this page.

      Reply
    • Bobby C. says:
      Nov 28, 2017 at 10:32 am

      Thank you! Straight to the point.

      Reply
    • Hari says:
      Jan 30, 2019 at 5:49 am

      I was looking for this code, it worked, thanks, I don’t prefer adding plugins.

      Reply
  4. Michael says:
    Feb 16, 2017 at 5:08 pm

    Thanks for your help. There is no ‘add new’ option in my plugins.

    Reply
    • WPBeginner Support says:
      Feb 17, 2017 at 9:10 pm

      You are probably using WordPress.com. Please see our guide on the difference between self hosted WordPress.org vs free WordPress.com blog.

      Reply
  5. Lynne says:
    Feb 16, 2017 at 4:52 pm

    Thank you! Spot on :) worked for me

    Reply
  6. J.L. says:
    Feb 15, 2017 at 3:30 pm

    Is this just for self hosted blogs or including free blog sites? Per mostly all plug ins…etc are done for you when you’re not self hosted

    PS I’m not subscribing…just want a response

    Reply
    • WPBeginner Support says:
      Feb 16, 2017 at 10:21 am

      This is for self hosted WordPress.org sites only.

      Reply
  7. Elaine says:
    Feb 15, 2017 at 11:31 am

    How can I check if my site has Rest API. I turned off a lot of extras when I first set it up but now don’t know where to look to see if it’s there. Not keen to download a plugin unnecessarily.

    Reply
    • WPBeginner Support says:
      Feb 16, 2017 at 10:28 am

      Hey Elaine,

      You can check if rest is api is enabled on your site by visiting the url like this example.com/wp-json. Make sure you are signed out of WordPress before doing that. If you see lots of information in plain text, then this means REST API is enabled on your site. Follow the above instructions to turn it off

      Reply
  8. Saransh Jain says:
    Feb 15, 2017 at 12:31 am

    What about the option to disable json rest api in Jetpack plugin?

    Reply
  9. Ken Dowling says:
    Feb 14, 2017 at 6:32 pm

    Is disabling REST API suitable for e-commerce sites such as WooCommerce? My understanding is that WooCommerce uses REST-API quite a bit.

    Further, my buyers do not have to login to buy, so what happens to the transaction when a REST API call is rejected?

    Regards, Ken

    Reply
  10. D. Joe Chaffin says:
    Feb 14, 2017 at 5:28 pm

    Plug-in makes no difference for me in WP 4.7.2. With the plugin activated or disabled, the example.com/wp-json (with my domain replacing “example”) pages gives a massive list of settings for my site.

    Reply
    • D. Joe Chaffin says:
      Feb 14, 2017 at 5:52 pm

      Hmmmm. Now that I look at it, I only see the list in Safari, while Chrome and Firefox for Mac show the expected message specified in this post.

      Reply
    • WPBeginner Support says:
      Feb 14, 2017 at 8:17 pm

      Hi,

      Make sure you are logged out of WordPress admin area or use incognito mode before testing the example.com/wp-json page. The plugin disables access to the page only for unauthorized users. As an administrator you will still be able to see it.

      Reply
      • D. Joe Chaffin says:
        Feb 14, 2017 at 9:46 pm

        Embarrassed… You are right, of course.

        Reply
  11. Audra Carpenter says:
    Feb 14, 2017 at 1:25 pm

    Hey Guys,

    First off thanks so much for what you do! I’ve learned so much about WordPress from you and sent a ton of folks your way!!

    Ok, I installed the plugin, but I am not seeing what you suggest above? I have a full screen of information…?

    Thoughts?

    Thanks!

    Reply
    • WPBeginner Support says:
      Feb 14, 2017 at 8:22 pm

      Hi Audra,

      Please logout or use incognito window to test. The plugin only disables access for non-logged in users.

      Reply
  12. Treasure says:
    Feb 14, 2017 at 1:03 pm

    I followed these steps, but when I went to check it with the example etc., I got 2 pages of code, not the response showed above. Hmmm, don’t know what to do.

    Reply
    • Treasure says:
      Feb 14, 2017 at 1:45 pm

      Alright, I did it again and got the right message. Thanks!

      Reply
  13. Doug Nix says:
    Feb 14, 2017 at 11:49 am

    When I ran the test I think it failed, as I got a boatload of data on screen. Any idea what might have not worked? I installed the plugin as described…

    Reply
    • Doug Nix says:
      Feb 15, 2017 at 8:00 am

      Works perfectly when I check using an incognito window. Thanks for the explanation regarding authorised vs unauthorised or anonymous users.

      Reply
  14. Laura Zielke says:
    Feb 14, 2017 at 11:44 am

    Worked perfectly. Thank you!

    Reply
  15. Karl says:
    Feb 7, 2017 at 5:11 pm

    Thanks for the tip as well as for the hook to disable XMLRPC.
    Is there a chance for a filter hook for the REST API as well?

    Reply
  16. Andrew says:
    Jan 29, 2016 at 7:06 pm

    When I check the speed of my site using pingdom.com, the first html entry that tried to load shows the link as mydomain.com/wp-json and it has over 2 seconds of “wait” time. Is this the same as what this article is talking about? I’m hesitant to simply disable it since I would assume it will be used in the future. Any idea why it would add a 2+ second delay to loading anything on the page?

    Reply
  17. Stephen Cronin says:
    Jan 7, 2016 at 6:05 pm

    Hmm, the REST API is going to become the standard way for plugins and themes to make Ajax calls back to the server from the front end, replacing admin-ajax, so I wouldn’t be disabling it… Hopefully they will fail gracefully, but you will almost end up missing some functionality.

    Also, if you really want to protect against DDoS attacks, you better disable html as well! ;)

    Reply
    • reza says:
      Feb 14, 2017 at 12:03 pm

      ver 50,000 WordPress websites have been hacked due to a major security vulnerability that was discovered in the WordPress REST API.

      Reply
      • Jim S Smith says:
        Jun 30, 2017 at 3:26 pm

        OUCH!

        That’s disturbing to know. I have noticed a LOT of access attempts in my site’s logs.

        What’s more,

        I think the folks at WordPress could have done a little better in letting the users decide how much, if at all, they want the REST API exposed.

        Again,

        More of this, “The developers know MORE about the user’s needs than the user does!” – I also was not too happy about being forced to support EMOJI and remote-loaded fonts from fonts.google.com, even though my sites do not use them!

        The REST API may be a boon for (some) actual web-application developers, but what about the rest of us who will not very likely use this? ? ?

        Reply
  18. Kasey says:
    Jan 7, 2016 at 7:28 am

    How likely is it that a plugin will be using this functionality. Just for example would contact forms be utilizing this? Not keen on turning it off in case it breaks anything.

    Reply
    • WPBeginner Support says:
      Jan 7, 2016 at 10:49 am

      The plugins will most likely notify you if they will be using it and you have it turned off.

      Reply

Leave a Reply Cancel reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

Over 1,320,000+ Readers

Get fresh content from WPBeginner

Featured WordPress Plugin
Smash Balloon
Smash Balloon
Add Custom Social Media Feeds in WordPress. Learn More »
How to Start a Blog How to Start a Blog
I need help with ...
Starting a
Blog
WordPress
Performance
WordPress
Security
WordPress
SEO
WordPress
Errors
Building an
Online Store
Useful WordPress Guides
    • 7 Best WordPress Backup Plugins Compared (Pros and Cons)
    • How to Fix the Error Establishing a Database Connection in WordPress
    • Why You Need a CDN for your WordPress Blog? [Infographic]
    • 30 Legit Ways to Make Money Online Blogging with WordPress
    • Self Hosted WordPress.org vs. Free WordPress.com [Infograph]
    • Free Recording: WordPress Workshop for Beginners
    • 24 Must Have WordPress Plugins for Business Websites
    • How to Properly Move Your Blog from WordPress.com to WordPress.org
    • 5 Best Contact Form Plugins for WordPress Compared
    • Which is the Best WordPress Popup Plugin? (Comparison)
    • Best WooCommerce Hosting in 2020 (Comparison)
    • How to Fix the Internal Server Error in WordPress
    • How to Install WordPress - Complete WordPress Installation Tutorial
    • Why You Should Start Building an Email List Right Away
    • How to Properly Move WordPress to a New Domain Without Losing SEO
    • How to Choose the Best WordPress Hosting for Your Website
    • How to Choose the Best Blogging Platform (Comparison)
    • WordPress Tutorials - 200+ Step by Step WordPress Tutorials
    • 5 Best WordPress Ecommerce Plugins Compared
    • 5 Best WordPress Membership Plugins (Compared)
    • 7 Best Email Marketing Services for Small Business (2020)
    • How to Choose the Best Domain Registrar (Compared)
    • The Truth About Shared WordPress Web Hosting
    • When Do You Really Need Managed WordPress Hosting?
    • 5 Best Drag and Drop WordPress Page Builders Compared
    • How to Switch from Blogger to WordPress without Losing Google Rankings
    • How to Properly Switch From Wix to WordPress (Step by Step)
    • How to Properly Move from Weebly to WordPress (Step by Step)
    • Do You Really Need a VPS? Best WordPress VPS Hosting Compared
    • How to Properly Move from Squarespace to WordPress
    • How to Register a Domain Name (+ tip to get it for FREE)
    • HostGator Review - An Honest Look at Speed & Uptime (2020)
    • SiteGround Reviews from 4196 Users & Our Experts (2020)
    • Bluehost Review from Real Users + Performance Stats (2020)
    • How Much Does It Really Cost to Build a WordPress Website?
    • How to Create an Email Newsletter the RIGHT WAY (Step by Step)
    • Free Business Name Generator (A.I Powered)
    • How to Create a Free Business Email Address in 5 Minutes (Step by Step)
    • How to Install Google Analytics in WordPress for Beginners
    • How to Move WordPress to a New Host or Server With No Downtime
    • Why is WordPress Free? What are the Costs? What is the Catch?
    • How to Make a Website in 2020 – Step by Step Guide
Deals & Coupons (view all)
Churnly Coupon
Get 30% OFF on Churnly WordPress automated churn-busting plugin.
AccessPress Themes
AccessPress Themes Coupon
Get 15% off on AccessPress Themes collection of premium WordPress themes and plugins.
Featured In
About WPBeginner®

WPBeginner is a free WordPress resource site for Beginners. WPBeginner was founded in July 2009 by Syed Balkhi. The main goal of this site is to provide quality tips, tricks, hacks, and other WordPress resources that allows WordPress beginners to improve their site(s).
Join our team: We are Hiring!

Site Links
  • About Us
  • Contact Us
  • FTC Disclosure
  • Privacy Policy
  • Terms of Service
  • Free Blog Setup
  • Free Business Tools
Our Sites
  • OptinMonster
  • MonsterInsights
  • WPForms
  • SeedProd
  • Nameboy
  • RafflePress
  • Smash Balloon

Copyright © 2009 - 2021 WPBeginner LLC. All Rights Reserved. WPBeginner® is a registered trademark.

Managed by Awesome Motive | WordPress hosting by SiteGround | WordPress CDN by MaxCDN | WordPress Security by Sucuri.