Recently one of our readers asked us, how do I disable the REST API on my WordPress site?
When WordPress Version 4.4 was released, it came with the much anticipated JSON REST API. While it’s great for plugin developers, many site owners may not find it useful at all.
In this article, we will show you how to easily disable the JSON REST API in WordPress.
Why Disable JSON REST API in WordPress?
There is no denying that the API has lots of benefits for WordPress developers. The API makes it super easy to retrieve data using GET requests, which is useful for those building apps with WordPress.
With that said, this could potentially open your website to a new front of DDoS attacks. It can also be resource-intensive and slow down your WordPress website.
Disabling JSON REST API is similar to disabling XML-RPC, which many site admins disable on their WordPress sites just to be on the safe side.
We’ll show you two methods for easily disabling JSON REST API in WordPress.
Method 1. Disabling JSON REST API in WordPress with Code (Recommended)
We recommend using the WPCode plugin to disable JSON REST API in WordPress.
Plus, it comes with a built-in code library that includes verified code snippets for popular feature requests like disable REST API, disable XML-RPC, and much more. This prevents you from having to install a bunch of single-use plugins.
Note: The free version of WPCode has everything you need to easily add custom code in WordPress. But, if you want advanced features like a private cloud snippets library, page and device-specific snippets, code revisions, and more, you can upgrade to WPCode Pro.
Once the plugin is activated, go to Code Snippets » Library from your WordPress dashboard.
Then, search for the ‘Disable WordPress REST API’ snippet and click on the ‘Use snippet’ button.
The plugin will then automatically add the code and select the proper insertion method.
All you need to do is toggle the switch from ‘Inactive’ to ‘Active.’
Then, click the ‘Update’ button.
That’s it. Now JSON REST API is disabled on your WordPress site.
Method 2. Disabling JSON REST API in WordPress with a Plugin
The plugin works out of the box and there are no settings for you to configure.
It will now forcibly return an authentication error to any API request from a source that is not logged in to your website.
This will effectively prevent unauthorized requests from using the REST API to get information from your website.
You can test this by visiting the http://example.com/wp-json page. Make sure you log out of the WordPress admin area first or switch your browser to incognito mode.
Don’t forget to replace example.com with your own domain name. You will see this message, indicating that REST API requests are blocked.
That’s all, you have successfully disabled unauthorized REST API requests on your WordPress site.
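The behavior described above, an authentication error for any REST API request from a visitor who is not logged in, can be expressed with WordPress's `rest_authentication_errors` filter. This is an added example, not the code shipped by WPCode or by the plugin; the function name, error code, and message are illustrative assumptions.

```php
<?php
// Added example: omit the opening tag above if your snippet tool adds it for you.
// The function name, error code and message are illustrative, not from any plugin.

/**
 * Reject REST API requests from visitors who are not logged in.
 *
 * @param WP_Error|null|true $result Outcome of earlier authentication checks:
 *                                   null (nothing checked yet), true (already
 *                                   authenticated) or a WP_Error (already rejected).
 * @return WP_Error|null|true
 */
function example_require_login_for_rest_api( $result ) {
	// Another authentication handler has already decided: keep its verdict
	// so this filter does not override application-password or plugin auth.
	if ( true === $result || is_wp_error( $result ) ) {
		return $result;
	}

	// No decision yet: block anonymous visitors with an authentication error.
	if ( ! is_user_logged_in() ) {
		return new WP_Error(
			'rest_login_required',
			__( 'REST API requests are restricted to logged-in users.' ),
			array( 'status' => rest_authorization_required_code() ) // 401 when logged out.
		);
	}

	// Logged-in users pass through unchanged, which keeps the block editor
	// and other dashboard features that call the REST API working.
	return $result;
}
add_filter( 'rest_authentication_errors', 'example_require_login_for_rest_api' );
```

Because the filter runs inside the REST server rather than at the URL level, it covers both the /wp-json path and the `?rest_route=` query form of the same endpoints.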
We hope this article helped you learn how to disable the JSON REST API in WordPress. Security-conscious users may also want to check out these tips on protecting the WordPress admin area or see our expert picks of the best WordPress backup plugins.