Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

How to Disable JSON REST API in WordPress

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Recently one of our readers asked us, how do I disable the REST API on my WordPress site?

When WordPress Version 4.4 was released, it came with the much anticipated JSON REST API. While it’s great for plugin developers, many site owners may not find it useful at all.

In this article, we will show you how to easily disable the JSON REST API in WordPress.

Disable JSON REST API in WordPress

Why Disable JSON REST API in WordPress?

There is no denying that the API has lots of benefits for WordPress developers. The API makes it super easy to retrieve data using GET requests, which is useful for those building apps with WordPress.

With that said, this could potentially open your website to a new front of DDoS attacks. It can also be resource-intensive and slow down your WordPress website.

Disabling JSON REST API is similar to disabling XML-RPC, which many site admins disable on their WordPress sites just to be on the safe side.

We’ll show you two methods for easily disabling JSON REST API in WordPress. Simply use the quick links below to jump to the method you want to use.

Method 1. Disabling JSON REST API in WordPress with Code (Recommended)

We recommend using the WPCode plugin to disable JSON REST API in WordPress.

WPCode

WPCode makes it safe and easy to add custom code in WordPress, without editing your theme’s functions.php file. That way, there’s no risk of making an error and breaking your site.

Plus, it comes with a built-in code library that includes verified code snippets for popular feature requests like disable REST API, disable XML-RPC, and much more. This prevents you from having to install a bunch of single-use plugins.

To get started, you need to install and activate the free WPCode plugin. For step by step instructions, read our guide on how to install a WordPress plugin.

Note: The free version of WPCode has everything you need to easily add custom code in WordPress. But, if you want advanced features like a private cloud snippets library, page and device-specific snippets, code revisions, and more, you can upgrade to WPCode Pro.

Once the plugin is activated, go to Code Snippets » Library from your WordPress dashboard.

Then, search for the ‘Disable WordPress REST API’ snippet and click on the ‘Use snippet’ button.

Select the Disable WordPress REST API in WPCode

The plugin will then automatically add the code and select the proper insertion method.

WPCode automatically adds the Disable JSON REST API snippet

All you need to do is toggle the switch from ‘Inactive’ to ‘Active.’

Then, click the ‘Update’ button.

Switch the code snippet to Active and click Update in WPCode

That’s it. Now JSON REST API is disabled on your WordPress site.

Method 2. Disabling JSON REST API in WordPress with a Plugin

The first thing you need to do is install and activate the Disable REST API plugin. For more details, see our step by step guide on how to install a WordPress plugin.

The plugin works out of the box and there are no settings for you to configure.

It will now forcibly return an authentication error to any API requests from sources who are not logged into your website.

This will effectively prevent unauthorized requests from using the REST API to get information from your website.

You can test this by visiting http://example.com/wp-json page. Make sure you log out of the WordPress admin area first or switch your browser to incognito mode.

Don’t forget to replace example.com with your own domain name. You will see this message, indicating that REST API requests are blocked.

REST API Disabled

That’s all, you have successfully disabled unauthorized REST API requests on your WordPress site.

We hope this article helped you learn how to Disable JSON API in WordPress. Security-conscious users may also want to check out these tips on protecting the WordPress admin area or see our expect picks of the best WordPress backup plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

37 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. RJW says

    I’d try the disable plugin in Dev environment before production, I found installing it broke some features

    • WPBeginner Support says

      If you have many different plugins and tools and have a testing environment then it would definitely be good to test new plugins and how they interact with your site.

      Admin

  3. Ricky says

    Similar to an above commenter, I’ve noticed the “wp-json” request when using Pingdom and other testing sites. Unfortunately, mine takes over 10 seconds (Yes really!!) to load it. This pushes my overall website load time and I can’t figure out how to fix this. The plugin doesn’t change it at all. Any suggestions?

  4. Janice says

    How do I know if I actually have JSON API on my website?
    This article about removing it is good – if I need it – but I have often been alarmed by certain warnings only to find that they’ve not even applicable to me.

  5. Logan Cale says

    I hate adding yet another plugin to do a simple tasks, and I found that we can disable this functionality by adding the following code snippet to the functions.php file.

    add_filter(‘rest_enabled’, ‘_return_false’);
    add_filter(‘rest_jsonp_enabled’, ‘_return_false’);

  6. J.L. says

    Is this just for self hosted blogs or including free blog sites? Per mostly all plug ins…etc are done for you when you’re not self hosted

    PS I’m not subscribing…just want a response

  7. Elaine says

    How can I check if my site has Rest API. I turned off a lot of extras when I first set it up but now don’t know where to look to see if it’s there. Not keen to download a plugin unnecessarily.

    • WPBeginner Support says

      Hey Elaine,

      You can check if rest is api is enabled on your site by visiting the url like this example.com/wp-json. Make sure you are signed out of WordPress before doing that. If you see lots of information in plain text, then this means REST API is enabled on your site. Follow the above instructions to turn it off

      Admin

  8. Ken Dowling says

    Is disabling REST API suitable for e-commerce sites such as WooCommerce? My understanding is that WooCommerce uses REST-API quite a bit.

    Further, my buyers do not have to login to buy, so what happens to the transaction when a REST API call is rejected?

    Regards, Ken

  9. D. Joe Chaffin says

    Plug-in makes no difference for me in WP 4.7.2. With the plugin activated or disabled, the example.com/wp-json (with my domain replacing “example”) pages gives a massive list of settings for my site.

    • D. Joe Chaffin says

      Hmmmm. Now that I look at it, I only see the list in Safari, while Chrome and Firefox for Mac show the expected message specified in this post.

    • WPBeginner Support says

      Hi,

      Make sure you are logged out of WordPress admin area or use incognito mode before testing the example.com/wp-json page. The plugin disables access to the page only for unauthorized users. As an administrator you will still be able to see it.

      Admin

  10. Audra Carpenter says

    Hey Guys,

    First off thanks so much for what you do! I’ve learned so much about WordPress from you and sent a ton of folks your way!!

    Ok, I installed the plugin, but I am not seeing what you suggest above? I have a full screen of information…?

    Thoughts?

    Thanks!

  11. Treasure says

    I followed these steps, but when I went to check it with the example etc., I got 2 pages of code, not the response showed above. Hmmm, don’t know what to do.

  12. Doug Nix says

    When I ran the test I think it failed, as I got a boatload of data on screen. Any idea what might have not worked? I installed the plugin as described…

    • Doug Nix says

      Works perfectly when I check using an incognito window. Thanks for the explanation regarding authorised vs unauthorised or anonymous users.

  13. Karl says

    Thanks for the tip as well as for the hook to disable XMLRPC.
    Is there a chance for a filter hook for the REST API as well?

  14. Andrew says

    When I check the speed of my site using pingdom.com, the first html entry that tried to load shows the link as mydomain.com/wp-json and it has over 2 seconds of “wait” time. Is this the same as what this article is talking about? I’m hesitant to simply disable it since I would assume it will be used in the future. Any idea why it would add a 2+ second delay to loading anything on the page?

  15. Stephen Cronin says

    Hmm, the REST API is going to become the standard way for plugins and themes to make Ajax calls back to the server from the front end, replacing admin-ajax, so I wouldn’t be disabling it… Hopefully they will fail gracefully, but you will almost end up missing some functionality.

    Also, if you really want to protect against DDoS attacks, you better disable html as well! ;)

    • reza says

      ver 50,000 WordPress websites have been hacked due to a major security vulnerability that was discovered in the WordPress REST API.

      • Jim S Smith says

        OUCH!

        That’s disturbing to know. I have noticed a LOT of access attempts in my site’s logs.

        What’s more,

        I think the folks at WordPress could have done a little better in letting the users decide how much, if at all, they want the REST API exposed.

        Again,

        More of this, “The developers know MORE about the user’s needs than the user does!” – I also was not too happy about being forced to support EMOJI and remote-loaded fonts from fonts.google.com, even though my sites do not use them!

        The REST API may be a boon for (some) actual web-application developers, but what about the rest of us who will not very likely use this? ? ?

  16. Kasey says

    How likely is it that a plugin will be using this functionality. Just for example would contact forms be utilizing this? Not keen on turning it off in case it breaks anything.

Leave a Reply to D. Joe Chaffin Cancel reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.