How to disable WordPress REST API

Posted in Tutorials


The latest version of WordPress (4.7 as of this writing) enables the WordPress REST API by default. As shown in our previous tutorial, this lets third-party sites retrieve data from your site via a URL. Not only that: with proper authentication, it can also create posts. While a username and password are required for posting, exposing this via a URL makes it easier to apply brute-force methods to try many passwords. It also defeats the purpose of two-factor authentication.

Furthermore, brute-force attempts no longer need to guess both the username and the password. They only need to guess the latter, because the REST API reveals the list of usernames simply by appending this path to your domain name in a browser…

/wp-json/wp/v2/users

This is information that is not normally publicly displayed on the site, yet the REST API reveals it.

For these reasons, some people believe that having the REST API enabled increases the attack surface and makes the site less secure. Others believe that it is not a security issue, and that disabling the REST API may break functionality in certain themes and plugins, since the REST API is not part of WordPress core and is relied on by themes and plugins.

Some tutorials may say that you can disable the REST API by adding json_enabled filters in the theme’s functions.php file.

However, this no longer works in version 4.7 of WordPress.

So your other option is to use a plugin to disable it. There are security plugins (iThemes Security is one) that have an option to turn off the REST API.

However, the one that is specifically built to disable the REST API is the “Disable REST API” plugin. When activated, you get this error message when navigating to a REST API endpoint…

[Screenshot (alt text "disable rest api"): the error message returned when requesting a REST API endpoint with the plugin active]

To test, make sure you are logged out. If you are logged in, the REST API continues to work.
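If you would rather not install a plugin, the same effect can be had with a few lines of your own in functions.php. This is an added example, not code from the tutorial or from the Disable REST API plugin; it assumes WordPress 4.7 or later, where the rest_authentication_errors filter replaces the old json_enabled filter, and it keeps the behaviour noted above that logged-in users still get a working REST API.

```php
<?php
// Added example: restrict the WordPress REST API to logged-in users.
// Place in the active theme's functions.php or in a must-use plugin file.
// Assumes WordPress 4.7+, where rest_authentication_errors is available.

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another callback has already decided (true or a WP_Error): respect it.
    if ( null !== $result ) {
        return $result;
    }

    // Logged-in users keep access, which is why the tutorial says to log out
    // before testing: the endpoints still answer for a valid session.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Anonymous requests get a 401 with a JSON error body instead of data, so
    // /wp-json/wp/v2/users no longer hands out the list of usernames.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'REST API requests are restricted to authenticated users.' ),
        array( 'status' => 401 )
    );
} );
```

Verify it the same way as the plugin: open /wp-json/wp/v2/users in a logged-out browser and confirm you get the 401 error body rather than a list of users.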