Do you want to disable the WordPress REST API but don’t know how to do it? Don’t worry; we’ve got you covered.
In this article, we will explain how to disable or restrict the REST API in WordPress and why that matters for your website’s security.
The REST API is a standard reconnaissance target: by default it answers unauthenticated requests, and its users endpoint (wp-json/wp/v2/users) hands an attacker a list of valid usernames to feed into password guessing.
According to Sucuri, a leading website security company, 73% of hacked WordPress websites in 2020 were due to vulnerable plugins and themes; many of those plugins register their own REST endpoints, so the API is also where a number of their flaws become reachable from the outside.
If you’re wondering what the REST API is and why restricting it is worthwhile for your website’s security, then keep reading.
In this article, we’ll provide a step-by-step guide on how to disable the REST API in WordPress and explain how doing so shrinks the attack surface hackers can probe.
What is the WordPress REST API?
The WordPress REST API is an interface, built into core since WordPress 4.4 (with the content endpoints since 4.7, served under yourwebsite.com/wp-json/), that allows developers to build web and mobile applications on top of the WordPress platform’s data.
It enables fetching, updating, and deleting content from remote locations through HTTP requests. Reading public content needs no login, while changes require authentication (a cookie plus a REST nonce, or an Application Password). While it offers numerous benefits, some users may want to disable it for security reasons or other purposes.
Why You Should Disable WordPress REST API
If you’re a WordPress website owner, you may have heard about the REST API feature that allows developers to access site data and perform actions remotely.
While this feature can be useful, it also widens your site’s attack surface, which is why many users choose to restrict it. Here are some reasons why you should consider doing so:
1. Information Disclosure: Many endpoints answer without any authentication. wp-json/wp/v2/users lists every account that has published content, including its login slug, which gives attackers a ready list of valid usernames; posts, media and comments expose metadata as well. Credentials are never returned, but a username list is half of a login attempt.
2. Brute Force Attacks: Those usernames are then fed to automated password guessing against wp-login.php and xmlrpc.php. Since WordPress 5.6 the API itself also accepts HTTP Basic authentication with Application Passwords on every request, so it is one more place where credentials are checked and should be rate-limited and logged.
3. Denial of Service: API endpoints that run searches or large queries are more expensive than cached pages and are rarely served from a page cache, so a flood of requests against them consumes server resources quickly.
To restrict access to the WordPress REST API, you can either use a plugin or add code to your site’s functions.php file. Either way, unauthenticated visitors lose access to the API while logged-in users keep it.
While the WordPress REST API can be a helpful tool for developers, weigh the benefits against these risks: if nothing on your site needs the API for logged-out visitors, requiring a login for every call removes the exposure at little cost.
How to Disable WordPress REST API [3 Methods]
If you want to disable the WordPress REST API to improve your website’s security and privacy, there are three methods available. The first uses a plugin, the second adds the legacy filters to your theme’s functions.php, and the third requires a login for every API request with a small filter of your own.
All three are easy to follow. By restricting access to the WordPress REST API, you can protect your website from potential security threats.
Method 1: Use a Plugin
If you are concerned about the security of your WordPress website, disabling REST API can be an effective measure. Luckily, it’s relatively simple to accomplish this task using plugins.
In this section, we’ll help you utilize the Disable WP REST API plugin to disable REST API on your website.
All you need to do is to install and activate Disable WP REST API plugin from Plugins → Add New.
That’s it! Once activated, the plugin will automatically block all requests to the REST API on your site for logged-out users.
Using a plugin is the quickest way to restrict REST API access on your WordPress site, and it can be switched off again just as easily.
You can check if the REST API is actually disabled on your website by opening this link while logged out: yourwebsite.com/wp-json
If this URL returns a 401 JSON error instead of the list of routes, the REST API is disabled for visitors. Check the query-string form as well, yourwebsite.com/?rest_route=/wp/v2/users, which reaches the same API without the wp-json prefix and must be blocked too.
Method 2: Disable WordPress Rest API Without Plugin
In this section, we will cover the filters that were originally used to disable the WordPress REST API without a plugin. Read the note after the code before relying on this method: on current WordPress versions it only disables JSONP output.
Follow these steps to add the filters without a plugin:
STEP 1: Go to Appearance → Theme File Editor. (Edits to functions.php are lost when the theme updates, so use a child theme or a mu-plugin for anything permanent.)
STEP 2: Open the functions.php file, and paste the following code to the file:
/** Disable REST API **/
// Filters for the WP-API 1.x plugin (pre-WordPress 4.4). They have no
// effect on the REST API that ships in WordPress core.
add_filter('json_enabled', '__return_false');
add_filter('json_jsonp_enabled', '__return_false');
// Filters for WP-API version 2.x / WordPress core.
// 'rest_enabled' switched the API off in WordPress 4.4-4.6; it was
// deprecated in 4.7 and is ignored since then, which is why it is commented out.
// add_filter('rest_enabled', '__return_false');
// Still effective: refuse JSONP responses (?_jsonp=callback), which would
// let a third-party page read API responses cross-origin as a script.
add_filter('rest_jsonp_enabled', '__return_false');
On WordPress 4.7 and later this code does not turn the API off: the rest_enabled switch was removed in 4.7, so only the JSONP filter still does anything. Public endpoints, including wp-json/wp/v2/users, remain reachable by logged-out visitors. To actually block unauthenticated requests on a current WordPress, use the rest_authentication_errors hook described in Method 3.
STEP 3: Save and Test Your Changes
As a logged-out visitor, open yourwebsite.com/wp-json/wp/v2/posts?_jsonp=cb. With JSONP disabled, WordPress answers with a 400 error whose code is rest_callback_disabled. The same URL without the _jsonp parameter still returns 200 on WordPress 4.7 and later, which confirms that this method alone does not disable the API.
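Since the filters above leave wp/v2/users open on current WordPress, here is an added example (not code from the original article, from WordPress core, or from any plugin) that removes only the user-enumeration routes for unauthenticated requests and leaves every other REST route in place. It suits a site that cannot block the whole API because a theme or plugin calls it for logged-out visitors. The route keys are the ones core registers in WP_REST_Users_Controller; drop the opening <?php tag if you paste this into an existing functions.php.

```php
<?php
/*
 * Added example: hide the REST user-enumeration endpoints from
 * unauthenticated requests. Not part of the original article or of
 * WordPress core. Place in functions.php (without the <?php line)
 * or in wp-content/mu-plugins/hide-rest-users.php (file name assumed).
 */
add_filter( 'rest_endpoints', function ( $endpoints ) {
	// Logged-in users (cookie + nonce, or an Application Password) keep
	// the normal endpoint list; the users controller applies its own
	// capability checks for them.
	if ( is_user_logged_in() ) {
		return $endpoints;
	}

	// Route keys exactly as core registers them in WP_REST_Users_Controller.
	// Removing them makes WordPress answer 404 "rest_no_route" instead of
	// listing usernames and slugs. Single quotes keep \d literal.
	$user_routes = array(
		'/wp/v2/users',
		'/wp/v2/users/(?P<id>[\d]+)',
	);
	foreach ( $user_routes as $route ) {
		unset( $endpoints[ $route ] );
	}
	return $endpoints;
} );
```

Verify while logged out: both yourwebsite.com/wp-json/wp/v2/users and yourwebsite.com/?rest_route=/wp/v2/users should now return a 404 rest_no_route error. This is a partial measure: author archives (the /?author=1 redirect) still reveal usernames, so pair it with a block on author enumeration if that matters to you.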
Method 3: Restrict Access to WordPress Rest API
In this section, we’ll discuss how to restrict access to the WordPress REST API so that every request must be authenticated, which is the approach WordPress itself points to now that the API can no longer be switched off.
By restricting access, you can prevent unauthorized requests from reading your site’s data through the API, while logged-in users, the block editor and clients using Application Passwords keep working.
If you add an is_user_logged_in() check to the rest_authentication_errors filter, you will be able to require authentication for all REST API calls.
Here’s how you can do it in a few simple steps:
STEP 1: Access the functions.php file (or create a mu-plugin, which survives theme updates).
STEP 2: Paste the following code to the file:
add_filter( 'rest_authentication_errors', function( $result ) {
	// If a previous authentication check was applied,
	// pass that result along without modification.
	if ( true === $result || is_wp_error( $result ) ) {
		return $result;
	}

	// No authentication has been performed yet.
	// Return an error if user is not logged in.
	if ( ! is_user_logged_in() ) {
		return new WP_Error(
			'rest_not_logged_in',
			__( 'You are not currently logged in.' ),
			array( 'status' => 401 )
		);
	}

	// Our custom authentication check should have no effect
	// on logged-in requests
	return $result;
} );
Please note that the incoming callback parameter can be null, a boolean, or a WP_Error. The type of the parameter indicates the state of the authentication process:
1. null: Authentication hasn’t been checked yet, and the hook callback may apply custom authentication.
2. boolean: An authentication method has already been checked. A true value indicates a successful authentication, while a false value indicates a failed authentication.
3. WP_Error: An earlier check failed with that error; pass it through unchanged.
Core’s own cookie check (rest_cookie_check_errors) runs on the same filter at priority 100, after this callback, so leave the callback at the default priority of 10; it then sees the real logged-in state before core treats cookie requests without a REST nonce as anonymous.
STEP 3: Check your website to ensure it is working properly. Log out (or use a private window) and open yourwebsite.com/wp-json and yourwebsite.com/?rest_route=/wp/v2/users; both should return the 401 rest_not_logged_in error. Test while logged out on purpose: a logged-in browser tab that carries no REST nonce passes this callback and is then treated by core as anonymous, so it still shows the normal response.
That’s it! With these simple steps, you have restricted access to the WordPress REST API, making your website more secure.
Important Note: This method breaks any plugin or theme that calls the REST API for logged-out visitors (front-end forms, oEmbed discovery of your posts, headless front ends, some e-commerce carts), while the block editor and other logged-in tooling keep working because their requests are authenticated. Test your website thoroughly after making this change.
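When something on the public site does need the API, an allow-list is safer than giving up on Method 3. The following is an added example, not code from the original article, from WordPress core, or from any plugin: it keeps the rest_authentication_errors approach above but lets anonymous requests through for a few named namespaces and denies everything else, including wp/v2/users. The two namespaces in the list are assumptions for illustration; replace them with the ones your own site registers (open /wp-json while logged in to see them). Drop the opening <?php tag if you paste this into an existing functions.php.

```php
<?php
/*
 * Added example: require a login for the REST API, except for an
 * allow-list of namespaces that logged-out visitors may call.
 * Not part of the original article or of WordPress core. Keep it at the
 * default priority so it runs before core's cookie check (priority 100).
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
	// Another authentication check already decided (true or WP_Error).
	if ( true === $result || is_wp_error( $result ) ) {
		return $result;
	}

	// Authenticated by cookie + nonce or by an Application Password
	// (WordPress 5.6+ HTTP Basic auth): leave logged-in requests alone.
	if ( is_user_logged_in() ) {
		return $result;
	}

	// The route as WordPress parsed it. It is the same for the pretty form
	// (/wp-json/wp/v2/users) and the query form (/?rest_route=/wp/v2/users),
	// so both spellings are covered by one check.
	$route = '';
	if ( isset( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
		$route = untrailingslashit( $GLOBALS['wp']->query_vars['rest_route'] );
	}

	// Namespaces logged-out visitors may still call. Both entries are
	// assumed examples; list only what your front end actually needs.
	$public_namespaces = array(
		'/oembed/1.0',        // core oEmbed discovery for embeds of your posts
		'/contact-form-7/v1', // hypothetical: a contact form that submits via REST
	);
	foreach ( $public_namespaces as $ns ) {
		// Match the namespace exactly or as a path prefix followed by "/",
		// so an entry "/wp/v2/post" could never allow "/wp/v2/posts".
		if ( $route === $ns || 0 === strpos( $route, $ns . '/' ) ) {
			return $result;
		}
	}

	// Everything else, including the API index and /wp/v2/users, needs a login.
	return new WP_Error(
		'rest_not_logged_in',
		__( 'You are not currently logged in.' ),
		array( 'status' => 401 )
	);
} );
```

Test it the same way as Method 3: logged out, yourwebsite.com/wp-json and yourwebsite.com/?rest_route=/wp/v2/users must return the 401 error, while a URL under one of the listed namespaces (for example yourwebsite.com/wp-json/oembed/1.0/embed?url=...) still answers. Because the list is compared against the parsed route rather than the raw URL, rewriting tricks such as extra slashes or the rest_route form do not bypass it.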
FAQ
Disabling the REST API can help improve your website’s security by preventing unauthorized access to your site’s data (usernames in particular) and functionality through REST API requests.
There are several ways to disable the REST API in WordPress, but the easiest method is by using a plugin such as Disable WP REST API, which allows you to easily disable the REST API for logged-out visitors without any coding.
Disabling the REST API may affect plugins or themes that make REST requests for logged-out visitors, such as front-end forms or headless sites. Logged-in functionality, including the block editor, keeps working because those requests are authenticated.
Conclusion
We discussed the importance of disabling or restricting the REST API in WordPress to enhance website security and privacy. We went over the step-by-step process of disabling the REST API through several methods. By following these methods, you can easily secure your website from potential threats.
We appreciate you taking the time to read this article and hope it has been helpful to you. If you have any questions or encountered any problems while following the steps mentioned in this article, please feel free to ask us in the comment section below. Our team is always here to help you.
To stay up-to-date with the latest WordPress tutorials and news, be sure to follow BetterStudio on Facebook and Twitter. Our team regularly shares helpful tips and tricks to help website owners optimize their online presence.