How to Disable the JSON REST API in WordPress

Thanks to its flexibility and ease of use, the WordPress content management system (CMS) has become the most used platform for website creation. Its features are constantly being improved, and an ever-growing number of users, regardless of their programming experience, are given a chance to create a website. However, as a result of its constant improvement, some of the WordPress features are less known to the general WordPress community and, instead, are used mostly by developers. In this article, we will shine a light on one of those features—the JSON REST API in WordPress. We will discuss what it is and whether you should disable it, as well as the steps you need to take to do that.

Why you may want to disable JSON REST API in WordPress

The WordPress JSON REST API is a developer-oriented feature introduced in WordPress 4.4, and it still sparks controversy. REST, or Representational State Transfer, is a style of software architecture commonly used for building interactive web services. In practice, the REST API turns your website into a web service of its own: other applications or web services can retrieve information from your website by sending HTTP GET requests to specific routes. The WordPress REST API exchanges data entirely as structured JSON, which is why some call it the JSON REST API. An example of such JSON data, shown unformatted, appears below. It is what you get when you access the so-called REST API root route, reached by adding /wp-json to the end of your website’s URL.

WP JSON Page

Even though unformatted JSON data is hard to read, it still poses a security risk, because some WordPress or user-related data can be publicly accessible by navigating to specific REST API routes. For example, the /wp-json/wp/v2/users route exposes user-related data for the website. You can’t retrieve users’ passwords this way, but simply knowing the usernames leaves the website more exposed to brute-force login attacks. Because of this, some WordPress users opt to disable the WordPress REST API. However, we advise gathering more information before you make your call.

It is important to understand that as the WordPress core files were updated and polished, the REST API improved as well. As a result, the REST API has become an integral part of many plugin and theme functionalities. Therefore, you should consult the authors of your current theme and plugins before disabling the REST API. Otherwise, you risk breaking some of the functionalities of your theme and plugins.

Furthermore, you should be aware that even the current default WordPress editor, Gutenberg, relies on some REST API routes for editing pages and posts. If Gutenberg is your preferred editor and you disable the REST API, you will no longer be able to publish or update pages and posts.

Suffice it to say, all this poses a significant issue. A potential solution that doesn’t involve disabling the REST API entirely is restricting access for unauthenticated users on a route-by-route basis. We will cover how to do this below, while explaining how to use a plugin to disable the REST API. Nevertheless, consulting your theme and plugin authors is a must before implementing any restrictions. This is the only certain way to improve the overall security of your website without harming its functionality.

How to disable the JSON REST API in WordPress

Now that you understand why someone might want, fully or partially, to disable the JSON REST API in WordPress, let’s explain how it can be done. In the sections below, we will cover two possible methods—using a WordPress plugin or using custom code.

Using a plugin

There is a multitude of WordPress plugins on the market, which makes it relatively easy to find a suitable one for almost any purpose. In this case, we found the Disable REST API plugin, which we’ll use to outline the steps below. This plugin is very flexible: it can fully disable the REST API or disable only some routes for specific user types.

To fully disable the JSON REST API in WordPress, you only need to install and activate this plugin. By default, it disallows access to all JSON REST API routes for unauthenticated users.

This plugin also offers the possibility to partially allow or disallow REST API access. More precisely, it allows you to specify which routes can be accessed by unauthenticated users or users with specific user roles. To set this, navigate to Settings > Disable REST API. Then choose the appropriate user type with the Rules for: option and set the rules you want in the Manage Rules section below.

Settings Disable REST API

To clarify, these rules allow or disallow the use of certain REST API routes. And those routes represent parts of the URL that you can attach to the REST API root URL (your-website-url/wp-json/) to get a specific type of data. In some cases, parts of those routes can include regular expressions. You can see examples of this in the screenshot above.

With that being said, you can choose to set rules for unauthenticated users, as well as users of any user roles that are available on the website. Once you’ve done that, you will get the option to either fully allow REST API access for a given user type or to manually set the access for each available route.

To manage access route by route for a given user type, choose the Manage REST API Access option and then toggle the switch next to each of the namespaces or routes available on your website. When you have set the options according to your needs, don’t forget to save them by clicking the Save Changes button at the bottom. After you disallow a route for a certain user type, those users will get an error message when trying to access it. It will look similar to the message shown below.

WP JSON Cannot Access

Using custom code

Most WordPress users opt for the plugin method, as it is the easiest to implement. But there is another way of disabling the REST API: using custom code. The advantage of this method is that you avoid adding plugins that could slow down or otherwise harm your website. The drawback is that this method only lets you disable the REST API completely, with no per-route control.

This method consists of placing a small code snippet inside the functions.php file of your theme or within a site-specific plugin. We will show you how to do this using the functions.php file. Before going any further, however, we recommend making a backup of your website: it is both good practice and a sensible precaution. Once you’ve done that, proceed as described below.

First, you will need to connect to your server using your FTP credentials and navigate to the root WordPress directory, often called public_html.

Public HTML FTP

Then, navigate to the /wp-content/themes directory and click on the directory of your currently active theme to open it. Locate the functions.php file within, right-click on it, and select the View/Edit option from the dropdown menu.

WP-Content View Edit

Open the file using your preferred text editor and add the following code at the bottom of it.

// Reject every REST API request, for logged-in and anonymous users alike.
// WordPress passes the result of earlier authentication checks as $access;
// returning a WP_Error makes it refuse the request with that error.
function qode_disable_rest_api( $access ) {
    return new WP_Error(
        'rest_disabled',
        __( 'The WordPress REST API has been disabled.' ),
        // 401 for visitors who are not logged in, 403 for logged-in users
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_authentication_errors', 'qode_disable_rest_api' );

FTP Code

Then, save the changes you made to the file and upload it back to the server, to override its older version there.

After that, check whether everything works as it should by examining one of the JSON REST API routes that are present on your website. If you’ve successfully disabled REST API for your WordPress website, you will get an error message when trying to access that route.

WP JSON Page Disabled

However, keep in mind that this code will disallow access to all REST API routes, unlike the plugin method which provides varied allow/disallow options. Therefore, you need to decide which of these two methods suits your needs better.
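The route-by-route restriction mentioned earlier can also be done with custom code rather than the plugin. The snippet below is an added example, not code from the original article or from the Disable REST API plugin: it hooks the same rest_authentication_errors filter, but only rejects anonymous requests to the user-listing routes (/wp/v2/users and /wp/v2/users/<id>), so Gutenberg and any plugin routes keep working for everyone, and logged-in users keep full access. The function name qode_restrict_user_routes and the list of restricted route patterns are this example’s own choices; the route is read from the rest_route query var that WordPress itself uses to dispatch REST requests.

```php
<?php
/**
 * Added example: hide the user-listing REST routes from visitors who are
 * not logged in, instead of disabling the whole REST API.
 * Place it in functions.php or a site-specific plugin, as in the article.
 */
function qode_restrict_user_routes( $result ) {
    // An earlier authentication check already rejected the request; keep it.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Priority 101 (see add_filter below) runs after WordPress's own
    // cookie/nonce check (rest_cookie_check_errors, priority 100), so
    // is_user_logged_in() here reflects a nonce-verified login, not just
    // the presence of a login cookie.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Route of the current request, e.g. "/wp/v2/users" or "/wp/v2/users/1".
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route']
        : '';

    // Routes hidden from anonymous requests (a constructed list for this
    // example; add further patterns for other routes you want to keep private).
    $restricted = array(
        '#^/wp/v2/users(/|$)#',
    );

    foreach ( $restricted as $pattern ) {
        if ( preg_match( $pattern, $route ) ) {
            return new WP_Error(
                'rest_cannot_access',
                __( 'You must be logged in to access this route.' ),
                // 401 for anonymous requests (rest_authorization_required_code)
                array( 'status' => rest_authorization_required_code() )
            );
        }
    }

    // Any other route is left untouched.
    return $result;
}
add_filter( 'rest_authentication_errors', 'qode_restrict_user_routes', 101 );
```

To check the result, request your-website-url/wp-json/wp/v2/users while logged out and confirm that it returns a 401 status with the rest_cannot_access error, then confirm that the root route /wp-json and the block editor still work as before.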

Final Thoughts

The WordPress REST API is a very useful, developer-oriented feature that users of all skill levels should get to know. It allows you to quickly interact with the website using appropriate HTTP requests. However, there is an open debate regarding its usefulness as opposed to the potential harm it can cause a website. In this article, we presented some of the points from that debate and covered the ways you can disable the WordPress REST API. Since the methods we described are relatively easy, we are confident that you will be able to disable the JSON REST API for your site in minutes.