How to Disable WordPress REST API (2 Methods)

With the REST API, you can connect your WordPress site to third-party services and apps. Unfortunately, this connection can leave your site vulnerable to attacks. Therefore, you may be looking for a way to disable the WordPress REST API.

This process is easier than you might think. You can simply use a plugin or add a piece of code to your site to disable it. This will help protect your site from common cyber crimes such as brute-force attacks.

What is the REST API?

The WordPress REST API is a tool that enables developers to integrate WordPress into third-party web applications. They can do it remotely, without having to log in to the website.

To get a better understanding of how it works, let’s take a look at its two main components:

  • Application Programming Interface (API) is a program that enables two applications to communicate with each other.
  • Representational State Transfer (REST) is a set of guidelines that developers must follow when creating an API. These include things like using cacheable data and enabling the website and server to function independently of each other.

Therefore, the REST API is an interface designed with these standards in mind. With this API, other apps are able to access the WordPress database to fetch data. In fact, many WordPress plugins use the WordPress REST API in order to function properly.

The REST API sends and receives data in the form of JSON (JavaScript Object Notation) objects. This means that front-end developers without knowledge of PHP (which is the programming language on which WordPress is built) are still able to work on the content management system.

Why would you want to disable the WordPress REST API?

The REST API is built into WordPress and is readily available. Although this can be very useful, it also leaves your site vulnerable to attacks.

For example, hackers may be able to access your data through REST APIs. By default, the interface makes usernames publicly viewable, which can lead to brute-force attacks. This happens when hackers try to access your site using different combinations of passwords and usernames.

REST APIs can also make your site vulnerable to Distributed Denial-of-Service (DDoS) attacks. This happens when malicious actors try to make your site unavailable by flooding it with fake traffic.

Even if you are taking the necessary precautions to keep your site secure, this tool can still be resource-heavy and slow down your site. So, you might want to disable WordPress REST API if you don’t have any real use for it.

How to disable REST API in WordPress

Now, let’s take a look at the two main ways to disable the WordPress REST API, starting with the easier option.

Before proceeding, you might want to create a backup of your site. This way, if you accidentally break your site while disabling the REST API, you can easily restore a copy. Alternatively, you can try it on a staging site first, then push your changes to live.

  1. Using a plugin
  2. Using a code snippet

1. Using a Plugin

The easiest way to disable the WordPress REST API is with a plugin such as Disable REST API. This tool will automatically disable this feature when activated. However, it also enables you to grant access to certain endpoints and allow particular users on your site to use the REST API.

Note that this plugin hasn’t been updated for a while and may cause compatibility issues with other plugins on your site. Therefore, you might want to test this on your staging site first.

You can go ahead and install the plugin on your site. Once you hit Activate, the REST API will automatically be inaccessible to normal users on your site.

If you want to allow access only to specific users or endpoints, you can navigate to Settings > Disable REST API.

From the dropdown menu, you can select the user role that will have access to the REST API. Then, you can choose to either give them full access or only allow them access to certain endpoints.

If you choose Manage REST API access, you’ll get a list of all the endpoints on your site.

Using toggle switches, you can choose which endpoints the user will have access to. When you’re ready, click Save Changes.

2. Using a Code Snippet

You can also disable the WordPress REST API by adding code to your site manually. While it may sound a bit daunting, it’s actually a straightforward process, especially if you use a plugin like Code Snippets to enter the code.

If you already have this plugin on your site, it makes more sense to use the same tool to disable the REST API, rather than installing another plugin. You can also opt for this plugin if you want more control over the code you want to add to your site.

Once you have Code Snippets set up on your site, go to Snippets > Add New.

Name the snippet “Disable REST API” and paste the following code in the box provided:

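    // Reject every REST API request at the authentication stage.
    add_filter( 'rest_authentication_errors', 'disable_rest_api' );

    function disable_rest_api( $access ) {
        // Returning a WP_Error here stops the request before any endpoint runs.
        return new WP_Error(
            'rest_disabled',
            __( 'WordPress Rest API has been disabled.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }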

Be sure to select Run snippet everywhere. Then, scroll down and click Save Changes and Activate. This will disable the WordPress REST API on your site.
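The snippet above returns an error for every REST request, including requests from logged-in administrators, and the block editor depends on those requests. The following added example (not from the original article or from any plugin it mentions) uses the same `rest_authentication_errors` filter to refuse only anonymous requests, which still closes the public username listing described earlier; the function name `example_require_login_for_rest` and the error code `rest_not_logged_in` are hypothetical, and it is meant to be added the same way as the snippet above, in place of it.

```php
/**
 * Added example: require a logged-in user for every REST API request
 * instead of rejecting all requests.
 *
 * The function name and error code are hypothetical; the hook and the
 * helper functions (is_wp_error, is_user_logged_in, WP_Error) are
 * WordPress core APIs.
 *
 * @param WP_Error|null|true $result Decision made by earlier handlers:
 *                                   null  = no decision yet,
 *                                   true  = authentication succeeded,
 *                                   WP_Error = authentication failed.
 * @return WP_Error|null|true
 */
function example_require_login_for_rest( $result ) {
    // An earlier authentication handler already decided: keep its verdict
    // so this filter does not override it.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Anonymous visitor: refuse the request with HTTP 401 before any
    // endpoint (including /wp/v2/users) is dispatched.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }

    // Logged-in user: return the result unchanged so each endpoint's own
    // permission checks still apply (for example, in the block editor).
    return $result;
}
add_filter( 'rest_authentication_errors', 'example_require_login_for_rest' );
```

Any plugin that serves anonymous visitors through REST routes will also receive this 401, so try it on a staging site first.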

Conclusion

The WordPress REST API enables you to connect your site to third-party applications. However, this feature can also make your site vulnerable to brute force attacks and other security threats.

So, if you do not need it, you can disable it.

In short, here’s how to disable the WordPress REST API:

  1. Use a plugin like Disable REST API to disable it automatically.
  2. Add a piece of code manually via the Code Snippets plugin.

 

 

About the author

Supriya Srivastava

My name is Supriya Srivastava. I started designing this website for knowledgebase blogs about WordPress issues, Direct Admin, cPanel and Cloudflare.

I scoured the web to find a resource that could help clients and other new WordPress users.