WordPress Plugin: Disable WP REST API

Welcome to the official homepage for my free WordPress plugin, Disable WP REST API. This page explains what the plugin does, how it works, how to test it, and why anyone would want to disable the REST API, for crying out loud. If that sounds like you, you’re in the right place.

If you are looking for plugin documentation, visit Disable WP REST API at WordPress.org. There you will find installation steps, support forum, translation tools, and more.

Download Disable WP REST API »

The fast, simple way to prevent abuse of your site’s REST/JSON API

Usage

This plugin does one thing: disables the WP REST API for visitors who are not logged into WordPress. No configuration required. Just activate and done.

Features

This plugin works with only 22 short lines of code (less than 2KB). So it is super lightweight, fast, and effective. More features include:

  • Disables REST/JSON for visitors (not logged in)
  • Disables REST header in HTTP response for all users
  • Disables REST links in HTML head for all users
  • 100% plug-and-play, set-it-and-forget-it solution

How does it work?

What this plugin does under the hood depends on which version of WordPress you are using. Here is a summary of each:

WordPress v4.7 and beyond

For WordPress 4.7 and later, this plugin completely disables the WP REST API unless the user is logged into WordPress.

  • For logged-in users, WP REST API works normally
  • For logged-out users, WP REST API is disabled

So what happens if a logged-out visitor makes a JSON/REST request? They will get only a simple message:

rest_login_required: REST API restricted to authenticated users.

Pro Tip: This message may be customized via the filter hook, disable_wp_rest_api_error.

Older versions of WordPress

For WordPress versions less than 4.7, this plugin simply disables all REST API functionality for all users.

How do I test that REST is disabled?

Testing is easy:

  1. Log out of WordPress
  2. Using a browser, request https://example.com/wp-json/

If you see the following message, REST is disabled:

rest_login_required: REST API restricted to authenticated users.

Then if you log back in and make a new request for https://example.com/wp-json/, you will see that REST is working normally.
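
The same test can be scripted. This is an added example, not the plugin's code: it checks an anonymous /wp-json/ response for the rest_login_required error, and checks that the REST Link header and head link listed under Features are no longer advertised. The function names are hypothetical, the sample responses are constructed, and the 401 status in the sample is an assumption; api.w.org is the link relation WordPress uses for its REST root.

```python
import json
import re
import urllib.error
import urllib.request

API_REL = "https://api.w.org/"  # link relation WordPress uses to advertise REST


def rest_blocked(body):
    """True if a /wp-json/ response body is the login-required error."""
    try:
        data = json.loads(body)
    except ValueError:  # HTML error page, empty body, etc.
        return False
    return isinstance(data, dict) and data.get("code") == "rest_login_required"


def advertises_rest(headers, html=""):
    """True if a page still exposes the REST root via Link header or head link."""
    in_header = any(k.lower() == "link" and API_REL in v for k, v in headers)
    in_head = re.search(r"<link[^>]+rel=['\"]%s['\"]" % re.escape(API_REL), html, re.I)
    return in_header or bool(in_head)


def fetch(url):
    """Anonymous GET (no cookies); returns (headers, body) even on 4xx replies."""
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # an error reply still carries headers and a body
    return list(resp.headers.items()), resp.read().decode("utf-8", "replace")


# Constructed sample responses, not captured from a real site (status value assumed).
BLOCKED = ('{"code":"rest_login_required","message":'
           '"REST API restricted to authenticated users.","data":{"status":401}}')
OPEN = '{"name":"Example Site","namespaces":["wp/v2"]}'
STOCK_HEADERS = [("Link", '<https://example.com/wp-json/>; rel="https://api.w.org/"')]
STOCK_HTML = "<head><link rel='https://api.w.org/' href='https://example.com/wp-json/' /></head>"

if __name__ == "__main__":
    print(rest_blocked(BLOCKED), rest_blocked(OPEN))
    print(advertises_rest(STOCK_HEADERS, STOCK_HTML))
    print(advertises_rest([("Content-Type", "text/html")], "<head></head>"))
```

To check a live site, pass the body from fetch("https://example.com/wp-json/") to rest_blocked, and the headers and HTML from fetch on the home page to advertises_rest.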

FAQs

Here are some questions I’ve received so far:

There already is another “Disable REST” plugin?

Yep, actually there are two other “Disable REST” plugins:

The first of those plugins is awesome and provides a LOT more features and functionality than is required to simply disable REST. And the second plugin was shut down due to lack of use. I wrote my disable-REST plugin because I wanted something super lightweight, fast, and effective. If you are looking for more options and features, then check out the first of those two listed alternatives.

Why would anyone want to disable the REST API?

Technically this plugin only disables the REST API for visitors who are not logged in to WordPress. With that in mind, here are some good reasons why someone would want to disable the REST API for logged-out users:

  • The REST API may not be needed for logged-out users
  • Disabling the REST API conserves server resources
  • Disabling the REST API minimizes potential attack vectors
  • Disabling the REST API prevents content scraping and plagiarism

I’m sure there are other valid reasons, but you get the idea :)

And yes, I use this plugin on most of my own WordPress-powered sites. It adds another layer of protection against the previously described threats.

Download

Download Disable WP REST API »