Spring Sale! Save 30% on all books w/ code: PLANET24
Web Dev + WordPress + Security

WordPress Plugin: Disable WP REST API

[ Disable WP REST API ] Welcome to the official homepage for my free WordPress plugin, Disable WP REST API. This page explains what the plugin does, how it works, how to test the plugin, and why anyone would anyone on earth want to disable the REST API, for crying out loud, all explained on this page. If that sounds like you, you’re in the right place.

If you are looking for plugin documentation, visit Disable WP REST API at WordPress.org. There you will find installation steps, support forum, translation tools, and more.

The fast, simple way to prevent abuse of your site’s REST/JSON API

Usage

This plugin does one thing: disables the WP REST API for visitors who are not logged into WordPress. No configuration required. Just activate and done.

Features

This plugin works with only 22 short lines of code (less than 2KB). So it is super lightweight, fast, and effective. More features include:

  • Disable REST/JSON for visitors (not logged in)
  • Disables REST header in HTTP response for all users
  • Disables REST links in HTML head for all users
  • 100% plug-and-play, set-it-and-forget solution

How does it working?

What this plugin does under the hood depends on which version of WordPress you are using. Here is a summary of each:

WordPress v4.7 and beyond

For WordPress 4.7 and better, this plugin completely disables the WP REST API unless the user is logged into WordPress.

  • For logged-in users, WP REST API works normally
  • For logged-out users, WP REST API is disabled

So what happens if logged-out visitor makes a JSON/REST request? They will get only a simple message:

rest_login_required: REST API restricted to authenticated users.

Pro Tipz: This message may customized via the filter hook, disable_wp_rest_api_error.

Older versions of WordPress

For WordPress versions less than 4.7, this plugin simply disables all REST API functionality for all users.

How do I test that REST is disabled?

Testing is easy:

  1. Log out of WordPress
  2. Using a browser, request https://example.com/wp-json/

If you see the following message, REST is disabled:

rest_login_required: REST API restricted to authenticated users.

Then if you log back in and make a new request for https://example.com/wp-json/, you will see that REST is working normally.

FAQs

Here are some questions I’ve received so far:

There already is another “Disable REST” plugin?

Yep, actually there are two other “Disable REST” plugins:

The first of those plugins is awesome and provides a LOT more features and functionality than is required to simply disable REST. And the second plugin was shut down due to lack of use. I wrote my disable-REST plugin because I wanted something super lightweight, fast, and effective. If you are looking for more options and features, then check out the first of those two listed alternatives.

Why would anyone want to disable the REST API?

Technically this plugin only disables REST API for visitors who are not logged in to WordPress. With that in mind, here are some good reasons why someone would want to disable REST API for non-logged users:

  • The REST API may not be needed for non-logged users
  • Disabling the REST API conserves server resources
  • Disabling the REST API minimizes potential attack vectors
  • Disabling the REST API prevents content scraping and plagiarism

I’m sure there are other valid reasons, but you get the idea :)

And yes, I use this plugin on most of my own WordPress-powered sites. It adds another layer of protection against the previously described threats.

How to allow access for Contact Form 7?

As explained in this thread, the plugin Contact Form 7 requires REST API access in order for the contact form to send emails. To allow for this, you can install our free plugin to allow REST access for CF7 (click to download 1 KB ZIP file). Simply install, activate and done. When used together with the Disable WP REST API plugin, the CF7 addon will enable sending emails to work again.

Update 2023/02/25: The CF7 REST addon worked great in previous versions of CF7. But in newer versions there is a bug where success/error messages are not displayed on the form. You can read more about it in this forum post.

Update 2023/02/26: A new technique is available for enabling Contact Form 7 with Disable WP REST API plugin. Check that link for complete tutorial.

Download

About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.
The Tao of WordPress: Master the art of WordPress.

7 responses to “WordPress Plugin: Disable WP REST API”

  1. Cool, but are/were you aware of the Disable REST API plugin (https://wordpress.org/plugins/disable-json-api/) that basically seems to do the same thing?

    • Jeff Starr 2018/06/11 8:52 am

      Yes, this is covered in the plugin’s FAQ section at WordPress.org. I updated the article above to include the infos here as well. Check it out and let me know if anything isn’t 100% clear, thank you Pieter.

      • Great, thanks!
        Hopefully the plugin will get a few downloads fast as I was just searching for it from within the WP Dashboard and it only became visible on page 2 :(

        Of course this says more about the problematic search system in WP than about the popularity of the plugin, but it’s good to know from a user perspective…
        Cheers!

      • Jeff Starr 2018/06/12 8:21 am

        Part of the search algo takes into account the age of the plugin. So, because this plugin currently is only about 7 days old, it’s no surprise that it’s not on the first page of the search results. Give it time, the plugin will do fine. And even if it doesn’t I really don’t care, because I developed the plugin primarily for my own sites :)

  2. Jim S Smith 2018/06/26 6:22 pm

    Pretty nice idea, Jeff.

    I have found a bit of “function”-code that works with my current theme/template. It seems to do well too, but a usable plug-in sounds like a great fit for those who do not feel confident to “get under the hood”.

    I also use a small bit of .htaccess work:

    RewriteRule /wp-json(/.*|) - [F]

    Being that I do not use REST-API at all, I have no need of it.

    – Also,

    Whenever you are thinking of another IP “bad-list”, I may have a few candidates to add to it? – Though, I am blocking by 16 or 24-bit mask.

    Anyway,

    Will check this new plug-in out.

    – Jim

    • Jeff Starr 2018/06/27 8:20 am

      Thanks Jim, always love a good .htaccess technique, especially if it helps to secure WordPress.

      Definitely would be interested in including your bad IP candidates. Hit me up via my contact form and we can continue from there.

      Thanks Jim!

      • Jim S Smith 2018/07/04 5:49 pm

        Not a problem, friend!

        As a matter of fact,

        I decided to start some serious work on a custom firewall solution. After seeing some of the egregious attempts at my one website (which is, for now, still in “maintenance mode”- pending the finishing touches), I set about working on coding a flexible, “adaptable” firewall (in PHP) that will help flag some of these bad IPs, automatically. I decided to also incorporate the use of “RewriteMap” and its map-file (being that this is for my VPS-hosted website).

        So,

        I am most-willing to share some of my “hacking intelligence” data as it is collected. Again, I am all for a safer internet.

        I will also leave some “thank-you’s” in my coding, for some of the great ideas and suggestions you published. (Not sure how much time you have with VPS’s, but I can honestly say that I have “built” my webserver (twice?!?) from the ground up.) – So, this has been quite a voyage for me.

        Thank you ever so much, for such great websites, and first-rate info! My hands-on practical application of problem-solving skills, especially in PHP, has benefited greatly.

        – Jim

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Blackhole Pro: Trap bad bots in a virtual black hole.
Thoughts
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.