The WordPress REST API provides endpoints for WordPress data types. This allows developers to interact with sites remotely by sending and receiving JSON objects. However, most website owners do not need these features, and it may be smarter to disable the WordPress JSON REST API.
No one can deny the benefits that this API brings to WordPress developers. Simply put, it allows developers to retrieve data very easily using GET requests. This functionality is very useful if you are building apps within WordPress.
With that being said, even though this is useful for developers, most website owners do not need it at all. As a matter of fact, it could actually open up your WordPress website to DDoS attacks. It can also be very resource-heavy and slow down your site.
A slow website is not something you want, especially after you have taken so many measures to speed it up and keep it optimized.
Let’s take a look at what the WordPress REST API is and then I will show you how you can easily disable it using a solid WordPress API plugin.
What is WordPress Rest API?
The language for this is actually complicated. That being said, as simply as I can put it, the WordPress Rest API is a developer-oriented feature in WordPress.
It provides data access to the content of your site, and implements the same authentication restrictions. You see, content that is public on your website is generally publicly accessible via the REST API.
However, other types of content, like private content, are only available with authentication or if you specifically set it to be so. This type of private content includes:
- Private Content
- Password-Protected Content
- Internal Users
- Custom Post Types
So, if you are not a developer, think of it more like this. The API enables the block editor and modern plugin interfaces without compromising the security or privacy of your site.
Why You Should You Disable REST API for JSON in WordPress
While the WordPress REST API is pretty great, there is one huge problem that stands out. By default, it leaves usernames of anyone who has published content on your website open for people to see.
Allowing this kind of information to be readily visible may not be something you want. Why? The main issue revolves around hackers starting to guess passwords against all the usernames on your WordPress website.
This is known as a brute force attack.
Usually, your users will be using secure passwords and not accessing the website over an unsecured network. However, there is undoubtedly always a user somewhere using “admin” as a username and “admin1111” as a password.
You probably don’t want even the secure usernames to be readily available.
You can disable the WP-JSON REST API using some code and adding it into the functions.php file of your WordPress site. However, we are going to go over a much easier way to disable the JSON REST API using a great plugin.
Let’s take a look at the plugin we are going to use to disable WP-JSON and then we will install it and make sure it is running correctly, together.
The process is similar to enabling or disabling XMLRPC.PHP in WordPress, which many site admins disable in WordPress just to be on the safe side.
Disable REST API
The Disable REST API plugin is the most comprehensive and complete plugin available for controlling access points to the WordPress REST API. The plugin is lightweight and very easy to use.
It acts as a «set it and forget it» type of plugin, as the only settings available will be checkboxes next to your website items. Upon activation, the plugin automatically ensures that the entire REST API is protected from non-authenticated users.
You can use the main settings page to specify which endpoints should be allowed to behave as normal by simply checking on the boxes you want.
Let’s take a look at getting the plugin installed and activated.
Install and Activate the Plugin
Before you can successfully disable the JSON REST API, you first need to install and activate the plugin. You can do this from the WordPress admin dashboard of your website. Simply go to the plugins page and search it by name.
Once the plugin has been installed and activated, click on Settings > Disable REST API to head over to the main settings page for the plugin.
You will see this located in the left side menu area of your admin dashboard.
Let’s take a look at the plugin setup together and see what it takes to get it functioning correctly.
Disabling JSON REST API in WordPress
At this point you should be on the main settings page for the Disable REST API plugin. You can see that this is all there is to it. You have activated the plugin, so by default it is automatically working and protecting the entire REST API from users who are not authenticated.
That being said, oftentimes you will have plugins, services, and apps running on your site that utilize the REST API function. It is for this reason you might not want to disable the whole thing.
By using the checkbox layout that is on the settings page, you can pick and choose which applications, tools, and plugins you want using the REST API.
The number of checkboxes available and the amount will be directly connected to everything you are running on your WordPress website. So the more you have, the longer the list will be.
When you are finished click on the “Save” button to make sure all your selections take hold.
That’s it! You are now running the plugin set up how you want and have successfully disabled the REST API for JSON in WordPress.
Oftentimes it can be difficult to find a proper balance between the functionality that you want and the security that you need. Every website is different, and they come with different needs and different setups. It is a good idea to assess your website’s particular needs. This will help you make a decision on whether or not you want to disable the JSON REST API on your website.
It never hurts to do a security audit either. There are a lot of ways you can go about this, but overall, WordPress website security is always important. Make sure you have done everything you need to ensure that your website is secure and protected in every way. This means adding an SSL and working down from there.
If you aren’t sure which way to go with this, then you should contact your website developer and ask. You can also take a look at plugins that use the WordPress REST API as well. This may help you make a better decision since you can pick and choose what you want to disable through the plugin we used in this tutorial.
Have you been successful at tackling this issue without your website developer? Did you find that the plugin was easy to install and use right away?