How to Disable the REST API in WordPress

To easily disable the WP REST API on your WordPress website, you can add a simple code snippet to your theme’s functions.php file or create a custom plugin. Here’s how to do it:

Method 1: Add Code to functions.php

  1. Open your theme’s functions.php file (located in wp-content/themes/your-theme/).
  2. Add the following code to disable the WP REST API:

// Disable the REST API
add_filter('rest_authentication_errors', function( $result ) {
    if ( ! empty( $result ) ) {
        return $result;
    }

    if ( ! is_user_logged_in() ) {
        return new WP_Error('rest_disabled', __('The REST API on this site has been disabled.'), array('status' => 403));
    }

    return $result;
});

With this filter in place, any REST API request from a visitor who is not logged in is rejected with a 403 error, while logged-in users keep access.

Method 2: Create a Custom Plugin

  1. Create a new file in your wp-content/plugins/ directory, for example, disable-rest-api.php.
  2. Add the following code to the file:

<?php
/*
Plugin Name: Disable REST API
Description: Disables the WordPress REST API for non-logged-in users.
Version: 1.0
Author: Your Name
*/

// Disable the REST API
add_filter('rest_authentication_errors', function( $result ) {
    if ( ! empty( $result ) ) {
        return $result;
    }

    if ( ! is_user_logged_in() ) {
        return new WP_Error('rest_disabled', __('The REST API on this site has been disabled.'), array('status' => 403));
    }

    return $result;
});

  3. Activate the plugin from the WordPress admin dashboard.

Optional: Completely Disable REST API

If you want to completely disable the REST API, including for logged-in users, you can use the following code snippet instead:

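In functions.php

// Completely disable the REST API.
// The 'rest_enabled' filter has been deprecated since WordPress 4.7 and no longer
// switches the API off, so every request is rejected here instead. This also
// blocks logged-in users, including the block editor, which relies on the REST API.
add_filter('rest_authentication_errors', function( $result ) {
    return new WP_Error('rest_disabled', __('The REST API on this site has been disabled.'), array('status' => 403));
});
add_filter('rest_jsonp_enabled', '__return_false');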

// Remove REST API info from head and headers
remove_action('xmlrpc_rsd_apis', 'rest_output_rsd');
remove_action('wp_head', 'rest_output_link_wp_head', 10);
remove_action('template_redirect', 'rest_output_link_header', 11);
remove_action('auth_cookie_malformed', 'rest_cookie_collect_status');
remove_action('auth_cookie_expired', 'rest_cookie_collect_status');
remove_action('auth_cookie_bad_username', 'rest_cookie_collect_status');
remove_action('auth_cookie_bad_hash', 'rest_cookie_collect_status');
remove_action('auth_cookie_valid', 'rest_cookie_collect_status');
remove_filter('rest_authentication_errors', 'rest_cookie_check_errors', 100);

In a Custom Plugin

  1. Create a new file in your wp-content/plugins/ directory, for example, disable-rest-api-complete.php.
  2. Add the following code to the file:

<?php
/*
Plugin Name: Completely Disable REST API
Description: Completely disables the WordPress REST API.
Version: 1.0
Author: Your Name
*/

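// Completely disable the REST API.
// The 'rest_enabled' filter has been deprecated since WordPress 4.7 and no longer
// switches the API off, so every request is rejected here instead. This also
// blocks logged-in users, including the block editor, which relies on the REST API.
add_filter('rest_authentication_errors', function( $result ) {
    return new WP_Error('rest_disabled', __('The REST API on this site has been disabled.'), array('status' => 403));
});
add_filter('rest_jsonp_enabled', '__return_false');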

// Remove REST API info from head and headers
remove_action('xmlrpc_rsd_apis', 'rest_output_rsd');
remove_action('wp_head', 'rest_output_link_wp_head', 10);
remove_action('template_redirect', 'rest_output_link_header', 11);
remove_action('auth_cookie_malformed', 'rest_cookie_collect_status');
remove_action('auth_cookie_expired', 'rest_cookie_collect_status');
remove_action('auth_cookie_bad_username', 'rest_cookie_collect_status');
remove_action('auth_cookie_bad_hash', 'rest_cookie_collect_status');
remove_action('auth_cookie_valid', 'rest_cookie_collect_status');
remove_filter('rest_authentication_errors', 'rest_cookie_check_errors', 100);

  3. Activate the plugin from the WordPress admin dashboard.

By following any of these methods, you will disable the WP REST API on your website, enhancing security and reducing potential attack vectors.
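
To confirm the change took effect, the following added example (not part of the original article) classifies an anonymous response from /wp-json/ and looks for REST API discovery hints left on a normal page. The function names and sample responses are constructed for illustration; it assumes the rest_disabled error code used in the snippets above.

```python
import json

API_REL = "https://api.w.org/"  # link relation WordPress uses to advertise the REST API

def check_api_response(status, body):
    """Classify one anonymous response from /wp-json/ (status code and raw body)."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return "unknown"          # not JSON: a proxy, WAF or cache answered instead
    if status == 403 and data.get("code") == "rest_disabled":
        return "blocked"          # the WP_Error returned by the filter
    if status == 200 and "routes" in data:
        return "exposed"          # the API index is still served to anonymous clients
    return "unknown"

def check_front_page(headers, html):
    """List the REST API discovery hints still present on a normal page."""
    hints = []
    link = ",".join(v for k, v in headers.items() if k.lower() == "link")
    if API_REL in link:
        hints.append("Link header")
    if f'rel="{API_REL}"' in html or f"rel='{API_REL}'" in html:
        hints.append("<link> tag in head")
    return hints

# Constructed sample responses (not captured from a real site).
BLOCKED = (403, '{"code":"rest_disabled","message":"The REST API on this site '
                'has been disabled.","data":{"status":403}}')
EXPOSED = (200, '{"name":"Example","namespaces":["wp/v2"],"routes":{"/":{}}}')
PAGE_HEADERS = {"Content-Type": "text/html",
                "Link": '<https://example.test/wp-json/>; rel="https://api.w.org/"'}
PAGE_HTML = "<head><link rel='https://api.w.org/' href='https://example.test/wp-json/' /></head>"

if __name__ == "__main__":
    print(check_api_response(*BLOCKED))
    print(check_api_response(*EXPOSED))
    print(check_front_page(PAGE_HEADERS, PAGE_HTML))
    print(check_front_page({"Content-Type": "text/html"}, "<head></head>"))
```

Feed it the status, headers and body from a logged-out request to your own site; an "unknown" result usually means something in front of WordPress answered the request.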
