To easily disable the WP REST API on your WordPress website, you can add a simple code snippet to your theme’s functions.php file or create a custom plugin. Here’s how to do it:

Method 1: Add Code to functions.php

  1. Open your theme’s functions.php file (located in wp-content/themes/your-theme/).
  2. Add the following code to disable the WP REST API:

// Disable the REST API
add_filter('rest_authentication_errors', function( $result ) {
    if ( ! empty( $result ) ) {
        return $result;
    }

    if ( ! is_user_logged_in() ) {
        return new WP_Error('rest_disabled', __('The REST API on this site has been disabled.'), array('status' => 403));
    }

    return $result;
});

This code will disable the REST API for non-logged-in users, preventing unauthorized access.

Method 2: Create a Custom Plugin

  1. Create a new file in your wp-content/plugins/ directory, for example, disable-rest-api.php.
  2. Add the following code to the file:

<?php
/*
Plugin Name: Disable REST API
Description: Disables the WordPress REST API for non-logged-in users.
Version: 1.0
Author: Your Name
*/

// Disable the REST API
add_filter('rest_authentication_errors', function( $result ) {
    if ( ! empty( $result ) ) {
        return $result;
    }

    if ( ! is_user_logged_in() ) {
        return new WP_Error('rest_disabled', __('The REST API on this site has been disabled.'), array('status' => 403));
    }

    return $result;
});

  3. Activate the plugin from the WordPress admin dashboard.

Optional: Completely Disable REST API

If you want to completely disable the REST API, including for logged-in users, you can use the following code snippet instead:

In functions.php


// Completely disable the REST API
add_filter('rest_enabled', '__return_false');
add_filter('rest_jsonp_enabled', '__return_false');

// Remove REST API info from head and headers
remove_action('xmlrpc_rsd_apis', 'rest_output_rsd');
remove_action('wp_head', 'rest_output_link_wp_head', 10);
remove_action('template_redirect', 'rest_output_link_header', 11);
remove_action('auth_cookie_malformed', 'rest_cookie_collect_status');
remove_action('auth_cookie_expired', 'rest_cookie_collect_status');
remove_action('auth_cookie_bad_username', 'rest_cookie_collect_status');
remove_action('auth_cookie_bad_hash', 'rest_cookie_collect_status');
remove_action('auth_cookie_valid', 'rest_cookie_collect_status');
remove_filter('rest_authentication_errors', 'rest_cookie_check_errors', 100);

In a Custom Plugin

  1. Create a new file in your wp-content/plugins/ directory, for example, disable-rest-api-complete.php.
  2. Add the following code to the file:

<?php
/*
Plugin Name: Completely Disable REST API
Description: Completely disables the WordPress REST API.
Version: 1.0
Author: Your Name
*/

// Completely disable the REST API
add_filter('rest_enabled', '__return_false');
add_filter('rest_jsonp_enabled', '__return_false');

// Remove REST API info from head and headers
remove_action('xmlrpc_rsd_apis', 'rest_output_rsd');
remove_action('wp_head', 'rest_output_link_wp_head', 10);
remove_action('template_redirect', 'rest_output_link_header', 11);
remove_action('auth_cookie_malformed', 'rest_cookie_collect_status');
remove_action('auth_cookie_expired', 'rest_cookie_collect_status');
remove_action('auth_cookie_bad_username', 'rest_cookie_collect_status');
remove_action('auth_cookie_bad_hash', 'rest_cookie_collect_status');
remove_action('auth_cookie_valid', 'rest_cookie_collect_status');
remove_filter('rest_authentication_errors', 'rest_cookie_check_errors', 100);

  3. Activate the plugin from the WordPress admin dashboard.

By following any of these methods, you will disable the WP REST API on your website, enhancing security and reducing potential attack vectors.
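On WordPress 4.7 and later the rest_enabled filter is deprecated and core ignores its return value, so refusing requests has to go through rest_authentication_errors. The following is an added example, not code from the original page: it refuses every REST request, logged-in users included, except routes on an explicit allowlist. The function name, the constant and the sample route prefix are hypothetical.

```php
<?php
/*
Plugin Name: Block REST API (added example)
Description: Refuses all REST API requests except an explicit route allowlist.
Version: 1.0
Author: Your Name
*/

// Hypothetical allowlist of route prefixes that must stay reachable.
// Leave it empty to refuse every REST request, including for logged-in users.
const EXAMPLE_REST_ALLOWED_PREFIXES = array(
    // '/example-forms/v1/', // hypothetical public endpoint of a form plugin
);

// True when the requested route starts with one of the allowed prefixes.
function example_rest_route_allowed( $route ) {
    foreach ( EXAMPLE_REST_ALLOWED_PREFIXES as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

// Priority 99 runs before core's cookie/nonce check (priority 100), which
// passes an existing error through unchanged.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Keep an error already raised by an earlier authentication check.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // WordPress stores the requested route in the rest_route query variable
    // for both /wp-json/... and ?rest_route=... requests.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route']
        : '/';

    if ( example_rest_route_allowed( $route ) ) {
        return $result; // Allowed route: let the normal checks continue.
    }

    return new WP_Error(
        'rest_disabled',
        __( 'The REST API on this site has been disabled.' ),
        array( 'status' => 403 )
    );
}, 99 );
```

With the allowlist empty, the Block Editor and other admin screens that rely on the REST API stop working for logged-in users, which is the trade-off of a complete block.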

To use the classic interface instead of the Block Editor to manage widgets in WordPress, you can install the Classic Widgets plugin. This plugin restores the previous widgets settings screen, which uses the traditional interface rather than blocks. Here are the steps to do this:

Method 1: Use the Classic Widgets Plugin

  1. Go to your WordPress admin dashboard.
  2. Navigate to Plugins > Add New.
  3. Search for “Classic Widgets”.
  4. Click Install Now and then Activate.

This plugin will automatically restore the classic widget interface and disable the Block Editor for widgets.

Method 2: Add Code to functions.php

If you prefer not to use a plugin, you can add a code snippet to your theme’s functions.php file to achieve the same result.

  1. Open your theme’s functions.php file (located in wp-content/themes/your-theme/).
  2. Add the following code to disable the Block Editor for widgets and use the classic interface:

// Disable the Block Editor for widgets
add_filter( 'gutenberg_use_widgets_block_editor', '__return_false' );
add_filter( 'use_widgets_block_editor', '__return_false' );

Method 3: Create a Custom Plugin

If you prefer to create a custom plugin to disable the Block Editor for widgets, follow these steps:

  1. Create a new file in your wp-content/plugins/ directory, for example, disable-block-widgets.php.
  2. Add the following code to the file:

<?php
/*
Plugin Name: Disable Block Widgets
Description: Disables the Block Editor for widgets and restores the classic interface.
Version: 1.0
Author: Your Name
*/

// Disable the Block Editor for widgets
add_filter( 'gutenberg_use_widgets_block_editor', '__return_false' );
add_filter( 'use_widgets_block_editor', '__return_false' );

  3. Activate the plugin from the WordPress admin dashboard.

By following any of these methods, you will restore the classic widget interface in WordPress, allowing you to manage widgets without using the Block Editor.

To hide the WordPress Admin Bar for all users on the frontend of your site, you can add a simple code snippet to your theme’s functions.php file or create a custom plugin. Here are the steps for both methods:

Method 1: Add Code to functions.php

  1. Open your theme’s functions.php file (located in wp-content/themes/your-theme/).
  2. Add the following code to hide the admin bar on the frontend for all users:

// Hide the admin bar on the frontend for all users
add_filter('show_admin_bar', '__return_false');

Method 2: Create a Custom Plugin

  1. Create a new file in your wp-content/plugins/ directory, for example, hide-admin-bar.php.
  2. Add the following code to the file:

<?php
/*
Plugin Name: Hide Admin Bar
Description: Hides the WordPress Admin Bar on the frontend for all users.
Version: 1.0
Author: Your Name
*/

// Hide the admin bar on the frontend for all users
add_filter('show_admin_bar', '__return_false');

Additional Option: Use CSS (Optional)

You can also hide the admin bar using CSS, but this method is not as robust as the PHP method since the admin bar will still load but be hidden from view.

  1. Open your theme’s style.css file (located in wp-content/themes/your-theme/).
  2. Add the following CSS to hide the admin bar:

/* Hide the admin bar */
#wpadminbar {
    display: none;
}

By following either of the PHP methods, you will effectively hide the WordPress Admin Bar for all users on the frontend of your site.

To stop receiving emails about automatic updates on your WordPress site, you can add a code snippet to your theme’s functions.php file or create a custom plugin. Here are the steps for both methods:

Method 1: Add Code to functions.php

  1. Open your theme’s functions.php file (located in wp-content/themes/your-theme/).
  2. Add the following code to disable update notification emails:

// Disable automatic update notification emails
add_filter( 'auto_core_update_send_email', '__return_false' );
add_filter( 'automatic_updates_send_debug_email', '__return_false', 1 );

Method 2: Create a Custom Plugin

  1. Create a new file in your wp-content/plugins/ directory, for example, disable-update-emails.php.
  2. Add the following code to the file:

<?php
/*
Plugin Name: Disable Update Emails
Description: Disables automatic update notification emails on WordPress.
Version: 1.0
Author: Your Name
*/

// Disable automatic update notification emails
add_filter( 'auto_core_update_send_email', '__return_false' );
add_filter( 'automatic_updates_send_debug_email', '__return_false', 1 );

  3. Activate the plugin from the WordPress admin dashboard.

Additional Option: Use a Plugin from the Repository

There are also plugins available in the WordPress repository that can handle this for you. One such plugin is “Manage Notification E-mails”:

  1. Go to your WordPress admin dashboard.
  2. Navigate to Plugins > Add New.
  3. Search for “Manage Notification E-mails”.
  4. Install and activate the plugin.
  5. Configure the plugin settings to disable update notification emails.

By following any of these methods, you will stop receiving emails about automatic updates on your WordPress site.

To disable XML-RPC completely on sites running WordPress 3.5+, you can either add a code snippet to your theme’s functions.php file or create a small plugin to achieve this. Here are the steps for both methods:

Method 1: Add Code to functions.php

  1. Open your theme’s functions.php file (located in wp-content/themes/your-theme/).
  2. Add the following code to disable XML-RPC:

// Disable XML-RPC
add_filter('xmlrpc_enabled', '__return_false');

// Remove the RSD link from the header
remove_action('wp_head', 'rsd_link');

// Block XML-RPC requests
add_filter('xmlrpc_methods', function() {
    return [];
});

Method 2: Create a Custom Plugin

  1. Create a new file in your wp-content/plugins/ directory, for example, disable-xmlrpc.php.
  2. Add the following code to the file:

<?php
/*
Plugin Name: Disable XML-RPC
Description: Completely disables XML-RPC on WordPress 3.5+.
Version: 1.0
Author: Your Name
*/

// Disable XML-RPC
add_filter('xmlrpc_enabled', '__return_false');

// Remove the RSD link from the header
remove_action('wp_head', 'rsd_link');

// Block XML-RPC requests
add_filter('xmlrpc_methods', function() {
    return [];
});

  3. Activate the plugin from the WordPress admin dashboard.

Additional Step: Block XML-RPC Requests via .htaccess (Optional)

To add an extra layer of protection by blocking XML-RPC requests at the server level, you can modify your .htaccess file:

  1. Open your .htaccess file (located in the root directory of your WordPress installation).
  2. Add the following code to block all XML-RPC requests:

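# Block WordPress xmlrpc.php requests
# (On Apache 2.4 without mod_access_compat, use "Require all denied" instead of the two access lines.)
<Files xmlrpc.php>
    order deny,allow
    deny from all
</Files>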

By following these steps, you will completely disable XML-RPC on your WordPress site running version 3.5 or later, enhancing your site’s security by preventing potential XML-RPC-based attacks.

To switch back to the Classic Editor by disabling the Block Editor (Gutenberg), you can use one of the following methods:

Method 1: Use the Classic Editor Plugin

The easiest way to switch back to the Classic Editor is to use the Classic Editor plugin.

  1. Go to your WordPress admin dashboard.
  2. Navigate to Plugins > Add New.
  3. Search for “Classic Editor”.
  4. Click Install Now and then Activate.

The Classic Editor plugin will automatically disable the Block Editor and revert your site to the classic editing experience.

Method 2: Add Code to functions.php

If you prefer not to use a plugin, you can add code to your theme’s functions.php file to disable the Block Editor.

  1. Open your theme’s functions.php file (located in wp-content/themes/your-theme/).
  2. Add the following code to disable the Block Editor:

// Disable Gutenberg editor for posts
add_filter('use_block_editor_for_post', '__return_false', 10);

// Disable Gutenberg editor for post types
add_filter('use_block_editor_for_post_type', '__return_false', 10);

Method 3: Create a Custom Plugin

If you prefer to create a custom plugin to disable the Block Editor, follow these steps:

  1. Create a new file in your wp-content/plugins/ directory, for example, disable-gutenberg.php.
  2. Add the following code to the file:

<?php
/*
Plugin Name: Disable Gutenberg
Description: Disables the Gutenberg Block Editor and reverts to the Classic Editor.
Version: 1.0
Author: Your Name
*/

// Disable Gutenberg editor for posts
add_filter('use_block_editor_for_post', '__return_false', 10);

// Disable Gutenberg editor for post types
add_filter('use_block_editor_for_post_type', '__return_false', 10);

  3. Activate the plugin from the WordPress admin dashboard.

Optional: Hide the Gutenberg Nag

To hide the nag message that suggests switching to the Block Editor, you can add the following code to your functions.php file or custom plugin:


add_action('admin_init', function() {
    remove_action('try_gutenberg_panel', 'wp_try_gutenberg_panel');
});

By following any of these methods, you can disable the Block Editor (Gutenberg) and switch back to the Classic Editor in WordPress.

To hide all updates for WordPress Core, Plugins, and Themes, you can add specific code snippets to your functions.php file or create a simple plugin.


<?php
add_filter( 'site_transient_update_plugins', '__return_empty_array' );
add_filter( 'transient_update_plugins', '__return_empty_array' );
add_filter( 'site_transient_update_themes', '__return_empty_array' );
add_filter( 'transient_update_themes', '__return_empty_array' );
// Disable core wp updates.
add_filter( 'pre_site_transient_update_core', function ( $object = null ) {
	global $wp_version;
	// Return an empty object to prevent extra checks.
	return (object) array(
		'last_checked'    => time(),
		'updates'         => array(),
		'version_checked' => $wp_version,
	);
} );
add_action( 'init', function () {
	remove_action( 'init', 'wp_version_check' );
	add_filter( 'pre_option_update_core', '__return_null' );
	remove_all_filters( 'plugins_api' );
} );
// Disable even other external updates related to core.
add_filter( 'auto_update_translation', '__return_false' );
add_filter( 'automatic_updater_disabled', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_false' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
add_filter( 'allow_dev_auto_core_updates', '__return_false' );
add_filter( 'auto_update_core', '__return_false' );
add_filter( 'wp_auto_update_core', '__return_false' );
add_filter( 'auto_update_plugin', '__return_false' );
add_filter( 'auto_update_theme', '__return_false' );
add_filter( 'auto_core_update_send_email', '__return_false' );
add_filter( 'automatic_updates_send_debug_email', '__return_false' );
add_filter( 'send_core_update_notification_email', '__return_false' );
add_filter( 'automatic_updates_is_vcs_checkout', '__return_true' );
add_filter( 'pre_site_transient_update_plugins', function () {
	global $wp_version;
	// Get all registered plugins.
	$plugins = get_transient( 'wpcode_prevent_updates_plugins' );
	if ( false === $plugins ) {
		if ( ! function_exists( 'get_plugins' ) ) {
			require_once ABSPATH . 'wp-admin/includes/plugin.php';
		}
		$plugins = array();
		foreach ( get_plugins() as $file => $plugin ) {
			$plugins[ $file ] = $plugin['Version'];
		}
		set_transient( 'wpcode_prevent_updates_plugins', $plugins, DAY_IN_SECONDS );
	}
	// Return an empty object to prevent extra checks.
	return (object) array(
		'last_checked'    => time(),
		'updates'         => array(),
		'version_checked' => $wp_version,
		'checked'         => $plugins,
	);
} );
add_filter( 'pre_site_transient_update_themes', function () {
	global $wp_version;
	// Get all registered themes.
	$themes = get_transient( 'wpcode_prevent_updates_themes' );
	if ( false === $themes ) {
		$themes = array();
		foreach ( wp_get_themes() as $theme ) {
			$themes[ $theme->get_stylesheet() ] = $theme->get( 'Version' );
		}
		set_transient( 'wpcode_prevent_updates_themes', $themes, DAY_IN_SECONDS );
	}
	// Return an empty object to prevent extra checks.
	return (object) array(
		'last_checked'    => time(),
		'updates'         => array(),
		'version_checked' => $wp_version,
		'checked'         => $themes,
	);
} );
add_action( 'admin_init', function () {
	// Remove updates page.
	remove_submenu_page( 'index.php', 'update-core.php' );
	// Disable plugin API checks.
	remove_all_filters( 'plugins_api' );
	// Disable theme checks.
	remove_action( 'load-update-core.php', 'wp_update_themes' );
	remove_action( 'load-themes.php', 'wp_update_themes' );
	remove_action( 'load-update.php', 'wp_update_themes' );
	remove_action( 'wp_update_themes', 'wp_update_themes' );
	remove_action( 'admin_init', '_maybe_update_themes' );
	wp_clear_scheduled_hook( 'wp_update_themes' );
	// Disable plugin checks.
	remove_action( 'load-update-core.php', 'wp_update_plugins' );
	remove_action( 'load-plugins.php', 'wp_update_plugins' );
	remove_action( 'load-update.php', 'wp_update_plugins' );
	remove_action( 'admin_init', '_maybe_update_plugins' );
	remove_action( 'wp_update_plugins', 'wp_update_plugins' );
	wp_clear_scheduled_hook( 'wp_update_plugins' );
	// Disable any other update/cron checks.
	remove_action( 'wp_version_check', 'wp_version_check' );
	remove_action( 'admin_init', '_maybe_update_core' );
	remove_action( 'wp_maybe_auto_update', 'wp_maybe_auto_update' );
	remove_action( 'admin_init', 'wp_maybe_auto_update' );
	remove_action( 'admin_init', 'wp_auto_update_core' );
	wp_clear_scheduled_hook( 'wp_version_check' );
	wp_clear_scheduled_hook( 'wp_maybe_auto_update' );
	// Hide nag messages.
	remove_action( 'admin_notices', 'update_nag', 3 );
	remove_action( 'network_admin_notices', 'update_nag', 3 );
	remove_action( 'admin_notices', 'maintenance_nag' );
	remove_action( 'network_admin_notices', 'maintenance_nag' );
} );

To add support for SVG files to be uploaded in WordPress media, you can use the following steps. This involves adding some custom code to your theme’s functions.php file or creating a simple plugin to enable SVG support.

 


/**
 * Allow SVG uploads for administrator users.
 *
 * @param array $upload_mimes Allowed mime types.
 *
 * @return mixed
 */
add_filter(
	'upload_mimes',
	function ( $upload_mimes ) {
		// By default, only administrator users are allowed to add SVGs.
		// To enable more user types edit or comment the lines below but beware of
		// the security risks if you allow any user to upload SVG files.
		if ( ! current_user_can( 'administrator' ) ) {
			return $upload_mimes;
		}

		$upload_mimes['svg']  = 'image/svg+xml';
		$upload_mimes['svgz'] = 'image/svg+xml';

		return $upload_mimes;
	}
);

/**
 * Add SVG files mime check.
 *
 * @param array        $wp_check_filetype_and_ext Values for the extension, mime type, and corrected filename.
 * @param string       $file Full path to the file.
 * @param string       $filename The name of the file (may differ from $file due to $file being in a tmp directory).
 * @param string[]     $mimes Array of mime types keyed by their file extension regex.
 * @param string|false $real_mime The actual mime type or false if the type cannot be determined.
 */
add_filter(
	'wp_check_filetype_and_ext',
	function ( $wp_check_filetype_and_ext, $file, $filename, $mimes, $real_mime ) {

		if ( ! $wp_check_filetype_and_ext['type'] ) {

			$check_filetype  = wp_check_filetype( $filename, $mimes );
			$ext             = $check_filetype['ext'];
			$type            = $check_filetype['type'];
			$proper_filename = $filename;

			if ( $type && 0 === strpos( $type, 'image/' ) && 'svg' !== $ext ) {
				$ext  = false;
				$type = false;
			}

			$wp_check_filetype_and_ext = compact( 'ext', 'type', 'proper_filename' );
		}

		return $wp_check_filetype_and_ext;

	},
	10,
	5
);
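The comment in the snippet above warns about the security risk of SVG uploads: an SVG is an XML document that can carry script. The following added example (not code from the original page) rejects uploaded SVG and SVGZ files that contain script-capable markup, using the wp_handle_upload_prefilter hook. The function name, the blocked-element list and the 5 MB limit are assumptions chosen for illustration, and the check is not a complete sanitizer.

```php
<?php
// Added example: refuse SVG uploads that carry active content.
// Function names and the blocked-element list are illustrative assumptions.

// Returns a description of the first active-content finding, or '' if none.
function example_svg_active_content( $svg_source ) {
	// Entity declarations are not needed in a normal SVG; refuse them outright.
	if ( false !== stripos( $svg_source, '<!ENTITY' ) ) {
		return 'entity declaration';
	}

	$previous = libxml_use_internal_errors( true );
	$dom      = new DOMDocument();
	$loaded   = $dom->loadXML( $svg_source, LIBXML_NONET ); // No network access while parsing.
	libxml_clear_errors();
	libxml_use_internal_errors( $previous );
	if ( ! $loaded ) {
		return 'not well-formed XML';
	}

	$blocked = array( 'script', 'foreignobject', 'iframe', 'object', 'embed' );
	foreach ( $dom->getElementsByTagName( '*' ) as $element ) {
		if ( in_array( strtolower( $element->localName ), $blocked, true ) ) {
			return 'element ' . $element->nodeName;
		}
		foreach ( $element->attributes as $attribute ) {
			$name  = strtolower( $attribute->localName );
			$value = strtolower( preg_replace( '/\s+/', '', $attribute->value ) );
			if ( 0 === strpos( $name, 'on' ) ) {
				return 'event handler attribute ' . $attribute->nodeName;
			}
			if ( 'href' === $name && 0 === strpos( $value, 'javascript:' ) ) {
				return 'javascript: URL in ' . $attribute->nodeName;
			}
		}
	}
	return '';
}

add_filter(
	'wp_handle_upload_prefilter',
	function ( $file ) {
		$ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
		if ( ! in_array( $ext, array( 'svg', 'svgz' ), true ) ) {
			return $file;
		}
		// Leave failed uploads to core's own error handling.
		if ( ! empty( $file['error'] ) || empty( $file['tmp_name'] ) ) {
			return $file;
		}
		$source = file_get_contents( $file['tmp_name'] );
		if ( 'svgz' === $ext && false !== $source ) {
			// .svgz is gzip-compressed SVG; cap the inflated size (5 MB is an arbitrary limit).
			$source = @gzdecode( $source, 5 * MB_IN_BYTES );
		}
		$finding = false === $source ? 'unreadable file' : example_svg_active_content( $source );
		if ( '' !== $finding ) {
			// A non-empty 'error' string makes WordPress refuse the upload.
			$file['error'] = 'SVG rejected: ' . $finding;
		}
		return $file;
	}
);
```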

By default, a WordPress custom post type does not use the Gutenberg editor. Why? In this quick tip, I’ll walk you through the why and show you how to enable the Gutenberg editor for your custom post types. Don’t worry. It’s literally one configuration parameter.

Gutenberg uses the REST API. But by default, the REST API parameter is turned off when you register a custom post type. Therefore, you need to intentionally turn it on in your code. Let me show you how.

The Code

Here is a link to the Books plugin gist if you want to work along with me.

In the configuration arguments where you register the custom post type, add the following configuration parameter:

'show_in_rest'       => true, // To use Gutenberg editor.

For example, let’s say you are registering a Book post type. The registration arguments might be:

function sitegrows_register_book_post_type() {
    $labels = [
        // left out for brevity.
    ];
 
    $args = [
        'labels'             => $labels,
        'public'             => true,
        'publicly_queryable' => true,
        'show_ui'            => true,
        'show_in_menu'       => true,
        'show_in_rest'       => true, // To use Gutenberg editor.
        'query_var'          => true,
        'rewrite'            => [ 'slug' => 'book' ],
        'has_archive'        => true,
        'hierarchical'       => false,
        'menu_position'      => null,
    ];
 
    register_post_type( 'book', $args );
}

Here is a quick tip to remove the piece of code added by WordPress 4.4 in the header of your pages about wp-embed.

wp-embed.js is a script added by WordPress. It’s super easy to embed videos, images, tweets, audio, and other content into your WordPress site. This feature was added in WordPress 2.9.

That’s the code WordPress adds in your page:

function sitegrows_deregister_scripts(){
	wp_deregister_script( 'wp-embed' );
}
add_action( 'wp_footer', 'sitegrows_deregister_scripts' );