How to Disable the JSON REST API in WordPress (2023 Security Guide)

Hello fellow WordPress user! If you're reading this, you likely care about keeping your website secure. In today's digital landscape, WordPress powers over 43% of all websites, making it not only popular, but also a huge target for hackers and bad actors.

One of the lesser-known WordPress features that can be a security liability is the JSON REST API. Its infrastructure shipped in WordPress 4.4 (December 2015), and the content endpoints for posts, users and other core data followed in 4.7 (December 2016). The REST API was built to make it easier for developers to interact with WordPress programmatically.

However, most sites never intentionally expose the REST API to the public internet. Logged-in users rely on it (the block editor has used it since WordPress 5.0), but on the typical site nothing anonymous ever needs it, and leaving it open to unauthenticated requests unnecessarily increases your attack surface.

In this comprehensive guide, we'll walk you through:

  • What the JSON REST API is and why it might pose a security risk
  • Two easy methods to block unauthenticated access to the REST API on your site (which is what "disabling" it means in practice, since logged-in users and the block editor still need it)
  • Additional security best practices to keep your WordPress site locked down

But first, let's make sure we're on the same page about what the REST API actually does.

What is the JSON REST API in WordPress?

The WordPress REST API provides an interface for applications to interact with your WordPress site by sending and receiving data as JSON (JavaScript Object Notation) objects.

Essentially, it makes it easier for developers to build features and integrate other apps with your WordPress back-end. Some common use cases include:

  • Mobile apps that pull data from your WordPress site
  • JavaScript front-ends that use WordPress as a headless CMS
  • Custom plugins or themes that leverage the REST API for specific features

The REST API infrastructure was merged into WordPress core in version 4.4 and the content endpoints in 4.7. It was positioned as the modern successor to the older XML-RPC protocol (which is still enabled by default in WordPress) and was intended to make WordPress a more attractive platform for app development.

However, the REST API also introduced some new security considerations. Let's look at the potential risks.

Why You Should Disable the WordPress REST API

The main reasons to disable the JSON REST API on your WordPress site are:

  1. To reduce your attack surface and harden security
  2. To improve performance by limiting unnecessary requests
  3. You're not using any features that actively require the REST API

Let's unpack each of these a bit more.

REST API Security Risks

While the WordPress REST API is not inherently insecure, it is another unauthenticated entry point into your site, and every entry point is one more place for an attacker to probe for data or vulnerabilities. Some of the key risks include:

  • User enumeration: The /wp-json/wp/v2/users endpoint lists every user who has published a public post, including the login slug, which hands an attacker a ready-made list of accounts to brute-force. Note that the REST API is not the only enumeration vector: a request to /?author=1 redirects to the author archive and reveals the username too, so blocking the API alone does not stop enumeration.
  • Resource exhaustion: REST requests bypass full-page caches and run real database queries (search and filtered post listings in particular), so a flood of requests to REST endpoints costs your server far more per request than hits to cached pages and can take the site offline.
  • Exposing sensitive data: The API index at /wp-json/ lists every registered namespace, which reveals which plugins are installed (and therefore which plugin vulnerabilities are worth trying), and the content endpoints expose post IDs, author information and other metadata that is useful for reconnaissance.

A well-known example is the REST API content injection vulnerability in WordPress 4.7.0 and 4.7.1, reported by Sucuri in January 2017. A flaw in how the posts endpoint matched its ID parameter let unauthenticated requests modify the content of any existing post.

WordPress shipped the fix silently in 4.7.2 on January 26, 2017 and disclosed the vulnerability a week later; sites that had not yet updated were defaced in large numbers in the days that followed. The incident underscored that the REST API is a live attack surface that needs to be hardened, or switched off for anonymous clients when it is not needed.

Performance Considerations

Even if your WordPress site isn't targeted by an attack, an open REST API still provides an easy avenue for bots, scrapers, and other unauthorized requests that can eat up your server resources and slow down performance.

This is especially true for high-traffic WordPress sites, where an influx of REST API requests can quickly overwhelm servers and lead to downtime.

By blocking anonymous access to the REST API, you close off that avenue for data harvesting. Bear in mind, though, that the filter-based methods in this guide reject requests only after WordPress has fully loaded: the request still bootstraps WordPress, it simply returns a small 401 error instead of running the endpoint's queries. That is a real saving on expensive endpoints, but if server load is your main concern, blocking or rate-limiting /wp-json/ at the web server, CDN or firewall in front of WordPress is what actually keeps the requests off your server.

You‘re Not Using the REST API

Perhaps the most compelling reason to disable the WordPress REST API is simply that you don't need it. If you're not actively using any features or plugins that require the REST API, there's no reason to keep it enabled.

In fact, according to a study by Wordfence, over 70% of WordPress sites have no detected usage of the REST API. That's a huge number of sites unnecessarily exposing themselves to potential risk!

So unless you have a specific need for the REST API (which we'll cover later in this post), we recommend disabling it for unauthenticated requests as a security best practice. Thankfully, it's quite easy to do. Let's walk through the two main methods.

Method 1: Disable the REST API via Code Snippets

The simplest way to block unauthenticated access to the JSON REST API is a short PHP filter. You can add it to your theme's functions.php file, to a code snippets plugin, or, most robustly, to a must-use plugin (a .php file in wp-content/mu-plugins/), which survives theme switches and theme updates.

Here's the code you'll need:

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a result set by an earlier authentication check (true or a WP_Error).
    if ( ! empty( $result ) ) {
        return $result;
    }
    // Reject anonymous requests. Logged-in requests (cookie + nonce, or an
    // application password) return $result unchanged so core's own checks still run.
    return is_user_logged_in() ? $result : new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
} );

This filter runs on every REST request before the endpoint is dispatched. If the request is not authenticated, it is rejected with a 401 error; requests from logged-in users pass through untouched, so the block editor and the admin keep working. Be careful with the widely circulated one-liner add_filter( 'rest_authentication_errors', '__return_true' ): returning true does not block anything, it tells WordPress that authentication has already succeeded. Worse, it short-circuits the cookie nonce check that runs later on the same filter, so a logged-in user's browser could be made to perform REST requests without a valid nonce, which is exactly the cross-site request forgery protection the nonce exists to provide.

To implement this code snippet, you have two options:

  1. Edit your theme's functions.php file directly
  2. Use a plugin like Code Snippets to safely add the code

We recommend the second approach, as editing functions.php comes with risks. If you make a syntax error or accidentally delete something, you could take down your whole site, and unless you are using a child theme, the next theme update overwrites functions.php and silently removes your snippet.

Using a plugin like Code Snippets is much safer. Here's how to do it:

  1. Install and activate the free Code Snippets plugin from the WordPress.org repository.
  2. Go to Snippets > Add New in your WordPress dashboard.
  3. Give your snippet a name (e.g. "Disable REST API") and paste in the code above.
  4. Click the "Save Changes and Activate" button.

[Screenshot: Code Snippets plugin interface]

That's it! The REST API will now reject every unauthenticated request, while logged-in users (and the block editor) continue to work normally. Easy, right?

Method 2: Disable REST API with a Plugin

If you'd rather not mess with code snippets, you can also block the REST API with a dedicated plugin; several free options are available in the WordPress.org plugin directory.

For this tutorial, we'll use the Disable REST API plugin. Here's how to set it up:

  1. Install and activate the free Disable REST API plugin from the WordPress.org repository.
  2. Go to Settings > Disable REST API in your WordPress dashboard.
  3. Once activated, the plugin blocks REST requests from anyone who is not logged in. Review the rules on that settings page: it lets you allow specific routes for unauthenticated visitors or for particular roles, which is useful if one front-end plugin still needs a route. Click the "Save Changes" button after any adjustment.

[Screenshot: Disable REST API plugin settings]

And that's all there is to it! The plugin will now block all unauthenticated REST API requests across your entire site.

The main downside of this method is that you're adding yet another plugin to your WordPress site. While the Disable REST API plugin is lightweight, it's still one more thing that needs to be kept up-to-date and could potentially introduce conflicts.

Using a code snippet gives you more control and eliminates that dependency. But either method is a solid option for disabling the REST API.

Verifying the REST API is Actually Disabled

After you've implemented one of the methods above, it's a good idea to test that the REST API is actually blocked as expected. Here's how:

  1. Open a private/incognito browser window and go to https://yourdomain.com/wp-json/ (replace "yourdomain.com" with your actual domain name). If your site uses plain permalinks, the index lives at https://yourdomain.com/?rest_route=/ instead.
  2. If the REST API is blocked properly, you should see a 401 error in JSON rather than the site index. The Disable REST API plugin returns this message:
{"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}
     The code-snippet method returns the same shape of error with the code rest_not_logged_in and the message "You are not currently logged in."
  3. If you still see a JSON response with your site data (a "name", a "description" and a list of "namespaces"), the REST API is still publicly accessible and you'll need to troubleshoot your code snippet or plugin settings. Repeat the check while logged in: that request should succeed, confirming the block applies only to anonymous clients.

We also recommend re-testing the REST API after making any major changes to your WordPress site, such as updating core, switching or updating your theme, or installing new plugins. A theme update overwrites a snippet placed in the parent theme's functions.php, and a plugin update can reset its settings. It's also worth checking /wp-json/wp/v2/users specifically, since that is the endpoint attackers go to first.
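For repeatable checks (for example after every update), the following command-line script is an added example and not part of the original post or either plugin. It requests the API index and the users endpoint anonymously and classifies each response; run it as php check-rest.php https://yourdomain.com, where the hostname is a placeholder. It assumes pretty permalinks (adjust the paths to /?rest_route=/ otherwise) and, when run without an argument, exercises the classifier on a constructed sample of the 401 body shown above so the logic can be checked offline.

```php
<?php
/**
 * check-rest.php (added example, not from the original post).
 * Usage: php check-rest.php https://yourdomain.com   (hostname is a placeholder)
 * Exit code 1 if any checked route is still open to anonymous clients.
 */

/** Classify one anonymous REST response: 'blocked', 'not-found', 'open' or 'unexpected'. */
function classify_rest_response( $status, $body ) {
    $json = json_decode( $body, true );
    if ( 401 === $status || 403 === $status ) {
        // A WP_Error from core or a plugin: rest_not_logged_in, rest_cannot_access, rest_forbidden ...
        return 'blocked';
    }
    if ( 404 === $status && is_array( $json ) && 'rest_no_route' === ( $json['code'] ?? '' ) ) {
        // The API answers, but this route has been removed (e.g. users endpoint hidden).
        return 'not-found';
    }
    if ( 200 === $status && is_array( $json ) ) {
        // JSON payload delivered to an anonymous client: the route is public.
        return 'open';
    }
    // HTML error page, WAF block page, redirect, connection failure ...
    return 'unexpected';
}

/** Fetch $url as an anonymous client without following redirects; returns array( status, body ). */
function fetch_anonymously( $url ) {
    $ctx = stream_context_create( array(
        'http' => array(
            'method'          => 'GET',
            'header'          => "Accept: application/json\r\nUser-Agent: rest-check/1.0\r\n",
            'ignore_errors'   => true, // hand back the body on 4xx/5xx instead of a warning
            'follow_location' => 0,
            'timeout'         => 10,
        ),
    ) );
    $body   = (string) @file_get_contents( $url, false, $ctx );
    $status = 0;
    // PHP populates $http_response_header in this scope after the request.
    if ( ! empty( $http_response_header ) && preg_match( '#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m ) ) {
        $status = (int) $m[1];
    }
    return array( $status, $body );
}

/** Check the index and the users endpoint; returns route => classification. */
function check_site( $base ) {
    $base = rtrim( $base, '/' );
    $rows = array();
    foreach ( array( '/wp-json/', '/wp-json/wp/v2/users' ) as $path ) {
        list( $status, $body ) = fetch_anonymously( $base . $path );
        $rows[ $path ] = classify_rest_response( $status, $body );
        printf( "%-22s HTTP %3d  %s\n", $path, $status, $rows[ $path ] );
    }
    return $rows;
}

if ( PHP_SAPI === 'cli' ) {
    if ( isset( $argv[1] ) ) {
        $rows = check_site( $argv[1] );
        exit( in_array( 'open', $rows, true ) ? 1 : 0 );
    }
    // Offline self-check on constructed sample responses (no network needed).
    $blocked_sample = '{"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}';
    $open_sample    = '{"name":"Example Site","description":"","namespaces":["wp/v2","oembed/1.0"]}';
    echo 'sample 401 body: ', classify_rest_response( 401, $blocked_sample ), "\n";
    echo 'sample 200 body: ', classify_rest_response( 200, $open_sample ), "\n";
}
```

The script deliberately does not follow redirects: a redirect to the login page or to a WAF challenge is reported as "unexpected" rather than mistaken for a block, so you can see at a glance which layer answered the request.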

What About When You Need the REST API?

Of course, there are some legitimate use cases for keeping the WordPress REST API enabled, such as:

  • Leveraging the WordPress mobile app or a plugin that requires the REST API
  • Building a decoupled front-end (e.g. a React app) that pulls data from WordPress
  • Offering a public API for custom integrations

In those cases, you'll need to keep the REST API enabled. But you can still take steps to harden its security:

  1. Use a plugin such as REST API Toolbox, or a custom rest_authentication_errors filter, to control exactly which routes anonymous clients can reach rather than leaving everything open.
  2. Require authentication for everything that does not have to be public. Browser clients authenticate with the login cookie plus a wp_rest nonce; external clients should use Application Passwords (built into WordPress since 5.6) over HTTPS, never a shared admin password.
  3. Rate-limit requests to /wp-json/ at the web server, CDN or WAF, where a rejected request costs almost nothing; rate limiting inside WordPress still pays for bootstrapping WordPress on every request.
  4. Properly sanitize and validate any user input accepted via the API. For custom endpoints, declare an argument schema with sanitize_callback and validate_callback in register_rest_route, and always supply a permission_callback.
  5. Keep WordPress core and all plugins/themes up-to-date to patch any known vulnerabilities.
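The following mu-plugin is an added example (not code from the original post, REST API Toolbox, or the Disable REST API plugin) that puts points 1 and 2 above into practice and also closes the user-enumeration vector described earlier. It rejects anonymous requests except for an allowlist of route prefixes, and removes the /wp/v2/users routes from anonymous clients altogether so they return rest_no_route instead of listing authors. The two allowlisted prefixes and the example_ function names are assumptions for illustration; replace the prefixes with the routes your own front-end plugins actually call.

```php
<?php
/**
 * Plugin Name: REST hardening (added example)
 * Install as wp-content/mu-plugins/rest-hardening.php.
 * Not part of the original post; route prefixes below are assumed for illustration.
 */

// Routes anonymous visitors may still call (assumptions; adjust to your site).
function example_rest_public_route_prefixes() {
    return array(
        '/contact-form-7/v1/', // public form submissions
        '/oembed/1.0/',        // lets other sites embed your posts
    );
}

// Resolve the requested REST route (e.g. "/wp/v2/users") for the current HTTP request.
function example_rest_current_route() {
    $route = '';
    if ( isset( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
        $route = $GLOBALS['wp']->query_vars['rest_route']; // pretty permalinks: /wp-json/<route>
    } elseif ( isset( $_GET['rest_route'] ) ) {
        $route = wp_unslash( $_GET['rest_route'] );        // plain permalinks: /?rest_route=<route>
    }
    return '/' . ltrim( (string) $route, '/' );
}

// Pure decision function: is an anonymous request to $route on the allowlist?
function example_rest_route_is_public( $route, $prefixes ) {
    $route = rtrim( $route, '/' ) . '/'; // "/oembed/1.0" and "/oembed/1.0/" compare alike
    foreach ( $prefixes as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

// Point 1 and 2: deny anonymous requests unless the route is allowlisted.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // an earlier check already produced true or a WP_Error
    }
    if ( is_user_logged_in() ) {
        return $result; // cookie+nonce or application-password requests continue through core's checks
    }
    if ( example_rest_route_is_public( example_rest_current_route(), example_rest_public_route_prefixes() ) ) {
        return $result; // allowlisted route: let core finish its own (nonce) handling
    }
    return new WP_Error(
        'rest_not_logged_in',
        'You are not currently logged in.',
        array( 'status' => 401 )
    );
} );

// User enumeration: hide every /wp/v2/users* route from anonymous clients, so an
// allowlisted prefix can never accidentally expose the author list.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

Allowlisting by route prefix rather than by plugin name means a new plugin that registers its own namespace is blocked by default until you add it, which is the safe direction to fail. Remember that the API is only one enumeration vector: pair this with a rule at the web server that stops /?author=N redirects if hiding usernames matters to you.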

By implementing these best practices, you can strike a balance between leveraging the power of the REST API and minimizing your exposure to potential security risks.

Additional WordPress Security Tips

Disabling the REST API is a great hardening step, but it's just one piece of the larger WordPress security puzzle. Here are a few other best practices we recommend:

  • Use strong, unique passwords for all user accounts
  • Enable two-factor authentication for admins and editors
  • Install a security plugin like Wordfence or Sucuri to scan for malware and block malicious traffic
  • Limit login attempts to prevent brute-force attacks
  • Keep regular backups of your WordPress site (and store them securely off-site)
  • Disable XML-RPC if you're not using it for remote publishing
  • Regularly update WordPress core, plugins, and themes to patch known vulnerabilities

According to a study by WPBeginner, the top 5 most popular WordPress security plugins are:

  1. Wordfence Security (4+ million active installs)
  2. Sucuri Security (900,000+ active installs)
  3. iThemes Security (900,000+ active installs)
  4. All In One WP Security & Firewall (800,000+ active installs)
  5. Jetpack (5+ million active installs)

While no single plugin can guarantee 100% security, using a reputable security solution in addition to following best practices will go a long way in protecting your WordPress site.

Frequently Asked Questions

Let's wrap up with answers to some common questions about disabling the WordPress REST API:

Will disabling the REST API break my WordPress site?

Not in most cases. Both methods block only unauthenticated requests, so the block editor and the rest of the admin keep working for logged-in users. What can break is any front-end feature that talks to the API anonymously: Contact Form 7 submits its forms to its own REST route, WooCommerce's block-based cart and checkout use the Store API, and the WordPress mobile app and similar external clients need API access. Test those flows after enabling the block, and allow just the routes they need rather than reopening the whole API.

Can I disable the REST API on a per-user basis?

Yes, with a bit of custom code. You can use a WordPress filter hook to conditionally disable the REST API based on user roles or capabilities. Here‘s an example:

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a result set by an earlier check (true or a WP_Error).
    if ( ! empty( $result ) ) {
        return $result;
    }
    // Block anonymous users and any logged-in user who cannot edit others' posts.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error(
            'rest_cannot_access',
            __( 'Only authenticated users can access the REST API.', 'disable-json-api' ),
            array( 'status' => rest_authorization_required_code() ) // 401 when logged out, 403 when logged in
        );
    }
    return $result;
} );

This snippet will disable the REST API for all users except those with the edit_others_posts capability (administrators and editors by default). Be aware that the block editor depends on the REST API, so with this rule in place Authors and Contributors will find the editor failing to save; only restrict logged-in roles this way if those users never edit content, or swap in a capability that every editing role has.

Is it still safe to use the WordPress REST API?

Yes, as long as you follow security best practices like requiring authentication, validating user input, and keeping your WordPress site updated. The REST API itself is not inherently insecure, but it can be abused if proper precautions aren't taken.

Will disabling the REST API impact my site‘s SEO?

No, disabling the REST API should have no impact on your WordPress site's SEO. Search engine crawlers index your rendered pages, not the API. The one public consumer to be aware of is oEmbed: when another site embeds one of your posts, it fetches /wp-json/oembed/1.0/embed, so block that route too only if you do not care about your content being embeddable elsewhere.

How can I re-enable the WordPress REST API?

To re-enable the REST API after disabling it with one of the methods in this guide, simply remove the code snippet from your functions.php file or deactivate the REST API plugin you were using. Once the change takes effect, the API will be accessible again at /wp-json/.

Conclusion and Key Takeaways

Disabling the WordPress REST API for unauthenticated requests is a simple yet effective way to harden your site's security, especially if nothing on your public site uses it.

In this guide, we've covered:

  • What the JSON REST API is and why it can be a security risk
  • Two methods to easily disable the REST API (code snippet vs. plugin)
  • How to verify the REST API is properly disabled
  • Cases where you may need to keep the REST API enabled (and how to secure it)
  • Additional security best practices for WordPress

We hope you found this in-depth guide helpful and that you now feel empowered to make an informed decision about the WordPress REST API on your own site.

The key takeaways to remember are:

  1. If you're not using the REST API, block it for unauthenticated requests to reduce your attack surface
  2. Use a correct code snippet or a reputable plugin, and verify from a logged-out browser that /wp-json/ really returns a 401
  3. Always keep WordPress core and plugins updated, and follow other security best practices

Now go forth and secure that REST API! As always, if you have any questions or tips to share, let us know in the comments below.
