How to Disable JSON REST API in WordPress?

Updated on November 1, 2018

Starting with WordPress version 4.4, the JSON REST API is enabled by default. It’s one of the greatest developments in WordPress, allowing developers to get data using GET requests. However, as the owner of a WordPress site, I don’t want to keep the REST API enabled. The reason: like XML-RPC, it allows an attacker to perform a DDoS attack. Moreover, the JSON REST API is resource-intensive and can affect the performance of the website. So I prefer to disable the REST API for non-logged-in users. In this tutorial, I’ll explain how to disable the JSON REST API in WordPress.

Learn more about REST API here.

How to find if JSON REST API is enabled in WordPress?

It’s simple. Log out of WordPress or open an Incognito window and navigate to one of the URLs below.

http://example.com/wp-json

(or)

http://example.com/index.php?rest_route=/

Note: Remember to replace example.com with your own domain name.

If you see the message below, the JSON REST API has been disabled.

{"code":"rest_cannot_access","message":"DRA: Only authenticated users can access the REST API.","data":{"status":401}}

How to disable JSON REST API in WordPress?

All you need to do is install a WordPress plugin called Disable REST API. Just install it; the plugin has no settings or configuration page. It denies any API request made by a non-logged-in user, which makes an attacker’s brute-force efforts ineffective.
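To confirm the plugin is doing its job, the logged-out check described earlier can be scripted against both URLs, since blocking one entry point does not prove the other is blocked. This is an added example, not code from the plugin or the original article; the function names, the sample responses and the `namespaces`/`routes` test for an open API index are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request

def probe_urls(base):
    """Both entry points from the article: pretty permalink and rest_route."""
    base = base.rstrip("/")
    return [base + "/wp-json", base + "/index.php?rest_route=/"]

def classify(status, body):
    """Classify one logged-out response as 'blocked', 'open' or 'unknown'."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "unknown"              # HTML error page, empty body, etc.
    if not isinstance(doc, dict):
        return "unknown"
    if status == 401 and doc.get("code") == "rest_cannot_access":
        return "blocked"              # the message shown in the article
    # Assumption (not from the article): an open API index lists these keys.
    if status == 200 and "namespaces" in doc and "routes" in doc:
        return "open"
    return "unknown"

def fetch(url, timeout=10):
    """Anonymous GET (no cookies); returns (status, body) even on HTTP errors."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_site(base, fetcher=fetch):
    """Probe both URLs; the site counts as blocked only if every route is."""
    results = {url: classify(*fetcher(url)) for url in probe_urls(base)}
    overall = "blocked" if set(results.values()) == {"blocked"} else "not blocked"
    return overall, results

# Constructed sample responses, so the logic can be exercised offline.
SAMPLE_BLOCKED = (401, '{"code":"rest_cannot_access","message":"DRA: Only '
                       'authenticated users can access the REST API.",'
                       '"data":{"status":401}}')
SAMPLE_OPEN = (200, '{"name":"Example","namespaces":["wp/v2"],"routes":{"/":{}}}')

if __name__ == "__main__":
    fake = lambda url: SAMPLE_OPEN if "rest_route" in url else SAMPLE_BLOCKED
    print(check_site("http://example.com", fetcher=fake))
```

Against a live site, call `check_site("http://example.com")` with your own domain; an "unknown" verdict means the response was neither the 401 message nor an API index and should be inspected by hand.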

That’s it! You have now disabled the JSON REST API in WordPress. But don’t stop there – learn how to harden your WordPress here.
