
How to Disable the WordPress REST API

The WordPress REST API provides API endpoints for WordPress data types that allow developers to interact with sites remotely by sending and receiving JSON objects.

This is done by mapping different endpoints through a URI, such as:

While the WordPress REST API is great, one problem is that by default, it leaves the usernames of anyone who has published on your WordPress site wide open via the following URL:
WP-JSON user list

This might not be something you want everyone to know. Why? Because someone could then start guessing passwords (brute-force attack) against all the usernames on your WordPress site. Hopefully your authors, contributors, and administrators are using secure passwords, but still, having your username list wide open isn’t ideal.

Therefore, the Perfmatters plugin now has an option that lets you disable the WordPress REST API.

What Uses the REST API?

Because some plugins, services, and apps rely on the REST API, we always recommend testing before disabling it completely on your WordPress site. Here are a few examples of things that use the REST API:

  • Yoast SEO and Ryte dashboard widget
  • Some specific WooCommerce dashboard widgets

If you need these to function, we have different permissions you can use. For example, you can select the option to “Disable for Non-Admins” instead of disabling completely. And of course, if you run into any issues, it only takes a simple click to re-enable the REST API everywhere again.

How to Disable the WordPress REST API

To disable the REST API, open the Perfmatters settings and select an option under “Disable REST API.”

There are 4 different options. By default, the REST API is enabled. You can then choose to disable it completely, disable for non-admins, or disable when logged out.

Disable WordPress REST API with Perfmatters

This blocks REST API requests and returns the following error message if the requester doesn’t have permission.

{"code":"rest_authentication_error","message":"Sorry, you do not have permission to make REST API requests.","data":{"status":401}}
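
The same kind of restriction can be expressed directly with WordPress's `rest_authentication_errors` filter. The snippet below is an added example, not Perfmatters' own code: the `EXAMPLE_REST_MODE` constant, its mode names, and the `example_rest_allowed()` helper are hypothetical, and it returns the same error body shown above.

```php
<?php
/**
 * Added example (not Perfmatters' code): restrict the REST API with
 * WordPress's rest_authentication_errors filter.
 * EXAMPLE_REST_MODE and the example_* names are hypothetical.
 */

// Assumed modes: 'enabled', 'disable_logged_out', 'disable_non_admins', 'disable_all'.
if ( ! defined( 'EXAMPLE_REST_MODE' ) ) {
    define( 'EXAMPLE_REST_MODE', 'disable_non_admins' );
}

// Decide whether the current requester may use the REST API in the given mode.
function example_rest_allowed( $mode ) {
    switch ( $mode ) {
        case 'disable_all':
            return false;
        case 'disable_non_admins':
            // manage_options is held by administrators on a default install.
            return current_user_can( 'manage_options' );
        case 'disable_logged_out':
            return is_user_logged_in();
        default:
            return true; // 'enabled': leave the REST API untouched.
    }
}

// Priority 110 runs after core's cookie nonce check (priority 100), so a
// cookie request without a valid REST nonce is already treated as logged out.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Keep an error raised by an earlier authentication handler.
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    if ( example_rest_allowed( EXAMPLE_REST_MODE ) ) {
        return $result;
    }
    // Same code, message and status as the error response shown above.
    return new WP_Error(
        'rest_authentication_error',
        __( 'Sorry, you do not have permission to make REST API requests.' ),
        array( 'status' => 401 )
    );
}, 110 );
```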

You can also remove the REST API links from your WordPress site’s front-end code. Check out our article on how to remove WordPress REST API links.
