
How to disable the WordPress REST API

The WordPress REST API provides API endpoints for WordPress data types that allow developers to interact with sites remotely by sending and receiving JSON objects.

This is done by mapping different endpoints through a URI, such as:

https://editwp.com/wp-json/

While the WordPress REST API is great, one problem is that by default, it leaves the usernames of anyone who has published on your WordPress site wide open via the following URL:

https://editwp.com/wp-json/wp/v2/users
WP-JSON user list

This might not be something you want everyone to know. Why? Because someone could then start guessing passwords (brute-force attack) against all the usernames on your WordPress site. Hopefully your authors, contributors, and administrators are using secure passwords, but still, having your username list wide open isn’t ideal.

Therefore, the Perfmatters plugin now has an option that lets you disable the WordPress REST API.

What uses the REST API?

Because some plugins, services, and apps rely on the REST API, you usually don’t want to disable it completely, so we have built in a permission model. Here are a few examples of solutions and plugins that use the REST API:

  • Yoast SEO and Ryte dashboard widget.
  • Customer Reviews for WooCommerce
  • Jetpack
  • Wordfence
  • JetMenu
  • Various contact forms.
  • Various WooCommerce dashboard widgets.
  • The new Gutenberg block editor uses the REST API to communicate when you make page and post edits. If you disable it completely you will get an error: “Updating failed.”

Therefore, we have different permissions you can use. For example, you can select the option to “Disable for Non-Admins” or “Disable When Logged Out.”

How to disable the WordPress REST API

Follow the steps below to disable the WordPress REST API.

Step 1

Click into the Perfmatters plugin settings.

Perfmatters plugin settings

Step 2

Make sure you’re on the “General” submenu.

Perfmatters General submenu

Step 3

Scroll down and choose an option under “Disable REST API.”

There are three different options. By default, the REST API is enabled. You can then choose to disable it for non-admins (recommended, and what we use), or disable when logged out. If you are working with authors, you will want to leave this enabled.

Disable WordPress REST API with Perfmatters

Step 4

Scroll down and click “Save Changes.”

This blocks REST API requests and returns the following error message when the requester doesn’t have permission.

{"code":"rest_authentication_error","message":"Sorry, you do not have permission to make REST API requests.","data":{"status":401}}

You can also remove the REST API links from your WordPress site’s front-end code. Check out our article on how to remove WordPress REST API links.

How to add WordPress REST API exception

Perhaps you want to completely disable the REST API, but need to add an exception for a particular service or plugin that utilizes it. You can add a custom route exception with our perfmatters_rest_api_exceptions filter.

Here is an example of adding an exception for JetMenu.

add_filter('perfmatters_rest_api_exceptions', function($exceptions) {
  $exceptions[] = 'jet-menu-api';
  return $exceptions;
});
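To see how the permission model and the exception list fit together, here is an added example (not Perfmatters’ own code) of a small must-use plugin that blocks the REST API for non-admins or for logged-out visitors while letting listed route prefixes through. The hook name example_rest_api_exceptions, the function names and the sample exception list are assumptions for illustration; the error code, message and 401 status match the response shown above.

```php
<?php
// Added example, not Perfmatters' own code. Mirrors the "Disable for Non-Admins"
// and "Disable When Logged Out" behaviour with a route exception list.
// Assumed location: wp-content/mu-plugins/example-rest-api-guard.php

// Pick one of the two permission modes the article describes.
const EXAMPLE_REST_API_MODE = 'non-admins'; // or 'logged-out'

// Route prefixes that stay reachable for everyone, matched like the
// perfmatters_rest_api_exceptions filter (e.g. 'jet-menu-api' covers
// '/jet-menu-api/v1/...'). The hook name here is an assumption.
function example_rest_api_exceptions() {
    $exceptions = array( 'jet-menu-api' ); // constructed sample list
    return apply_filters( 'example_rest_api_exceptions', $exceptions );
}

function example_rest_route_is_excepted( $route ) {
    $route = ltrim( $route, '/' );
    foreach ( example_rest_api_exceptions() as $prefix ) {
        if ( 0 === strpos( $route, ltrim( $prefix, '/' ) ) ) {
            return true;
        }
    }
    return false;
}

// True when the current requester may use the REST API under the chosen mode.
function example_rest_requester_allowed( $mode ) {
    if ( 'logged-out' === $mode ) {
        return is_user_logged_in();
    }
    // 'non-admins': only administrators (manage_options) keep access, so
    // Gutenberg and admin dashboard widgets keep working.
    return current_user_can( 'manage_options' );
}

// rest_pre_dispatch runs after authentication, so capability checks work
// for cookie and application-password requests alike.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another plugin already short-circuited the request
    }
    if ( example_rest_requester_allowed( EXAMPLE_REST_API_MODE )
        || example_rest_route_is_excepted( $request->get_route() ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_authentication_error',
        'Sorry, you do not have permission to make REST API requests.',
        array( 'status' => 401 )
    );
}, 10, 3 );
```

Keep the exception list as short as possible: every prefix you add reopens those routes to anonymous requests, so check that the plugin’s endpoints do their own permission checks.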

Common REST API exceptions

fluentform
ithemes-security/rpc
ithemes-security/v1
jet-menu-api
jet-search
stripe
surecart
yoast