The WordPress REST API provides API endpoints for WordPress data types that allow developers to interact with sites remotely by sending and receiving JSON objects.
This is done by mapping different endpoints through a URI, such as:
https://editwp.com/wp-json/
While the WordPress REST API is great, one problem is that by default, it leaves the usernames of anyone who has published on your WordPress site wide open via the following URL:
https://editwp.com/wp-json/wp/v2/users
This might not be something you want everyone to know. Why? Because someone could then start guessing passwords (brute-force attack) against all the usernames on your WordPress site. Hopefully your authors, contributors, and administrators are using secure passwords, but still, having your username list wide open isn’t ideal.
Therefore, the Perfmatters plugin now includes an option that lets you disable the WordPress REST API.
What uses the REST API?
Because there are plugins, services, and apps that rely on the REST API, you usually don’t want to disable it completely, so we have built in a permission model. Here are a few examples of solutions and plugins that use the REST API:
- Yoast SEO and Ryte dashboard widget.
- Customer Reviews for WooCommerce
- Jetpack
- Wordfence
- JetMenu
- Various contact forms.
- Various WooCommerce dashboard widgets.
- The new Gutenberg block editor uses the REST API to communicate when you make page and post edits. If you disable it completely you will get an error: “Updating failed.”
Therefore, we have different permissions you can use. For example, you can select the option to “Disable for Non-Admins” or “Disable When Logged Out.”
How to disable the WordPress REST API
Follow the steps below to disable the WordPress REST API.
Step 1
Click into the Perfmatters plugin settings.
Step 2
Make sure you’re on the “General” submenu.
Step 3
Scroll down and choose an option under “Disable REST API.”
There are three different options. By default, the REST API is enabled. You can then choose to disable it for non-admins (recommended, and what we use), or disable when logged out. If you are working with authors, you will want to leave this enabled.
Step 4
Scroll down and click “Save Changes.”
This blocks REST API requests and returns the following error message when the requester doesn’t have permission:
{"code":"rest_authentication_error","message":"Sorry, you do not have permission to make REST API requests.","data":{"status":401}}
You can also remove the REST API links from your WordPress site’s front-end code. Check out our article on how to remove WordPress REST API links.
How to add a WordPress REST API exception
Perhaps you want to completely disable the REST API, but need to add an exception for a particular service or plugin that utilizes it. You can add a custom route exception with our perfmatters_rest_api_exceptions filter.
Here is an example of adding an exception for JetMenu.
add_filter('perfmatters_rest_api_exceptions', function($exceptions) {
    // Allow requests to the jet-menu-api routes even when the REST API is disabled.
    $exceptions[] = 'jet-menu-api';
    return $exceptions;
});
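As an added illustration (not Perfmatters’ own code), the snippet below shows how the permission model described above and the route-prefix exception list can be enforced together through the core rest_authentication_errors filter. The mode names, the EXAMPLE_REST_MODE constant and the example_ functions are assumptions for this example; the exception filter name and the 401 error shape are the ones shown on this page.

```php
<?php
// Added illustration (not Perfmatters' own code): a minimal version of the
// "Disable REST API" permission model, with a route-prefix exception list.
// The mode names and example_* helpers are assumptions for this example.

// 'enabled' | 'non_admins' | 'logged_out' (assumed names for the three options)
define('EXAMPLE_REST_MODE', 'non_admins');

function example_rest_route_is_excepted($route) {
    // Route prefixes that stay reachable, e.g. 'jet-menu-api' for /wp-json/jet-menu-api/...
    $exceptions = apply_filters('perfmatters_rest_api_exceptions', array());
    $route = ltrim($route, '/');
    foreach ($exceptions as $prefix) {
        if (strpos($route, ltrim($prefix, '/')) === 0) {
            return true;
        }
    }
    return false;
}

function example_rest_request_allowed($mode, $logged_in, $is_admin, $route) {
    if ($mode === 'enabled' || example_rest_route_is_excepted($route)) {
        return true;
    }
    if ($mode === 'logged_out') {
        return $logged_in; // any authenticated user may use the API
    }
    return $is_admin; // 'non_admins': administrators only
}

add_filter('rest_authentication_errors', function ($result) {
    // Keep an error another authentication handler has already raised.
    if (is_wp_error($result)) {
        return $result;
    }
    // The REST route as resolved by WordPress, e.g. 'wp/v2/users'.
    $route = isset($GLOBALS['wp']->query_vars['rest_route'])
        ? $GLOBALS['wp']->query_vars['rest_route'] : '';
    if (example_rest_request_allowed(EXAMPLE_REST_MODE, is_user_logged_in(),
            current_user_can('manage_options'), $route)) {
        return $result;
    }
    // Same error shape as the JSON response shown above.
    return new WP_Error(
        'rest_authentication_error',
        'Sorry, you do not have permission to make REST API requests.',
        array('status' => 401)
    );
});
```

With the mode set to 'non_admins', an unauthenticated request to /wp-json/wp/v2/users receives the 401 error while a request under an excepted prefix such as jet-menu-api still goes through.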
Common REST API exceptions
- fluentform
- ithemes-security/rpc
- ithemes-security/v1
- jet-menu-api
- jet-search
- stripe
- surecart
- yoast