Disable REST API in WordPress

With the introduction of REST API in WordPress v4.4, this blogging platform has become one step close towards becoming a full-fledged web application.

I prefer to disable this feature until I come up with some cool idea to use them. Now, before you attempt to disable your REST API, you should know which version of API your WP is using. You can easily figure that out by simply visiting the default JSON URL of your site which should look something like this:

https://yourdomain.coom/wp-json/

Now, if you are using REST API v1.0 you can use the following snippet.

<?php
// Disable REST API v1.x
add_filter('json_enabled','__return_false');
add_filter('json_jsonp_enabled','__return_false');
?>

For v2.0 though, you need slightly different snippet. Here you go.

<?php
// Disable REST API v2.x
add_filter('rest_enabled','__return_false');
add_filter('rest_jsonp_enabled','__return_false');
?>

Now, simply copy the appropriate portion of the snippet and paste it on your theme’s functions.php page and update it. It should disable your REST API.

Get Creative

Now, if you want to get bit more creative with your code, you can use the following snippet on your theme’s functions.php page.

<?php
function ib_disable_json_api () {
   // Disable REST API v1
   add_filter('json_enabled','__return_false');
   add_filter('json_jsonp_enabled','__return_false');
   // Disable REST API v2
   add_filter('rest_enabled','__return_false');
   add_filter('rest_jsonp_enabled','__return_false');
}
add_action('inite','ib_disable_json_api');
?>

Using the snippet mentioned above, will disable the REST API as soon as the WordPress get initialized. I hope you get the idea.

If everything goes as expected your site’s REST API should be disabled. To check, simply visit the default REST-API URL (https://yourdomain.coom/wp-json/) mentioned at the very beginning of this post. You should see message similar to something like this.

{"code":"rest_disabled","message":"The REST API is disabled on this site."}

It’s done and you are good to roll.

Update

With the launch of WordPress 4.7, REST-API has been fully integrated with the WordPress core. So practically it’s impossible to disable REST-API entirely. However, you can limit the access throwing an error message. If you are using older version (before 4.7) of WordPress, previous snippet should get your job done. However, for the latest version though, you can use the following snippet to limit unauthorized access to the REST-API. Simply copy and paste this snippet on your current theme’s functions.php page and update it.

<?php
add_filter('rest_authentication_errors','disable_rest_api');
function disable_rest_api(){
   if(!is_user_logged_in()){
      return new WP_Error('Error!', __('Unauthorized access is denied!','rest-api-error'), array('status' => rest_authorization_required_code()));
   }
}
?>

Try to access (logout from WordPress) the REST-API from “https://yourdomain.com/wp-json” and you should receive the error message as stated on the snippet. Hope that helps. Thank you.

Reference: WordPress Core Blog, wp-api.

Today In History

  •  
  •  

Comment

4 Comments

    Paul OconnellPublished: 3 years ago

    It seems in workpress 4.7.+ that this solution no longer works. I see this warning message in my log

    [Wed Jan 25 12:32:44.460087 2017] [:error] [pid 11881] [client 127.0.0.1:59950]
    PHP Notice: rest_enabled is deprecated since version 4.7.0! Use rest_authentication_errors instead.
    The REST API can no longer be completely disabled, the rest_authentication_errors can be used to restrict access to the API,
    instead. in /home/pauloconnell/projects/wordpress/bhaaie/wp-includes/functions.php on line 4034

      Iftekhar BhuiyanPublished: 3 years ago

      Thank you very much for pointing this out. I am well aware of this issue but it seems like there’s no way to disable the REST-API with the latest version of WP. However, there’s a work around to partially resolve this matter. I updated the post as I felt necessary. Thank you.

    Damian StefanskiPublished: 3 years ago

    Can i disable from REST API only one post category?

      Iftekhar BhuiyanPublished: 3 years ago

      Hello Damian. As I mentioned on my post, you can’t disable the REST API any longer. However, you can return an error if certain condition is met. Frankly speaking, I never even thought about the whole idea that you are asking for. But I can assure your, I will take deeper look at it and if something comes up, I will update the post. Thank you for stopping by.

Leave a Reply to Iftekhar Bhuiyan

Note: Convet HTML, PHP, JavaScripts from Postable, before posting from comment section.
License: By submitting a comment here you grant this site a perpetual license to reproduce your words and name/Web site in attribution. Please use your real name or a pseudonym (i.e., pen name, alias, nom de plume) when commenting. If you add your site name, company name, or something completely random, I'll likely change it to whatever I want.