---
title: "How to Disable REST API for WordPress Website?"
url: https://nexterwp.com/docs/disable-rest-api-for-wordpress/
date: 2023-04-18
modified: 2026-04-15
author: "Aditya Sharma"
description: "WordPress REST API is a powerful tool for developers, it can also pose a significant security risk if not properly secured. The REST API allows developers to interact with sites..."
image: https://nexterwp.com/wp-content/uploads/2024/05/disable-rest-api-for-wordpress-1024x519.jpg
word_count: 442
---

# How to Disable REST API for WordPress Website?

## Key Takeaways

- Nexter Extension (Free) allows users to disable REST API for logged out and non-admin users.
- Nexter theme and Nexter Extension (Free) enable setting permissions like 'Disable for Non-Admins' or 'Disable When Logged Out'.
- Disabling REST API for logged out users prevents unauthorized access to JSON files, enhancing website security.

The WordPress REST API is a powerful tool for developers, but it can also pose a significant security risk if not properly secured. The REST API allows developers to interact with sites remotely by sending and receiving JSON objects through API endpoints. While this feature can be useful for creating custom applications and integrations, it also poses a potential security risk to your website.

But you can’t disable the REST API completely on your site, because many plugins and services use it. With the [Nexter Extension (Free) plugin](https://wordpress.org/plugins/nexter-extension/) you can easily disable the REST API for logged-out and non-admin users.

[LIVE EXTENSION LINK](https://nexterwp.com/nexter-extensions/advanced-wordpress-security/)

 

## Why Disable REST API?

The WordPress REST API uses API endpoints to let developers send and receive JSON objects remotely. In doing so, it leaves the usernames of all users who have published on the website open to anyone via the following URL:

`https://ananda.instawp.xyz/wp-json/wp/v2/users`

![wp json user](https://nexterwp.com/wp-content/uploads/2023/04/wp-json-user.png)

Exposing usernames can be a security concern, as hackers can use them for brute-force attacks.

## Why You Shouldn't Disable REST API Completely?

You shouldn’t disable the REST API completely because there are many plugins and services that use the REST API to function properly.

Some of the most popular plugins such as Jetpack, Wordfence, different contact form plugins and even the WordPress block editor use the REST API.

So if you disable it completely, these plugins and services will not work properly.

That is why when you use the Nexter theme and Nexter Extension (Free) plugin you can set different permissions such as “Disable for Non-Admins” or “Disable When Logged Out”.

## How to Disable REST API with The Nexter Extension?

To do this, go to **Nexter** > **Extensions** > **Security**.

Then go to the **Advanced Security** section, enable the toggle, and click on the gear icon (⚙).

![](https://nexterwp.com/wp-content/uploads/2025/08/advanced-security-settings-new-1.png)

This will open the Advanced Security popup. There, go to **Disable REST API**.

Here you’ll find three options:

- **Enabled** - This will keep the REST API enabled for everyone.

- **Disable for Non-Admins** - This will disable the REST API for all users (including logged-out users) except Administrator users. This can be a good option if you allow user registration on your site, so that registered users can’t access the JSON files.

- **Disable When Logged Out** - This will disable the REST API for logged-out users, i.e. website visitors. This will be the ideal choice for most websites.

Select between **Disable for Non-Admins** and **Disable When Logged Out** based on your requirement.

Then click on the **Save** button.

Now, anyone who tries to access that users URL without proper permission will get an authentication error message.

![wp json user authentication error](https://nexterwp.com/wp-content/uploads/2023/04/wp-json-user-authentication-error.png)
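To confirm the setting took effect on a site you administer, the following added example (not part of the Nexter documentation or plugin code) requests the users route without credentials and classifies the response. The function names and the two sample response bodies are constructed for illustration; the exact error code your site returns may differ.

```python
import json
import urllib.error
import urllib.request

USERS_ROUTE = "/wp-json/wp/v2/users"  # route shown on this page


def classify(status, body):
    """Classify a response from the users route.

    Returns (verdict, detail); verdict is "exposed", "blocked" or "unknown".
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        data = None  # HTML error page, empty body, etc.
    if status == 200 and isinstance(data, list):
        slugs = [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]
        if slugs:
            return "exposed", f"{len(slugs)} account slug(s) readable without login"
        return "unknown", "200 with no user objects; inspect manually"
    if status in (401, 403):
        code = data.get("code", "") if isinstance(data, dict) else ""
        return "blocked", f"HTTP {status} {code}".strip()
    return "unknown", f"HTTP {status}; inspect manually"


def check_site(base_url, timeout=10):
    """Request the users route with no cookies or credentials and classify it."""
    req = urllib.request.Request(base_url.rstrip("/") + USERS_ROUTE,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample bodies (not captured from a real site).
SAMPLE_OPEN = '[{"id": 1, "name": "Editor One", "slug": "editor-one"}]'
SAMPLE_BLOCKED = '{"code": "rest_not_logged_in", "message": "Login required.", "data": {"status": 401}}'

if __name__ == "__main__":
    print(classify(200, SAMPLE_OPEN))
    print(classify(401, SAMPLE_BLOCKED))
```

Run `check_site("https://your-site.example")` from a machine that is not logged in to the site, once before and once after saving the setting; the verdict should change from `exposed` to `blocked`.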

This way you can enjoy the power of WordPress REST API without compromising security.

## Frequently Asked Questions

**Q: Why shouldn't I disable REST API completely?**
A: Completely disabling the REST API can break functionality for many essential plugins and services that rely on it, such as Jetpack and Wordfence. These tools use the API for various features, including security and content management. Therefore, it's crucial to selectively disable it using options like 'Disable for Non-Admins' or 'Disable When Logged Out' with the Nexter Extension.

**Q: What are the security risks of leaving REST API enabled?**
A: Leaving the REST API enabled can expose usernames through public endpoints, making your site vulnerable to brute-force attacks. Hackers can exploit this information to gain unauthorized access. By selectively disabling the API for non-admin users, you can mitigate these risks while still allowing essential functionalities.

**Q: What is the best practice for disabling REST API on my WordPress site?**
A: The best practice for disabling REST API is to use the Nexter Extension's options to restrict access based on user roles. Opt for 'Disable When Logged Out' for general security without disrupting the functionality of plugins that require the API. This approach protects your site while maintaining necessary features for logged-in users.
