How to Disable REST API for WordPress Website?

The WordPress REST API is a powerful tool for developers, but it can also pose a significant security risk if not properly secured. The REST API allows developers to interact with sites remotely by sending and receiving JSON objects through API endpoints. While this feature is useful for creating custom applications and integrations, it is also a potential security risk to your website.

But you can’t disable the REST API completely on your site, because many plugins and services use it. With the Nexter Extension (Free) plugin you can easily disable the REST API for logged-out and non-admin users.

Why Disable REST API?

The WordPress REST API uses API endpoints to allow developers to send and receive JSON objects remotely. While doing this, it leaves the usernames of all users who have published on the website exposed via the following URL:
[Screenshot: wp json user]

Exposing usernames can be a security concern, as hackers can use them for brute-force attacks.

Why You Shouldn’t Disable REST API Completely?

You shouldn’t disable the REST API completely, because many plugins and services rely on it to function properly.

Some of the most popular plugins, such as Jetpack, Wordfence and various contact form plugins, and even the WordPress block editor, use the REST API.

So if you disable it completely, these plugins and services will not work properly.

That is why, when you use the Nexter theme and the Nexter Extension (Free) plugin, you can choose between different permission levels such as “Disable for Non-Admins” or “Disable When Logged Out”.

How to Disable REST API with The Nexter Extension?

To do this, go to Appearance > Nexter Settings > Security.

Then in Advance Security click on the Settings button.

[Screenshot: advanced security settings]

This will open the Advance Security popup, go to Disable REST API.

Here you’ll find three options:

Enabled – This will keep the REST API enabled for everyone.

Disable for Non-Admins – This will disable the REST API for all users (including logged-out users) except Administrator users. This can be a good option if you allow user registration on your site, so that registered users can’t access the JSON files.

Disable When Logged Out – This will disable the REST API for logged-out users, i.e. website visitors. This will be the ideal choice for most websites.

Select between Disable for Non-Admins and Disable When Logged Out based on your requirement.

Then click on the Save button.

[Screenshot: disable rest api]

Now anyone who tries to access the users URL without proper permission will get an authentication error message.

[Screenshot: wp json user authentication error]

This way you can enjoy the power of the WordPress REST API without compromising security.
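For readers who want to see what the “Disable When Logged Out” and “Disable for Non-Admins” options amount to at the WordPress level, here is an added example (not the Nexter Extension's own code) built on WordPress core's rest_authentication_errors filter. The mode constant, the plugin header and the error codes and messages are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: REST API access gate (illustrative example)
 * Description: Added example, not code from the Nexter Extension.
 */

// Hypothetical setting that mirrors the three options described above:
// 'enabled', 'logged_out' or 'non_admin'.
const EXAMPLE_REST_GATE_MODE = 'logged_out';

add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier authentication handler already rejected the request.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // "Enabled": leave the REST API open to everyone.
    if ( 'enabled' === EXAMPLE_REST_GATE_MODE ) {
        return $result;
    }

    // Both restrictive modes reject anonymous visitors with HTTP 401,
    // so a logged-out request for the users route gets an error
    // instead of the list of usernames.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'example_rest_not_logged_in',
            'You are not currently logged in.',
            array( 'status' => 401 )
        );
    }

    // "Disable for Non-Admins": also reject logged-in users who lack an
    // administrator capability (manage_options) with HTTP 403.
    if ( 'non_admin' === EXAMPLE_REST_GATE_MODE
        && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'example_rest_admin_only',
            'The REST API is restricted to administrators.',
            array( 'status' => 403 )
        );
    }

    // Authenticated and permitted: let the request continue.
    return $result;
} );
```

Because the block editor calls the REST API as the logged-in user, the 'non_admin' mode in this sketch also cuts off editing for roles such as Editor or Author, which is worth testing before enabling a similar restriction on a multi-author site.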