Disable WP JSON REST API

Disabling the WordPress JSON REST API

Did you know that ever since WordPress version 4.4 the WordPress REST API has been enabled by default? This is a great tool for plugin developers who need to quickly retrieve WordPress data via GET requests, but for most users this feature could be considered a security vulnerability. Take a look at this screenshot of a popular news website that has this feature enabled. It reveals details about your server environment and WordPress installation, and even lists some of the plugins you are running.

The good news is this feature can easily be disabled and in this post I’m going to explain how. You can get various plugins to disable this feature but in my opinion that is overkill when this can be quickly addressed at the server level. Please find below how to disable the WordPress REST API on your website whether you are using Apache or NGINX.

Blocking WordPress REST API on Apache

Add the following line of code to the .htaccess file in the document root of your website:

Redirect 301 /wp-json /

Blocking WordPress REST API on NGINX

You can deny access by adding an additional location rule to your production server block:

# Prefix match: covers /wp-json and every route beneath it
location ^~ /wp-json {
    deny all;
}

Disabling this feature on your WordPress website can decrease your vulnerability to DDoS attacks. Similar to disabling XML-RPC, this is another technique you should consider when strengthening your WordPress websites. If you are a plugin developer looking to learn more about the WP REST API, check out the documentation.

By using the technique above you will effectively deny access to the /wp-json/ URL on your site but there will still be a link to the REST API inside the head tag of your homepage similar to the one below:

<link rel='https://api.w.org/' href='https://digitalpci.com/wp-json/' />

Lastly, you will also have oEmbed discovery links added to your single post pages and an API link added to your HTTP headers. To disable all three of these additional aspects of the WP REST API, add the following lines of code to the functions.php file of your active theme:

// Disable REST API link tag
remove_action('wp_head', 'rest_output_link_wp_head', 10);

// Disable oEmbed Discovery Links
remove_action('wp_head', 'wp_oembed_add_discovery_links', 10);

// Disable REST API link in HTTP headers
remove_action('template_redirect', 'rest_output_link_header', 11);
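
To confirm that the three removals above took effect, the following added example (not code from the original post) audits one captured HTTP response for the REST API link tag, the oEmbed discovery links and the Link header. The function name, the example.test host and both sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

API_REL = "https://api.w.org/"  # rel value WordPress uses to advertise the REST API
OEMBED_TYPES = {"application/json+oembed", "text/xml+oembed"}  # oEmbed discovery types


class _LinkCollector(HTMLParser):
    """Collect (rel, type, href) for every <link> element in a page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):  # also called for self-closing <link ... />
        if tag == "link":
            a = {k: (v or "") for k, v in attrs}
            self.links.append((a.get("rel", ""), a.get("type", "").lower(), a.get("href", "")))


def audit_response(headers, html):
    """Return (kind, value) pairs for REST API advertisements left in one response."""
    findings = []
    for name, value in headers:  # headers: list of (name, value) pairs
        # Link: <https://site/wp-json/>; rel="https://api.w.org/"
        if name.lower() == "link" and API_REL in value:
            findings.append(("http-link-header", value))
    collector = _LinkCollector()
    collector.feed(html)
    for rel, mime, href in collector.links:
        if API_REL in rel.split():
            findings.append(("head-link-tag", href))
        elif mime in OEMBED_TYPES:
            findings.append(("oembed-discovery", href))
    return findings


# Constructed sample responses; example.test is a placeholder host.
BEFORE_HEADERS = [("Content-Type", "text/html"),
                  ("Link", '<https://example.test/wp-json/>; rel="https://api.w.org/"')]
BEFORE_HTML = """<head><link rel='https://api.w.org/' href='https://example.test/wp-json/' />
<link rel="alternate" type="application/json+oembed"
      href="https://example.test/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fexample.test%2Fa%2F" />
<link rel="stylesheet" href="/style.css" /></head>"""
AFTER_HEADERS = [("Content-Type", "text/html")]
AFTER_HTML = "<head><link rel='stylesheet' href='/style.css' /></head>"

if __name__ == "__main__":
    print("before:", audit_response(BEFORE_HEADERS, BEFORE_HTML))
    print("after: ", audit_response(AFTER_HEADERS, AFTER_HTML))
```

Run it against a single post page as well as the homepage, since the oEmbed discovery links only appear on single posts.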

Important Note for Jetpack Users: The WordPress Jetpack plugin uses the WP REST API for site statistics. So if you disable access to your WP REST API using the instructions on this page, be aware that this will break your Jetpack site statistics.

I hope you found this post useful and please feel free to share your own WordPress security tips and comments below. Thanks for reading!