Disable the WP REST API for non-logged in users

The WordPress REST API (Representational State Transfer API) is a mechanism that allows applications to exchange data with your WordPress website in JSON format. By default it is enabled in WordPress for all users, including site visitors who are not logged in.

In this guide you can read how to easily disable the WordPress REST API for unauthenticated users. If you want to skip straight to the point, the ready-to-use code snippet is in the section "Disabling WordPress REST API" below.

The WordPress admin interface and many WordPress plugins (such as Rank Math SEO) depend heavily on the REST API, but site visitors usually do not. In most cases the WP REST API is not needed at all for non-logged-in visitors – especially on simple, small business websites.

WordPress REST API security issues

The WordPress REST API makes it easy to fetch many kinds of data (e.g. users, pages, posts, tags, categories) with simple GET requests such as:

https://yourwebsite.com/wp-json/wp/v2/posts?per_page=100
https://yourwebsite.com/wp-json/wp/v2/pages
https://yourwebsite.com/wp-json/wp/v2/users

Allowing unauthenticated users to access the REST API makes it an attractive target for attackers or data miners who want to steal your content or gain access to your website.

The WordPress REST API is most commonly abused for these purposes:

  • User enumeration – to obtain the usernames of site administrators, which can later be used for brute-force password-guessing attacks against your site's login forms;
  • Data scraping – to easily download your site content and republish it on other websites. In this process the content can also be rewritten by AI software so that the copied articles are not identical to yours;
  • DDoS attacks – to repeatedly request large amounts of data from your website in order to slow it down or disrupt its availability.

All of these actions can be performed without being logged in, which makes the REST API an ideal platform for carrying them out.

Disabling WordPress REST API

To disable the WordPress REST API for non-logged-in users, add this code snippet to your WordPress theme’s functions.php file or a must-use plugin. This code can be customized to fit your needs. For instance, you can conditionally allow certain REST endpoints while blocking others, or even deny API access to specific roles for logged-in users.

// Do not allow access to the WordPress REST API for non-logged-in users
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler has already made a decision; respect it.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // No cookie/session user: reject the request with 401.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You are not currently logged in.',
            array( 'status' => 401 )
        );
    }

    return $result;
} );

// Remove the WordPress REST API discovery links from the site header for non-logged-in users
add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
        remove_action( 'wp_head', 'wp_oembed_add_discovery_links', 10 );
    }
} );
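The paragraph above mentions that the filter can be customized to allow certain endpoints or to deny specific roles. The following is an added example of such a variant (it is not the article's own snippet): anonymous visitors may still call a small allow-list of route prefixes, everything else requires login, and logged-in users holding a blocked role are refused as well. The route prefixes and the role name are placeholders to adapt to your own site and plugins.

```php
<?php
// Added example: allow-listed public routes plus role-based denial.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler already decided; respect its verdict.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Route prefixes anonymous visitors may still call (placeholder list,
    // e.g. a contact form plugin's submission endpoint).
    $public_prefixes = array(
        '/contact-form-7/v1/contact-forms/',
        '/example-plugin/v1/public/',
    );

    // Roles that must not use the REST API even when logged in (placeholder).
    $blocked_roles = array( 'subscriber' );

    // The requested REST route, e.g. "/wp/v2/users" for /wp-json/wp/v2/users.
    // WordPress stores it in the "rest_route" query var while serving the request.
    $route = '';
    if ( isset( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
        $route = '/' . ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' );
    }

    if ( ! is_user_logged_in() ) {
        foreach ( $public_prefixes as $prefix ) {
            if ( 0 === strpos( $route, $prefix ) ) {
                return $result; // allow-listed public route, let it through
            }
        }
        return new WP_Error(
            'rest_not_logged_in',
            'You are not currently logged in.',
            array( 'status' => 401 )
        );
    }

    // Logged in: refuse the API to users carrying any blocked role.
    $user = wp_get_current_user();
    if ( array_intersect( $blocked_roles, (array) $user->roles ) ) {
        return new WP_Error(
            'rest_forbidden_role',
            'Your account role may not use the REST API.',
            array( 'status' => 403 )
        );
    }

    return $result;
} );
```

Because prefixes are matched with a plain string comparison, keep them specific enough that they cannot accidentally match an unrelated namespace; after deploying, verify with a logged-out browser or a plain HTTP client that /wp-json/wp/v2/users returns 401 while your allow-listed route still responds.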

References

REST API Handbook – the official REST API documentation on the WordPress developer resources site

About the author
I'm a full-stack WordPress developer with 10+ years of solid experience in the core web development languages, development processes and techniques, web security, Linux server management, and with a pretty good understanding of proper semantics, UX/UI, technical SEO, good design and basic knowledge of company leadership. On top of that, a more distant 5+ years of experience as a computer and electronics repair technician, which often enables me to also understand how things work at the hardware level.