Disable REST API


** As of WordPress 4.7, the filter provided for disabling the REST API has been removed. However, this plugin will now
forcibly return an authentication error to any API requests from sources who are not logged into your website, which
will effectively still prevent unauthorized requests from using the REST API to get information from your website **

The REST API is a project in development via the JSON REST API
plugin by Ryan McCue, Rachel Baker, Daniel Bachhuber and Joe Hoyle. The engine for the API has existed in WordPress
since v4.4, but additional functionality and endpoints are a continual project. While this is very exciting news
for many reasons, it is also not functionality that every site admin is going to want enabled on their website if not

For WordPress versions 4.4, 4.5 and 4.6, this plugin makes use of the rest_enabled filter provided by the API to
disable the API functionality. For WordPress 4.7+, the plugin will return an authentication error (effectively
disabling all endpoints) for any user not logged into the website.

Imagens de tela

  • The JSON returned by a website that is protected by this plugin. (WordPress versions 4.4, 4.5, 4.6)


  1. Upload the disable-json-api directory to the /wp-content/plugins/ directory via FTP
  2. Alternatively, upload the disable-json-api_v#.#.zip file to the ‘Plugins->Add New’ page in your WordPress admin
  3. Ative o plugin por meio do menu “Plugins” no WordPress


Is this plugin compatible with __insert other REST API plugin here__?

This plugin ONLY uses the filters built into the official WordPress REST API meant for disabling its functionality.
So long as your other REST API does not also use those filters to allow itself to be disabled (and it shouldn’t), you
should be safe.



Does exactly what I want it to do. It disables the REST API completely for non-authenticated users.

Download, install and rest

Thanks for creating this plugin. It was a pleasure to acquire and install. Let’s hope the rest API evolves more safely in the upcoming releases.


Since the disable REST filter was so wisely disabled *sarcasm*, this plugin is a necessary tool. It’s unconscionable to provide a whole new huge attack surface with the REST API, provide a filter to disable it and then suddenly remove that filter. WTF. Millions of WP sites running 4.7 and 4.7.1 are now defaced because of hubris by the core developers. Years of work to improve WordPress’s reputation for insecurity undone by one irresponsible decision.


Install, activate and you’re done!

Works perfectly on all the calls I tested it with…

Works fine with WP 4.7.2

Works fine with 4.7.2. You can test your site before and after installation of this plugin using http://example.com/wp-json

You’ll know it works when you see the message:

{“code”:”rest_cannot_access”,”message”:”Only authenticated users can access the REST API.”,”data”:{“status”:401}}

Leia todas as 16 avaliações

Contribuidores e desenvolvedores

“Disable REST API” é um software com código aberto. As seguintes pessoas contribuíram para este plugin.


Registro de alterações


  • Tested for WP v4.7
  • Adding new functionality to raise authentication errors in 4.7+ for non-logged-in users


  • Tested for WP v4.5
  • Removal of actions which publish REST info to the head and header


  • Updated to support the new filters created in the 2.0 beta API


  • Initial Release