Disable REST API
The WordPress REST API is powerful — it lets external apps read and write content on your site. But by default, a lot of data is publicly accessible to anyone who knows the endpoints. Your posts, users, and more can be scraped without authentication. This module locks that down, requiring login for any API access.
Use Cases
- Prevent bots from scraping all your post content via API
- Block username enumeration through the /wp-json/wp/v2/users endpoint
- Reduce attack surface by closing an unauthenticated entry point into the site
- Protect membership site content from unauthorized API access
- Keep internal data internal on private or corporate sites
How It Works
This is a toggle module — enable it and the REST API is restricted. No configuration needed.
When enabled:
- Logged-in users: Full API access (works normally)
- Non-logged-in visitors: API returns “401 Unauthorized” error
- Frontend: REST API discovery links are removed from HTML
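The behaviour described above, written out as a minimal must-use plugin. This is an added illustration, not the module's own code: the hook names, function names and priorities are WordPress core's, while the file itself and its anonymous callbacks are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Restrict REST API to logged-in users (added example)
 * Description: Illustrative reimplementation of the behaviour documented above;
 *              not the module's own code. Place in wp-content/mu-plugins/.
 */

// Refuse any REST request that does not come from a logged-in user.
// rest_authentication_errors is applied by WP_REST_Server::check_authentication()
// before the route is dispatched; a WP_Error returned here becomes the response.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier filter already decided (true = authenticated, WP_Error = refused).
    if ( null !== $result ) {
        return $result;
    }

    // By this point determine_current_user has run, so a valid auth cookie or an
    // Application Password (Basic auth over HTTPS) both count as logged in.
    if ( is_user_logged_in() ) {
        return $result; // null: hand over to core's own cookie/nonce check.
    }

    // Same code, message and status the documentation shows below.
    return new WP_Error(
        'rest_disabled',
        'REST API is disabled for non-authenticated users.',
        array( 'status' => 401 )
    );
} );

// Stop advertising the API: the <link rel="https://api.w.org/"> tag in the head,
// the matching Link: response header, and the WP-API entry in the XML-RPC RSD file.
// Priorities match the ones core registers in wp-includes/default-filters.php.
add_action( 'init', function () {
    remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
    remove_action( 'template_redirect', 'rest_output_link_header', 11 );
    remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd', 10 );
} );
```

Core's own cookie check runs on the same filter at priority 100 and still requires a valid _wpnonce before a browser request is executed as the logged-in user; the block editor and the admin screens supply that nonce automatically, which is why they keep working.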
What Gets Blocked
Before enabling:
curl yoursite.com/wp-json/wp/v2/users
Returns the public author list without any authentication: display name, slug (which defaults to the login name) and profile fields for every user who has published content.
After enabling:
curl yoursite.com/wp-json/wp/v2/users
Returns:
{
  "code": "rest_disabled",
  "message": "REST API is disabled for non-authenticated users.",
  "data": { "status": 401 }
}
The module also removes:
- The REST API <link rel="https://api.w.org/"> tag from your HTML head
- The REST API Link: header from HTTP responses
- The WP-API reference in the XML-RPC RSD file
Who Can Still Access the API
| User Type | API Access |
|---|---|
| Non-logged-in visitors | Blocked |
| Subscribers (logged in) | Allowed |
| Contributors (logged in) | Allowed |
| Editors (logged in) | Allowed |
| Administrators (logged in) | Allowed |
Any logged-in WordPress user can access the API. The API respects normal WordPress capabilities — a Subscriber can’t edit posts via API any more than they could in the admin.
Verification
After enabling, test the restriction. If a full-page cache or CDN sits in front of the site, purge it first so you are not looking at a response cached before the change.
In an incognito/private browser window (not logged in):
- Visit yoursite.com/wp-json/wp/v2/posts. You should see the "REST API is disabled" error message with a 401 status.
- View the page source of your homepage. No wp-json link should appear in the head.
While logged in:
- Visit yoursite.com/wp-json/wp/v2/posts. You should see the normal JSON response with your posts.
FAQ
Will this break Gutenberg (the block editor)?
No. Gutenberg uses the REST API, but it runs while you're logged into the admin. Logged-in users have full API access, so editing works normally.
Will this break my contact form plugin?
It depends on how the plugin submits. Plugins that post through admin-ajax (WPForms, for example) are unaffected. Contact Form 7 has submitted forms to its own REST route (contact-form-7/v1) since version 5.0, so its AJAX submissions from visitors will fail with this module enabled. If a form stops working, check whether it requires public API access.
What about headless WordPress sites?
Headless setups (where a JavaScript frontend fetches content via API) require public REST API access. This module would break that architecture. For headless sites, consider restricting specific endpoints rather than blocking all unauthenticated access.
Does this affect the WordPress mobile app?
The WordPress app requires you to log in, so it uses authenticated API requests. As long as you're logged into the app, it will work normally.
I need public API access for a specific integration. What should I do?
Keep this module disabled if you have integrations that require public API access. Alternatively, custom code could allowlist specific endpoints while blocking others, but that's beyond what this simple module provides.
Does this prevent username enumeration?
For the REST vector, yes. The /wp-json/wp/v2/users endpoint is a common way attackers discover usernames, and with the API restricted it returns an error for unauthenticated requests. Other enumeration paths, such as author archive redirects (?author=1) and differing login error messages, are not covered by this module.
What's the difference between this and Disable XML-RPC?
XML-RPC is an older protocol that's completely disabled by that module. REST API is the modern API that's restricted to logged-in users by this module. They're separate systems; you can use both modules together for maximum protection.
Common Integrations
| Integration | Works with API Restricted? |
|---|---|
| Gutenberg editor | Yes (logged in) |
| WordPress mobile app | Yes (requires login) |
| WooCommerce | Partly (admin and classic shortcode pages work; the block-based Cart and Checkout call the Store API wc/store/v1 as a guest and will break) |
| Contact Form 7 | No (submits to its own contact-form-7/v1 REST route) |
| Headless frontend | No (requires public access) |
| External content scrapers | No (blocked, as intended) |
| Zapier/IFTTT | Depends on setup |
Not sure if you need the API? Enable this module and test your site functionality. If something breaks, disable it and investigate what integration needs API access. Most standard WordPress sites work fine with the API restricted.
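The FAQ answers on headless sites and on integrations that need public access both point at an allowlist as the alternative to a blanket block. The following is an added example of that approach, not code from the module: anonymous requests are refused with the same 401 as above, except for a fixed set of read-only routes. The route list, the ex_ prefix and the file itself are assumptions chosen for this illustration.

```php
<?php
/**
 * Plugin Name: REST API allowlist for anonymous requests (added example)
 * Description: Illustrative alternative to a blanket block, not the module's
 *              own code. Anonymous clients may read a few routes; everything
 *              else still answers 401. Place in wp-content/mu-plugins/.
 */

// Route patterns anonymous clients may call, and the HTTP methods allowed on each.
// They are matched against WP_REST_Request::get_route(), e.g. "/wp/v2/posts/42".
// /wp/v2/users is deliberately absent so username enumeration stays blocked.
const EX_PUBLIC_ROUTES = array(
    '#^/wp/v2/posts(/\d+)?$#'      => array( 'GET', 'HEAD' ),
    '#^/wp/v2/categories(/\d+)?$#' => array( 'GET', 'HEAD' ),
    '#^/wp/v2/media/\d+$#'         => array( 'GET', 'HEAD' ),
);

function ex_rest_route_is_public( string $route, string $method ): bool {
    foreach ( EX_PUBLIC_ROUTES as $pattern => $methods ) {
        if ( in_array( $method, $methods, true ) && preg_match( $pattern, $route ) ) {
            return true;
        }
    }
    return false;
}

// rest_pre_dispatch runs after authentication and receives the parsed request, so the
// route and method are known here. Core also runs it for the sub-requests that serve
// ?_embed, so an embedded author (/wp/v2/users/N) is checked, and refused, as well.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result || is_user_logged_in() ) {
        return $result;
    }
    if ( ex_rest_route_is_public( $request->get_route(), $request->get_method() ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_disabled',
        'REST API is disabled for non-authenticated users.',
        array( 'status' => 401 )
    );
}, 10, 3 );
```

Keep the list as short as the integration actually needs and restrict it to GET/HEAD; a write method on an allowlisted route would reopen exactly the surface the module is meant to close.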
This module restricts the REST API; it doesn't completely disable it. Authenticated users retain full access. For complete API removal (a rare use case), additional code would be needed.