Why Do You Need to Disable the JSON REST API in WordPress?
There is no denying that the API will bring lots of benefits for WordPress developers. The API makes it super easy to retrieve data using GET requests, which is useful for those building apps with WordPress.
However, most site owners may not need those features at all.
That said, the API could potentially open your website to a new front of DDoS attacks. Serving API requests can be resource intensive and slow down your website.
Disabling it is similar to disabling XML-RPC, which many site admins turn off on their WordPress sites just to be on the safe side.
Disabling the JSON REST API in WordPress
The first thing you need to do is install and activate the Disable REST API plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
The plugin works out of the box and there are no settings for you to configure.
It will now forcibly return an authentication error to any API request from a source that is not logged in to your website.
This will effectively prevent unauthorized requests from using the REST API to get information from your website.
You can test this by visiting the http://example.com/wp-json page. Make sure you log out of the WordPress admin area first, or switch your browser to incognito mode.
Don’t forget to replace example.com with your own domain name. You will see this message, indicating that REST API requests are blocked.
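The logged-out check described above can also be scripted. The following Python sketch is an added example, not code from the plugin or from the original article. The function names and both sample responses are constructed, and it assumes the block is returned in WordPress's standard REST error format (a JSON object with code, message and data).

```python
import json
import urllib.error
import urllib.request


def classify(status, body):
    """Classify a logged-out response from /wp-json.

    Returns "blocked" for an authentication error, "open" when the API index
    is served to an anonymous client, and "unknown" for anything else.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"  # HTML error page, proxy block, empty body, ...
    if not isinstance(doc, dict):
        return "unknown"
    # WordPress REST errors are JSON objects carrying "code" and "message".
    if status in (401, 403) and "code" in doc and "message" in doc:
        return "blocked"
    # The API index lists the registered namespaces and routes.
    if status == 200 and "namespaces" in doc and "routes" in doc:
        return "open"
    return "unknown"


def fetch(url, timeout=10):
    """Fetch url with no cookies, i.e. as a logged-out visitor."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a body
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from a real site or the plugin).
SAMPLE_BLOCKED = (401, '{"code":"rest_login_required",'
                       '"message":"Login required.","data":{"status":401}}')
SAMPLE_OPEN = (200, '{"name":"Demo","namespaces":["wp/v2"],"routes":{"/":{}}}')

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python check.py http://example.com/wp-json
        print(classify(*fetch(sys.argv[1])))
    else:
        print(classify(*SAMPLE_BLOCKED), classify(*SAMPLE_OPEN))
```

An "unknown" result means the reply was neither a REST error nor the API index, so check the site by hand before assuming the API is blocked.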
That’s all. You have successfully disabled unauthorized REST API requests on your WordPress site.