WordPress: Disable REST API – Restrict Access

According to the official WordPress recommendations you should not disable the WordPress REST API as this will break the “WordPress Admin” functionality.

For example, the WordPress Block Editor requires the WordPress REST API and if you disable it you won’t be able to publish or update your posts anymore.

However, you can use a filter to require that API consumers be authenticated, which effectively prevents anonymous external access.

Cool Tip: How to enable a WordPress REST API if it has been disabled by the “W3 Total Cache” plugin! Read more →

Restrict Access to WordPress REST API

To disable the WordPress REST API for the anonymous users, you can require authentication for all REST API requests by adding an is_user_logged_in check to the rest_authentication_errors filter in a child theme’s functions.php file.

To edit this file, you can log in to your WordPress “Dashboard”, in the left sidebar hover over the “Appearance” and click on the “Theme Editor”.

Then, on the right, under the “Theme Files”, select the “Theme Functions (functions.php)”.

This will bring you up to the functions.php code editor.

Alternatively you can access the functions.php file over FTP or SSH on this path:

/wp-content/themes/<child_theme>/functions.php

To restrict access to the WordPress REST API, simply copy/paste the code below to your WordPress child theme’s functions.php file:

<?php
    add_filter( 'rest_authentication_errors', function( $result ) {
        // If a previous authentication check was applied,
        // pass that result along without modification.
        if ( true === $result || is_wp_error( $result ) ) {
            return $result;
        }
     
        // No authentication has been performed yet.
        // Return an error if user is not logged in.
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_not_logged_in',
                __( 'You are not currently logged in.' ),
                array( 'status' => 401 )
            );
        }
     
        // Our custom authentication check should have no effect
        // on logged-in requests
        return $result;
    });
?>

After saving this code to the functions.php file, the anonymous users should see the following error if they try to consume the REST API of your WordPress website:

{
   "code":"rest_not_logged_in",
   "message":"You are not currently logged in.",
   "data":{"status":401}
}

To check this by yourself you can open the following URL in the incognito/private window of your web-browser: https://<your-website>/wp-json/.

Cool Tip: How to enable a DEBUG mode in a WordPress! Read more →

Leave a Reply