Securing the WordPress API, including disabling the REST API where it is not needed, is an important aspect of site security. The REST API (wp-json) in WordPress lets other applications send HTTP requests to read and interact with website data, including information about posts, pages, categories, images, and other content. However, exposing the REST API also carries certain security risks.
Secure WordPress API: 2 Methods to Disable REST API (Disable wp-json)
Using the JSON API facilitates the integration of data from WordPress into mobile apps, other websites, or external services. If you visit /wp-json/wp/v2/posts or /wp-json/wp/v2/pages, you can retrieve information about the posts or pages on your WordPress site.
Alternatively, by accessing https://arriveddev.com/wp-json/, you can view the REST API namespaces and routes that the website is exposing.
Understanding the Security Risks Associated with REST API
Leaking Important Information: If not configured properly, REST APIs can expose sensitive information, such as usernames, email addresses, or other personal data. At its most basic, the API index reveals the plugin names, the theme, and the APIs in use.
Brute Force Attack: A brute force attack can be prepared by enumerating account information (such as usernames) through the REST API and then attempting logins with it, posing the risk of a security breach.
Changing Website Data: Without the necessary security measures, an attacker can modify website data through the REST API.
How to disable WordPress REST API (wp-json)
To ensure the security of your WordPress website and protect against REST API-related security risks, you can take the following measures to secure WordPress API:
Method 1: Use custom code in functions.php
You can add custom code to the functions.php file of the theme you are using to disable the REST API. For example, the following code disables wp-json for all requests except those from administrators, helping to secure the WordPress API:
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Leave an already-authenticated request, or an error raised by another handler, untouched.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    // Return an error if the current user is not an administrator.
    if ( ! current_user_can( 'administrator' ) ) {
        return new WP_Error( 'rest_not_logged_in', __( 'You are not currently logged in.' ), array( 'status' => 401 ) );
    }
    return $result;
} );
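The filter above is all-or-nothing. As an added example (not code from the original post), the following variant uses the same rest_authentication_errors hook plus the rest_endpoints filter to allow an assumed list of public namespaces ("contact-form-7/v1" and "oembed/1.0" are placeholders you would replace with your own), require a login for everything else, and hide the user-listing routes that feed username enumeration; the mysite_ function names are the example's own.

```php
// Added example, not code from the original post. Assumes it is placed in the active theme's
// functions.php and that "contact-form-7/v1" and "oembed/1.0" are the namespaces your site
// must expose to anonymous visitors; adjust that list to the integrations you actually use.
// Namespaces that anonymous visitors may still call. Everything else requires a login.
function mysite_public_rest_namespaces() {
    return array( 'contact-form-7/v1', 'oembed/1.0' );
}

// True when a requested route such as "/wp/v2/posts" or "/oembed/1.0/embed" falls under
// one of the allow-listed namespaces.
function mysite_rest_route_is_public( $route ) {
    $route = '/' . ltrim( (string) $route, '/' );
    foreach ( mysite_public_rest_namespaces() as $ns ) {
        if ( $route === '/' . $ns || 0 === strpos( $route, '/' . $ns . '/' ) ) {
            return true;
        }
    }
    return false;
}

// Gate 1: anonymous callers are refused outside the allow-list; logged-in users keep full
// access, so the block editor and authenticated plugin calls continue to work. Priority 101
// runs this after WordPress's own cookie/nonce check (priority 100), which downgrades a
// cookie session that carries no valid nonce to anonymous before this gate sees it.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( is_wp_error( $result ) ) {
        return $result; // another authentication handler already refused the request
    }
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    if ( is_user_logged_in() || mysite_rest_route_is_public( $route ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_login_required',
        __( 'Authentication is required to use the REST API.' ),
        array( 'status' => 401 )
    );
}, 101 );

// Gate 2: remove the user-listing routes for anyone who cannot list users in wp-admin,
// which closes the username-enumeration path that precedes brute-force login attempts.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! current_user_can( 'list_users' ) ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
```

Unlike the administrator-only filter above, this keeps front-end features that depend on the API (plugin forms, oEmbed previews) working for visitors while still hiding the route index and the user list from them. Test any allow-list change from a logged-out browser against /wp-json/ and /wp-json/wp/v2/users before relying on it.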
Method 2: Use a plugin to manage and disable API (wp-json)
There are many WordPress security plugins that can help you disable the REST API easily. These plugins provide options so you can disable or limit access to the REST API as desired. You can click on the links below to download and install one on your WordPress site.
Download links: Disable WP REST API (Jeff Starr) | Disable REST API (Dave McHale)
The REST API (wp-json) in WordPress provides powerful functionality for integrating and interacting with site data, but it also raises security concerns. By implementing security measures and disabling the REST API when it is not needed, you can protect important data and avoid potential security risks. Which method did you use? Please leave a comment below!