If your WordPress site does not use the WordPress REST API (very few plugins, themes, or other tools currently rely on it), we recommend disabling it for now, and we’ve built an easy way to do so into our iThemes Security plugin.
In this post, we cover how to disable the WordPress REST API using the iThemes Security plugin.
The WordPress REST API is a feature rolled out in WordPress 4.4 and greatly expanded in WordPress 4.7. As of WordPress 4.7, the REST API lets any client that can reach your site read site data over HTTP at /wp-json/, and core offers no setting to turn it off. Much of that data (published posts, pages, and the list of authors at /wp-json/wp/v2/users, for example) can be read without any authentication.
As a precaution, we recommend disabling the WordPress REST API for now. The REST API offers a lot of potential for extending WordPress, but because it’s a new feature there aren’t yet many uses for it.
There is currently no way to disable the WordPress REST API in WordPress core without a plugin or additional code, so we built a free feature into the iThemes Security plugin to easily disable the REST API (or limit it to admin-level users) on your WordPress site.
If you have questions, you can always hit the iThemes Help Desk.
How to Disable the WordPress REST API
You can easily disable the WordPress REST API using the iThemes Security plugin in just a few clicks.
- 1. Download and install the iThemes Security plugin. You can grab the free version of iThemes Security here. Make sure you’re running iThemes Security 5.9 or iThemes Security Pro 3.3+.
- 2. From the WordPress dashboard, visit the iThemes Security Settings page.
- 3. Scroll to the WordPress Tweaks section. Click “Configure Settings.”
- 4. In WordPress Tweaks, scroll to the REST API section. Here you’ll find the option to Disable REST API in the drop-down menu.
The following settings control how the REST API feature operates. Here’s a brief explanation of the REST API settings available:
Disable REST API – The REST API is disabled on the site. If your site does not use the REST API (very few plugins, themes, or other tools currently use it), we recommend disabling it for now. Bear in mind that later WordPress versions (5.0 and up) use the REST API for core features such as the block editor, so on those versions disabling it outright also breaks post editing.
Require Admin Privileges – The REST API can only be used by logged in users with admin-level privileges. This allows privileged users to test and develop with the REST API without allowing anonymous access to the data.
Enable REST API – The REST API is fully enabled and will function as normal. Use this setting only if the site makes use of the REST API.
- 5. Click the “Save Settings” button.
Success! Now you’ve disabled the REST API on your WordPress site.
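The post does not show how the plugin enforces these settings. As an added example (not the iThemes Security implementation), the must-use plugin below reproduces the three options using WordPress core’s rest_authentication_errors filter, which runs on every REST request after core has tried to authenticate it. The constant EXAMPLE_REST_API_MODE and the function name are assumptions chosen for this example; the filter, WP_Error, is_user_logged_in() and current_user_can() are real core APIs.

```php
<?php
/**
 * Plugin Name: Restrict REST API (added example)
 * Description: Copy to wp-content/mu-plugins/ to load without activation.
 */

// Assumed setting for this example, mirroring the three plugin options:
// 'disable', 'admin' or 'enable'.
if ( ! defined( 'EXAMPLE_REST_API_MODE' ) ) {
    define( 'EXAMPLE_REST_API_MODE', 'admin' );
}

/**
 * Gate every REST request before it is dispatched.
 *
 * Returning a WP_Error from rest_authentication_errors short-circuits the
 * request with that error (its 'status' becomes the HTTP status code);
 * returning the incoming value leaves normal behaviour in place.
 *
 * @param WP_Error|null|true $result Result of earlier authentication checks.
 * @return WP_Error|null|true
 */
function example_restrict_rest_api( $result ) {
    // Respect an error already set by another authentication handler
    // (for example core's invalid-nonce error).
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    switch ( EXAMPLE_REST_API_MODE ) {
        case 'disable':
            // Refuse everyone, including the /wp-json/ index.
            return new WP_Error(
                'rest_disabled',
                __( 'The REST API is disabled on this site.' ),
                array( 'status' => 403 )
            );

        case 'admin':
            // Anonymous clients get 401; logged-in non-admins get 403.
            if ( ! is_user_logged_in() ) {
                return new WP_Error(
                    'rest_not_logged_in',
                    __( 'You must be logged in to use the REST API.' ),
                    array( 'status' => 401 )
                );
            }
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'Only administrators may use the REST API.' ),
                    array( 'status' => 403 )
                );
            }
            return $result;

        case 'enable':
        default:
            return $result;
    }
}

// Priority 101: core's cookie/nonce check (rest_cookie_check_errors) is hooked
// at priority 100 and resets the current user to 0 when a cookie-authenticated
// request carries no valid X-WP-Nonce. Running after it means is_user_logged_in()
// reflects the REST-authenticated user, not merely the presence of a login cookie.
add_filter( 'rest_authentication_errors', 'example_restrict_rest_api', 101 );
```

To check the result from outside, request an endpoint that is public by default, e.g. `curl -i https://example.com/wp-json/wp/v2/users` (example.com standing in for your site). Before the change this returns a 200 with a JSON list of authors; with the 'admin' mode above it returns a 401 JSON error, and with 'disable' a 403.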
The iThemes Security plugin also provides a way to disable XML-RPC and activate XML-RPC Brute Force Protection. WordPress’ XML-RPC feature (xmlrpc.php) allows external services to access and modify content on the site. Common examples of services that use XML-RPC are the Jetpack plugin, the WordPress mobile app, and pingbacks.
If your WordPress site does not use a service that requires XML-RPC, select the “Disable XML-RPC” setting. XML-RPC is a frequent target: its system.multicall method lets a single request try many username/password combinations, and pingback.ping can be abused to make your server send requests to attacker-chosen URLs. Disabling it removes both avenues. You’ll find this setting located right above the Disable REST API setting in the WordPress Tweaks section of the iThemes Security plugin.
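For sites that prefer code over a plugin setting, here is an added example (not the iThemes Security implementation) of a must-use plugin that turns XML-RPC off. It goes further than the single xmlrpc_enabled filter because that filter only rejects calls that require a login; the pingback methods work without credentials and must be removed separately. The function names are assumptions chosen for this example; xmlrpc_enabled, xmlrpc_methods, wp_headers and rsd_link are real core hooks.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Description: Copy to wp-content/mu-plugins/ to turn off XML-RPC, including pingbacks.
 */

// 1. Refuse every authenticated XML-RPC call. Core consults this filter in
//    wp_xmlrpc_server::login(), so all methods that need credentials, including
//    the credential-guessing loops attackers run through system.multicall,
//    fail with "XML-RPC services are disabled on this site."
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. xmlrpc_enabled does NOT cover methods that work without a login, so drop
//    the pingback methods explicitly. Otherwise pingback.ping stays callable
//    and can be used to make this server request attacker-chosen URLs.
function example_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

// 3. Stop advertising the endpoint: drop the X-Pingback response header and the
//    RSD discovery <link> in the page head, both of which point scanners at xmlrpc.php.
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );
remove_action( 'wp_head', 'rsd_link' );
```

To verify, POST a method listing to the endpoint: `curl -d '<methodCall><methodName>system.listMethods</methodName></methodCall>' https://example.com/xmlrpc.php` (example.com standing in for your site) should no longer include pingback.ping, and any call to a method such as wp.getUsersBlogs should return the "XML-RPC services are disabled" fault regardless of the credentials supplied. Note that requests still reach PHP; if the goal is also to shed the request load from brute-force scanners, deny /xmlrpc.php at the web server as well.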
Secure Your WordPress Site with iThemes Security Now
Using a WordPress security plugin such as iThemes Security Pro is a great way to add an extra layer of protection to your WordPress site. Get WordPress two-factor authentication, WordPress malware scan and more with iThemes Security Pro.