Danger Sign, by Ben Hershey

Protect your WordPress by hiding the REST API

Antonio Villegas Avatar
Antonio Villegas

The WordPress REST API was introduced in the WordPress core at the end of 2016 with the release of WordPress 4.6. Like all the big changes that appear in the platform, the REST API generated controversy in some and indifference in others.

It’s even possible that you have no idea what it is, but if you have an updated version of WordPress (and you should) you are exposing many aspects of your website publicly through the REST API. Just append the fragment /wp-json/ to your domain name and visit this URL to see it with your own eyes.

Moreover, do the exercise of visiting the following web URLs and you may be surprised with what you’ll find:

  • mydomain.com/wp-json/wp/v2/users
  • mydomain.com/wp-json/wp/v2/posts

As a result of the first URL you will have a JSON with the data of the users of your web. Notice that user identifiers are included there, and this is something that people traditionally hide due to security issues and to prevent possible attacks.

The second URL shows us a list with the last posts. However, if you have protected content that only certain premium users of your website (in a membership site, for example) should have access to, it’s possible that you’ve been exposing this premium content through the REST API.

Let’s see how we can avoid compromised situations by being more aware of what we publicly expose through the WordPress REST API.

Show WordPress REST API Only to Registered Users

A solution that we can implement to hide the WordPress REST API is to prevent those users who are not registered on our website from accessing it.

To hide the REST API to unregistered users, we must add the following code in our WordPress. Remember that you can put it in the functions.php file of your theme or just develop a plugin for it (a much better option).

Once you have put this code in your WordPress, accessing a route of the REST API on your website while not logged in will result in an error message. Your content is now protected.

Show WordPress REST API Only to Administrators

Now imagine that what you want is that only users with the Administrator role in your WordPress can access the REST API. In this case, the code you have to use is the following:

Basically, we simply added a new check: current_user_can. If you want to check with a different role than the administrator, you just need to make the corresponding change in this function.

If you can think of a better way to avoid accessing the WordPress REST API, or in your case you do it differently, do not hesitate to leave a comment below ☺️

Nelio Forms

A fantastic contact plugin using the block editor. In its simplicity lies the true power of this plugin. I love it, very versatile and it worked perfectly for me.

Wajari Velasquez

WordPress.org

Free Download
Premium Version

Plugins to Disable The REST API in WordPress

In case you want to make more complex changes, you have the possibility to use plugins to disable the REST API in WordPress.

There are several plugins that allow you to disable the REST API in WordPress, but the one I recommend is Disable REST API by Dave McHale.

The Disable REST API plugin for WordPress allows you to have more control over which routes are active and which are not.
The Disable REST API plugin for WordPress allows you to have more control over
which routes are active and which are not.

By default, this plugin already prevents unregistered users from accessing the REST API of your WordPress. And in addition to it, the Disable REST API plugin allows you to select which API routes are active and which ones you want to disable on your website.

This way, controlling which data and information is public on your website through the WordPress REST API is tremendously simple.

Featured image by Ben Hershey on Unsplash.

11 responses to “Protect your WordPress by hiding the REST API”

  1. Sam Jaff Avatar
    Sam Jaff

    Hi,

    Thanks for sharing this information. I really appreciated. 🙂

    Reply
  2. Guto Avatar
    Guto

    Fantastic, my friend! Thank you for sharing this. I found bots snooping around using this method. Your code worked charmly and now only adm can download both files.

    Reply
    1. Antonio Villegas Avatar
      Antonio Villegas

      Glad to know you find it useful!

      Reply
  3. Ryan Avatar
    Ryan

    If access to the REST API is limited to only administrators, what impact does it have to WordPress plugins?

    Reply
    1. Antonio Villegas Avatar
      Antonio Villegas

      Hi Ryan. Nice question! If you limit or completely deactivate the REST API, some plugins may fail. If you’re using plugins that use the REST API, make sure you only limit the endpoints they don’t use (with a plugin like this one). Otherwise they won’t work.

      Reply
  4. Peak Avatar
    Peak

    Cheers for the heads up guys 🙂 Great resource and much appreciated.

    Reply
    1. Antonio Villegas Avatar
      Antonio Villegas

      Thanks!

      Reply
  5. smartDIYer Avatar
    smartDIYer

    Thanks……..Perfect Code

    Reply
  6. supriya sonawane Avatar
    supriya sonawane

    Thank you so much for sharing this code,
    saved my day

    Reply
  7. Ashutosh Singh Avatar
    Ashutosh Singh

    I am using WordPress API in Headless architecture. I have written various API for custom front end. Is there any way to hide the list of all APIs and keep using custom REST APIs.

    Reply
    1. David Aguilera Avatar
      David Aguilera

      I think this is what you need: https://developer.wordpress.org/reference/hooks/rest_index/

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

I have read and agree to the Nelio Software Privacy Policy

Your personal data will be located on SiteGround and will be treated by Nelio Software with the sole purpose of publishing this comment here. The legitimation is carried out through your express consent. Contact us to access, rectify, limit, or delete your data.