The WordPress REST API was introduced in the WordPress core at the end of 2016 with the release of WordPress 4.6. Like all the big changes that appear in the platform, the REST API generated controversy in some and indifference in others.
It’s even possible that you have no idea what it is, but if you have an updated version of WordPress (and you should) you are exposing many aspects of your website publicly through the REST API. Just append the fragment
/wp-json/ to your domain name and visit this URL to see it with your own eyes.
Moreover, do the exercise of visiting the following web URLs and you may be surprised with what you’ll find:
As a result of the first URL you will have a JSON with the data of the users of your web. Notice that user identifiers are included there, and this is something that people traditionally hide due to security issues and to prevent possible attacks.
The second URL shows us a list with the last posts. However, if you have protected content that only certain premium users of your website (in a membership site, for example) should have access to, it’s possible that you’ve been exposing this premium content through the REST API.
Let’s see how we can avoid compromised situations by being more aware of what we publicly expose through the WordPress REST API.
Show WordPress REST API Only to Registered Users
A solution that we can implement to hide the WordPress REST API is to prevent those users who are not registered on our website from accessing it.
To hide the REST API to unregistered users, we must add the following code in our WordPress. Remember that you can put it in the
functions.php file of your theme or just develop a plugin for it (a much better option).
Once you have put this code in your WordPress, accessing a route of the REST API on your website while not logged in will result in an error message. Your content is now protected.
Show WordPress REST API Only to Administrators
Now imagine that what you want is that only users with the Administrator role in your WordPress can access the REST API. In this case, the code you have to use is the following:
Basically, we simply added a new check:
current_user_can. If you want to check with a different role than the administrator, you just need to make the corresponding change in this function.
If you can think of a better way to avoid accessing the WordPress REST API, or in your case you do it differently, do not hesitate to leave a comment below ☺️
Plugins to Disable The REST API in WordPress
In case you want to make more complex changes, you have the possibility to use plugins to disable the REST API in WordPress.
By default, this plugin already prevents unregistered users from accessing the REST API of your WordPress. And in addition to it, the Disable REST API plugin allows you to select which API routes are active and which ones you want to disable on your website.
This way, controlling which data and information is public on your website through the WordPress REST API is tremendously simple.