I am considering improving the security of my WordPress website, and in doing so have come across the WP REST API being enabled by default (since WP 4.4, if I'm not mistaken).
What is a safe way to disable it?
By "safe" here I mean that it does not cause unexpected side-effects, e.g. does not break any other WP core functionality.
One possible approach would be to use .htaccess rewrite rules, but surprisingly I haven't found any 'official' instructions on doing so.
Any help or recommendation is greatly appreciated :)
Update: 3rd-party plugins are not the solution I am looking for. Although I'm aware there are plenty of them that solve the task, they include many extra features that slow down the website. I would hope there is a one-line solution to this problem without the overhead of an extra plugin.
Update 2: Here is the official opinion of WordPress: https://developer.wordpress.org/rest-api/using-the-rest-api/frequently-asked-questions/#can-i-disable-the-rest-api
According to this, the WordPress team wants future WP functionality to depend on the new REST API. This means there is no guaranteed safe way to disable the REST API.
Let's just hope there are enough security experts taking care of WP security.
Update 3:
A workaround is presented in the WordPress API Handbook: you can Require Authentication for All Requests.
This makes sure that anonymous access to your website's REST API is disabled; only authenticated requests will work.
More precisely, it allows you to specify which routes can be accessed by unauthenticated users or users with specific user roles. To set this, navigate to Settings > Disable REST API. Then choose the appropriate user type with the Rules for: option and set the rules you want in the Manage Rules section below.
Almost any website has the API exposed, and visiting /wp-json/wp/v2/users helps me easily find which users are registered. This should be considered a security issue, not because of the technical difficulties, but because a lot (if not all) of the information from the website is exposed.
REST API Authentication will make your WordPress login endpoints secure from unauthorized access. You can protect the API with ease and in a highly secure way using this plugin.
From the author's original question I've chosen option 2, which came from the official WordPress recommendations (https://developer.wordpress.org/rest-api/using-the-rest-api/frequently-asked-questions/#can-i-disable-the-rest-api). So just put this in your functions.php to let only logged-in users use the REST API (but just cross-check the original link in case my code block is outdated ;) ). UPD (01-10-2021):

```php
add_filter( 'rest_authentication_errors', function( $result ) {
    // If a previous authentication check was applied,
    // pass that result along without modification.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // No authentication has been performed yet.
    // Return an error if user is not logged in.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }

    // Our custom authentication check should have no effect
    // on logged-in requests.
    return $result;
} );
```
You can disable it for requests that do not come from localhost:

```php
function restrict_rest_api_to_localhost() {
    // Only loopback addresses may reach the REST API. Note that behind a
    // reverse proxy or CDN, REMOTE_ADDR holds the proxy's address, not the
    // visitor's, so this check must be adapted to that setup.
    $whitelist = [ '127.0.0.1', '::1' ];
    if ( ! in_array( $_SERVER['REMOTE_ADDR'], $whitelist, true ) ) {
        die( 'REST API is disabled.' );
    }
}
add_action( 'rest_api_init', 'restrict_rest_api_to_localhost', 0 );
```
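A middle ground between the two answers above, as an added example that is not from the question or any of the answers: require a logged-in user for every route except an explicit allow-list of public routes, decided per request with the core `rest_pre_dispatch` filter (which, unlike `rest_authentication_errors`, receives the `WP_REST_Request`). The route prefixes in the allow-list are assumptions to adjust for your site.

```php
<?php
// Added example, not from the original question or answers. Drop it into
// the active theme's functions.php or a must-use plugin.

/**
 * Route prefixes that stay reachable anonymously; everything else needs a
 * logged-in user. The oEmbed prefix keeps embeds of your own posts working;
 * the commented entry is an assumed placeholder for a form plugin namespace.
 */
function example_rest_public_route_prefixes() {
    return array(
        '/oembed/1.0/',
        // '/contact-form-7/v1/', // assumed namespace; enable if you rely on it
    );
}

/**
 * True when $route (e.g. "/wp/v2/users") starts with an allow-listed prefix.
 */
function example_rest_route_is_public( $route ) {
    foreach ( example_rest_public_route_prefixes() as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already short-circuited this request; leave it alone.
    if ( null !== $result ) {
        return $result;
    }

    if ( example_rest_route_is_public( $request->get_route() ) ) {
        return $result;
    }

    // Cookie auth for REST only counts when a valid nonce is sent, which the
    // block editor and admin screens do; anonymous callers stop here with a
    // 401 before any controller runs, so /wp/v2/users is no longer listable.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
}, 10, 3 );
```

Because core authentication runs before `rest_pre_dispatch`, this composes with the `rest_authentication_errors` snippet above rather than replacing it.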