Name: Disable WP REST API
Rating: 4.8 (36 reviews)

Beschreibung

Does one thing: Completely disables the WordPress REST API for visitors who are not logged into WordPress. No configuration required.

Important: This plugin completely disables the WP REST API for visitors who are NOT logged in to WordPress. So not recommended if your site needs the WP REST API for any non-logged users.

👉 The fast, simple way to prevent abuse of your site’s REST/JSON API
👉 Protects your site’s REST data from all non-logged users and bots
👉 Uses only 4KB of code, so super lightweight, fast, and effective

Funktionen

Disable REST/JSON for visitors (not logged in)
Disables REST header in HTTP response for all users
Disables REST links in HTML head for all users
100% plug-and-play, set-it-and-forget solution

How does it work?

This plugin completely disables the WP REST API unless the user is logged into WordPress.

For logged-in users, WP REST API works normally
For logged-out users, WP REST API is disabled

What happens if logged-out visitor makes a JSON/REST request? They will get only a simple message:

rest_login_required: REST API restricted to authenticated users.

This message may customized via the filter hook, disable_wp_rest_api_error. Check out this post for an example of how to do it.

Datenschutz

Dieses Plugin sammelt und speichert keine Benutzerdaten. Es setzt keine Cookies und es verbindet sich zu keinen Drittanbietern. Daher beeinträchtigt dieses Plugin die Privatsphäre des Benutzers in keiner Weise. Wenn überhaupt, dann verbessert es die Privatsphäre des Benutzers, da es potenziell sensible Informationen vor der Anzeige/Aufruf durch die RESP API schützt.

Disable WP REST API is developed and maintained by Jeff Starr, 15-year WordPress developer and book author.

Support development of this plugin

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

And/or purchase one of my premium WordPress plugins:

BBQ Pro – Blazing fast WordPress firewall
Blackhole Pro – Automatically block bad bots
Banhammer Pro – Monitor traffic and ban the bad guys
GA Google Analytics Pro – Connect WordPress to Google Analytics
Head Meta Pro – Ultimate Meta Tags for WordPress
Simple Ajax Chat Pro – Unlimited chat rooms
USP Pro – Unlimited front-end forms

Links, tweets and likes also appreciated. Thank you! 🙂

Installation

How to Install

Upload the plugin to your blog and activate
Done! No further configuration is required.

More info on installing WP plugins

Testing

To test that the plugin is working, log out of WordPress and then request https://example.com/wp-json/ in a browser. See FAQs for more infos.

Gefällt dir das Plugin?

If you like Disable WP REST API, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!

Uninstalling

To uninstall/remove the plugin, visit the Plugins screen, deactivate and delete the plugin. This plugin makes no changes to the WP database.

FAQ

Why would anyone want to disable the REST API?

Technically this plugin disables REST API only for visitors who are not logged into WordPress. With that in mind, here are some good reasons why someone would want to disable REST API for non-logged users:

The REST API may not be needed for non-logged users
Disabling the REST API conserves server resources
Disabling the REST API minimizes potential attack vectors
Disabling the REST API prevents content scraping and plagiarism

I’m sure there are other valid reasons, but you get the idea 🙂

What is the default access-denied message?

When the user is logged in to WordPress, the normal REST API data will be displayed. When the user is not logged in, this is the default message:

{"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}

How do I test that REST is disabled?

Testing is easy:

Von WordPress abmelden
Using a browser, request https://example.com/wp-json/

If you see the following message, REST is disabled:

„rest_login_required: REST API restricted to authenticated users.“

Then if you log back in and make a new request for https://example.com/wp-json/, you will see that REST is working normally.

Does it disable REST functionality added by other plugins?

Yes. If the user is NOT logged in, this plugin disables ALL endpoints that are registered with the WP REST API. Otherwise, if the user IS logged in, then this plugin does not block anything.

Funktioniert es mit dem Gutenberg/Block Editor?

Yes. It works the same regardless of which editor (Classic or Block) you are using.

Wie kannst du die Fehlermeldung anpassen?

By default the plugin displays a message for unauthenticated users: „REST API restricted to authenticated users.“ To customize that message to whatever you want, add the following code via functions.php or simple custom plugin:

function disable_wp_rest_api_error_custom($message) {

    return 'Customize your message here.'; // change this to whatever you want

}
add_filter('disable_wp_rest_api_error', 'disable_wp_rest_api_error_custom');

Wie wird der Zugriff für Contact Form 7 zugelassen?

As explained in this thread, the plugin Contact Form 7 requires REST API access in order for the contact form to work. To allow for this, follow this guide.

Hast du Fragen?

Sende Fragen und Feedback über mein Kontaktformular

Rezensionen

pftsoi 8. September 2025

good job

terrymason 19. November 2024

just activate the plugin and it works.

wildstar2022 6. Mai 2024

I’ve tried many different solutions using functions.php because I did not want to install yet another plugin. I’m glad I found this one though. It’s simple, lightweight, maintains privacy, and functions with the latest version of WordPress. Thanks Jeff!

metaeditor 29. März 2023

In generel a Good security concept . But at the other end many plugin developer use the Rest API Could be done much easier with a 5 3 line htaccess rule to block only ^.*wp-json/wp/v2/(users But anyway a good solution if you have a simpel installation.

Hendrik57 12. Februar 2023 6 Antworten

As the title says: Blocks Contact Form 7 forms sending after install and activate.

tinaponting 29. Dezember 2024

Great plugin, takes nopower from the blog:)

Alle 36 Rezensionen lesen

Mitwirkende und Entwickler

„Disable WP REST API“ ist Open-Source-Software. Folgende Menschen haben an diesem Plugin mitgewirkt:

Jeff Starr

„Disable WP REST API“ wurde in 8 Sprachen übersetzt. Danke an die Übersetzer für ihre Mitwirkung.

Übersetze „Disable WP REST API“ in deine Sprache.

Interessiert an der Entwicklung?

Durchstöbere den Code, sieh dir das SVN-Repository an oder abonniere das Entwicklungsprotokoll per RSS.

Änderungsprotokoll

If you like Disable WP REST API, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!

2.6.7

Adds GNU/GPL license information
Improves readme.txt documentation
Tests on PHP 8.4 and 8.5
Tests on WordPress 6.9

Full changelog @ https://plugin-planet.com/wp/changelog/disable-wp-rest-api.txt

good job

Very simple and effective

I like it!

Good Stuff – but make many other things more complicate

Blocks Contact Form 7 forms sending

Super simple plugin

Beschreibung

Funktionen

Datenschutz

Support development of this plugin

Installation

FAQ

Why would anyone want to disable the REST API?

What is the default access-denied message?

How do I test that REST is disabled?

Does it disable REST functionality added by other plugins?

Funktioniert es mit dem Gutenberg/Block Editor?

Wie kannst du die Fehlermeldung anpassen?

Wie wird der Zugriff für Contact Form 7 zugelassen?

Hast du Fragen?

Rezensionen

Mitwirkende und Entwickler

Interessiert an der Entwicklung?

Änderungsprotokoll

2.6.7

Meta

Bewertungen

Mitwirkende

Support

Spenden