RBA Cash Rate: 4.35% · 1AUD = 0.67 USD · Inflation: 5.4%  
Leading Digital Marketing Experts | 1300 235 433 | Aggregation Enquires Welcome | Book Appointment
1300235433
Example Interest Rates: Home Loan Variable: 5.20% (5.24%*) • Home Loan Fixed: 5.39% (6.11%*) • Fixed: 5.39% (6.11%*) • Variable: 5.20% (5.24%*) • Investment IO: 5.63% (6.88%*) • Investment PI: 5.49% (6.32%*)

Disable The WordPress Rest API

BeliefMedia Logo
1300235433

Disable The WordPress Rest API

The WordPress REST API provides API endpoints for WordPress data types that allow developers to interact with sites remotely by sending and receiving JSON (JavaScript Object Notation) objects. Since version 4.7 of the platform, the API is available by default without need for a plugin. If you're new to the API concept and you'd like to see an example of returned data (and assuming you're using an up-to-date version of WordPress), visit the following URL in your browser: http://www.YourDomain.com/wp-json/wp/v2/posts/ (replace YourDomain.com with your own domain).

The REST API is brilliant. It's a platform agnostic API that can be built into any application in any number of ways. For developers, the API has introduced the opportunity to build applications that weren't possible via the XML-RPC functionality (made available in WordPress 3.4, and turned on by default since WordPress 3.5). We've integrated the API into our Social Media and Marketing Platform to communicate with our client websites, and we're slowly doing away with the features and functions that relied on older methods.

If you're not using the REST API, it's best to disable the feature. Leaving it exposed makes all your data available in a way that gives RSS -scrapers gooey night-dreams, and it opens up your site to usage outside of your control. The three example WordPress filters that follow are written to limit API usage in different ways. If you're not using the API and don't want anybody else snooping around, we have a plugin download below that completely disables the feature.

Disable All REST API Access

Copy and paste the WordPress function into your theme's functions.php file or, if you sensibly have one installed, your custom functions plugin.

1
<?php 
2
/*
3
 Remove the WP REST API JSON Endpoints for all users
4
*/
5
 
6
function beliefmedia_disable_rest_api($access) {
7
  return new WP_Error( 'no_access_granted', 'Bye', array( 'status' => 403 ) );
8
}
9
add_filter( 'rest_authentication_errors', beliefmedia_disable_rest_api);

Disable Endpoints for Logged Out Users

Copy and paste the WordPress function into your theme's functions.php file or, if you sensibly have one installed, your custom functions plugin.

1
<?php 
2
/*
3
 Enable the WP REST API JSON Endpoints for Logged In Users
4
*/
5
 
6
function beliefmedia_only_allow_logged_in_restapi($access) {
7
  if (!is_user_logged_in()) {
8
    return new WP_Error( 'no_access_granted', 'Not logged in', array( 'status' => 403 ) );
9
  }
10
 return $access;
11
}
12
add_filter( 'rest_authentication_errors', 'beliefmedia_only_allow_logged_in_restapi');

Enable Endpoints With Valid API Key

The following is a basic example. A more robust means of authentication is expected (perhaps integrated into user options). WordPress recommends OAuth authentication, application passwords, or basic authentication for external applications, and cookie-based authentication for internal plugins. Depending upon your application, you might also consider measuring or rate-limiting user usage.

Copy and paste the WordPress function into your theme's functions.php file or, if you sensibly have one installed, your custom functions plugin.

1
<?php 
2
/*
3
 Enable the WP REST API JSON Endpoints with valid Key
4
*/
5
 
6
function beliefmedia_check_rest_apikey($access) {
7
  $api_key = '123456';
8
  $apikey = $_GET['apikey'];
9
  if ($apikey != $api_key) return new WP_Error( 'no_access_granted', 'Invalid API Key', array( 'status' => 403 ) );
10
   else return $access;
11
}
12
add_filter( 'rest_authentication_errors', beliefmedia_check_rest_apikey);

The &apikey=123456 should be appended to all your requests. You may also pass credentials or an API key in the header request as follows:

1
<?php 
2
$headers = array (
3
 'Authorization' => 'Basic ' . base64_encode( 'username:password' ),
4
);
5
 
6
$response = wp_remote_request('http://www.YourDomain.com/wp-json/posts/1234/', array(
7
 'method' => 'DELETE',
8
 'headers' => $headers
9
));

The above example will delete a post with ID of 1234 (obviously authentication is required for such actions). However, passing usernames and passwords is a less-than-ideal means of accomplishing the task. Passing a public encryption key that is interpreted server-side might mitigate some of the risks with this method... however, it's beyond the scope of this article.

Actions

If you're removing the API completely, the following will remove additional API features.

1
<?php 
2
remove_action('wp_head', 'rest_output_link_wp_head');
3
remove_action('wp_head', 'wp_oembed_add_discovery_links');
4
remove_action('template_redirect', 'rest_output_link_header');

Resource

We'll share lots of funky API functions in the future.

Download Plugin

The plugin is intended for those that wish to disable the WordPress REST API features to all users. If you're a client, do not install this; our plugin disables access to unauthorized applications and white-lists our platform.


Title: Disable The WordPress Rest API (WP Plugin)
Description: Disable access to the WordPress REST API.
  Download • Version 0.1, 1.4K, zip, Category: WordPress Plugins (General)

Download our 650-page guide on Finance Marketing. We'll show you exactly how we generate Billions in volume for our clients.

  AUS Eastern Standard Time (Washington)

  Want to have a chat?
 

RELATED READING

Like this article?

Share on Facebook
Share on Twitter
Share on Linkdin
Share on Pinterest
Martin Khoury

Martin Khoury

Martin is the Managing Director of BeliefMedia Pty Limited, and Australia's leading Finance Marketing Specialist. He is supported by a team of Australia's finest. Read more about Marty here.

Leave a comment

Call us on 1300 235 433
Enquire Online
Make an Appointment
General Enquires: 1300 235 433Support: (02) 8765 8887
The comparison rate is calculated on a secured loan of $150,000 with a term of 25 years with monthly principal and interest payments. WARNING: This comparison rate is true only for examples given and may not include all fees and charges. Different terms, fees or other loan amounts might result in a different comparison rate. Important Information: Applications are subject to credit approval. Full terms and conditions will be included in our loan offer. Fees and charges are payable. Interest rates are subject to change. Offer does not apply to internal refinances and is not transferable between loans. As this advice has been prepared without considering your objectives, financial situation or needs, you should consider its appropriateness to your circumstances before acting on the advice. [ Example Credit Guide Link ]
Facebook Twitter Youtube Linkedin Facebook-f
    
© BeliefMedia | PrivacyTermsDisclaimer
BeliefMedia Pty Limited