
Disable The WordPress Rest API

The WordPress REST API provides API endpoints for WordPress data types that allow developers to interact with sites remotely by sending and receiving JSON (JavaScript Object Notation) objects. Since version 4.7 of the platform, the API is available by default without the need for a plugin. If you're new to the API concept and you'd like to see an example of returned data (and assuming you're using an up-to-date version of WordPress), visit the following URL in your browser: http://www.YourDomain.com/wp-json/wp/v2/posts/ (replace YourDomain.com with your own domain).

The REST API is brilliant. It's a platform agnostic API that can be built into any application in any number of ways. For developers, the API has introduced the opportunity to build applications that weren't possible via the XML-RPC functionality (made available in WordPress 3.4, and turned on by default since WordPress 3.5). We've integrated the API into our Social Media and Marketing Platform to communicate with our client websites, and we're slowly doing away with the features and functions that relied on older methods.

If you're not using the REST API, it's best to disable the feature. Leaving it exposed makes all your data available in a way that gives RSS scrapers gooey night-dreams, and it opens up your site to usage outside of your control. The three example WordPress filters that follow limit API usage in different ways. If you're not using the API and don't want anybody else snooping around, we have a plugin download below that completely disables the feature.

Disable All REST API Access

Copy and paste the WordPress function into your theme's functions.php file or, if you sensibly have one installed, your custom functions plugin.

<?php 
/*
 Remove the WP REST API JSON Endpoints for all users
*/

function beliefmedia_disable_rest_api($access) {
  // Every REST request, authenticated or not, is rejected with a 403.
  return new WP_Error( 'no_access_granted', 'Bye', array( 'status' => 403 ) );
}
// The callback name is passed as a quoted string.
add_filter( 'rest_authentication_errors', 'beliefmedia_disable_rest_api' );

Disable Endpoints for Logged Out Users

Copy and paste the WordPress function into your theme's functions.php file or, if you sensibly have one installed, your custom functions plugin.

<?php 
/*
 Enable the WP REST API JSON Endpoints for Logged In Users
*/

function beliefmedia_only_allow_logged_in_restapi($access) {
  // Anonymous requests are rejected; logged-in requests keep whatever result
  // earlier authentication filters produced.
  if (!is_user_logged_in()) {
    return new WP_Error( 'no_access_granted', 'Not logged in', array( 'status' => 403 ) );
  }
  return $access;
}
add_filter( 'rest_authentication_errors', 'beliefmedia_only_allow_logged_in_restapi');

Enable Endpoints With Valid API Key

The following is a basic example. A more robust means of authentication is expected (perhaps integrated into user options). WordPress recommends OAuth authentication, application passwords, or basic authentication for external applications, and cookie-based authentication for internal plugins. Depending upon your application, you might also consider measuring or rate-limiting user usage.

Copy and paste the WordPress function into your theme's functions.php file or, if you sensibly have one installed, your custom functions plugin.

<?php 
/*
 Enable the WP REST API JSON Endpoints with valid Key
*/

function beliefmedia_check_rest_apikey($access) {
  $api_key = '123456'; // example value only: use a long random secret
  // Read the key from the query string without raising an undefined-index notice.
  $apikey = isset( $_GET['apikey'] ) ? (string) $_GET['apikey'] : '';
  // hash_equals() is a strict, constant-time comparison (no loose != and no timing leak).
  if ( ! hash_equals( $api_key, $apikey ) ) {
    return new WP_Error( 'no_access_granted', 'Invalid API Key', array( 'status' => 403 ) );
  }
  return $access;
}
add_filter( 'rest_authentication_errors', 'beliefmedia_check_rest_apikey' );

With that filter in place, apikey=123456 must be appended as a query parameter to every request. You may also pass credentials (or an API key) in the request headers, as follows:

<?php 
// Basic authentication header: the username and password are only base64-encoded, not encrypted.
$headers = array (
 'Authorization' => 'Basic ' . base64_encode( 'username:password' ),
);

$response = wp_remote_request('http://www.YourDomain.com/wp-json/posts/1234/', array(
 'method' => 'DELETE',
 'headers' => $headers
));

The above example will delete the post with ID 1234 (obviously authentication is required for such actions). However, passing usernames and passwords is a less-than-ideal means of accomplishing the task. Passing a public encryption key that is interpreted server-side might mitigate some of the risks with this method... however, it's beyond the scope of this article.
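As an added example (not code from the original article or the BeliefMedia plugin), the following filter combines the API-key and header ideas above: anonymous requests must carry the key in a request header rather than the query string (so it does not end up in access logs or browser history), the comparison is constant-time, and any decision an earlier authentication filter has already made is preserved. The option name beliefmedia_rest_api_key and the X-API-Key header are assumptions of this example.

```php
<?php
/*
 Added example: require an API key in a request header for anonymous REST
 requests. Assumes the key is stored in the 'beliefmedia_rest_api_key'
 option (e.g. set with: wp option update beliefmedia_rest_api_key <key>)
 and is sent as "Authorization: Bearer <key>" or "X-API-Key: <key>".
*/

function beliefmedia_get_request_api_key() {
  // PHP exposes request headers as HTTP_* entries in $_SERVER. Some server
  // setups do not pass Authorization through to PHP, hence the X-API-Key fallback.
  if ( ! empty( $_SERVER['HTTP_X_API_KEY'] ) ) {
    return trim( (string) $_SERVER['HTTP_X_API_KEY'] );
  }
  $auth = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? (string) $_SERVER['HTTP_AUTHORIZATION'] : '';
  if ( stripos( $auth, 'Bearer ' ) === 0 ) {
    return trim( substr( $auth, 7 ) );
  }
  return '';
}

function beliefmedia_check_rest_apikey_header( $result ) {
  // An earlier filter already authenticated (true) or rejected (WP_Error)
  // the request; leave that decision alone.
  if ( true === $result || is_wp_error( $result ) ) {
    return $result;
  }
  // Cookie-authenticated users (the dashboard and the editor) are handled by
  // WordPress's own nonce check, which runs later on this same filter.
  if ( is_user_logged_in() ) {
    return $result;
  }
  $expected = (string) get_option( 'beliefmedia_rest_api_key', '' );
  $supplied = beliefmedia_get_request_api_key();
  // No configured key means nothing can match: deny rather than fall open.
  // hash_equals() is a strict, constant-time comparison.
  if ( '' === $expected || '' === $supplied || ! hash_equals( $expected, $supplied ) ) {
    return new WP_Error(
      'rest_invalid_api_key',
      'A valid API key is required.',
      array( 'status' => 401 )
    );
  }
  return $result;
}
add_filter( 'rest_authentication_errors', 'beliefmedia_check_rest_apikey_header' );
```

Since WordPress 5.0 the block editor itself talks to the REST API, so the logged-in pass-through is what keeps post editing working when anonymous access is locked down this way.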

Actions

If you're removing the API completely, the following will remove additional API features.

<?php 
// Remove the REST API discovery <link> from the page head.
remove_action('wp_head', 'rest_output_link_wp_head');
// Remove the oEmbed discovery links from the page head.
remove_action('wp_head', 'wp_oembed_add_discovery_links');
// WordPress registers this hook at priority 11; remove_action must match it or it silently does nothing.
remove_action('template_redirect', 'rest_output_link_header', 11);

Resource

We'll share lots of funky API functions in the future.

Download Plugin

The plugin is intended for those that wish to disable the WordPress REST API features to all users. If you're a client, do not install this; our plugin disables access to unauthorized applications and white-lists our platform.


Title: Disable The WordPress Rest API (WP Plugin)
Description: Disable access to the WordPress REST API.
  Download • Version 0.1, 1.4K, zip, Category: WordPress Plugins (General)
