The WordPress REST API provides API endpoints for WordPress data types that allow developers to interact with sites remotely by sending and receiving JSON objects.

Endpoints are exposed under a common base URI on every site, for example:

https://performwp.com/wp-json/

While the WordPress REST API is great, one problem is that by default it publicly lists every user who has published content on your WordPress site, including each user's ID, display name, and slug, via the following URL:

https://performwp.com/wp-json/wp/v2/users

This might not be something you want everyone to know. Why? Because the slug returned for each user is, unless you have changed it, derived from that user's login name, so the list hands an attacker the usernames to feed into a password-guessing (brute-force) attack against every account that has published on your site. Hopefully your authors, contributors, and administrators are using strong passwords, but still, having your username list wide open isn't ideal.

Therefore, the Perform plugin now has an option that lets you disable the WordPress REST API.

What Uses the REST API?

Because plugins, services, and apps rely on the REST API, you usually don't want to disable it completely, so we have built in a permission model instead. Here are a few examples of things that use the REST API:

  • Yoast SEO and Ryte dashboard widget
  • Some specific WooCommerce dashboard widgets
  • The new Gutenberg block editor uses the REST API to communicate when you make page and post edits. If you disable it completely you will get an error: “Updating failed.”

Therefore, we have different permissions you can use. For example, you can select the option to “Disable for Non-Admins” or “Disable When Logged Out.”

How to Disable the WordPress REST API

To disable the REST API, open the plugin settings and select an option under "Disable REST API."

There are three different options. By default, the REST API is enabled. You can then choose to disable it for non-admins (recommended, and what we use), or disable it only when logged out. If you are working with authors or editors who use the block editor, "Disable for Non-Admins" will break their edits, so choose "Disable When Logged Out" (or leave the API enabled) instead.

When a requester doesn't have permission under the selected option, the REST API request is rejected and the following error response is returned instead of the normal JSON:

{"code":"rest_authentication_error","message":"Sorry, you do not have permission to make REST API requests.","data":{"status":401}}
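The following snippet is an added example, not the plugin's own code: it implements the three modes described above using WordPress' own rest_authentication_errors filter, which core runs for every REST request before the route is dispatched. The option name example_rest_api_mode, its three values, and the function name example_rest_api_allowed are assumptions made for this example; the plugin stores its setting under its own key.

```php
<?php
/**
 * Added example (not the plugin's own code): restrict the WordPress REST API
 * with the rest_authentication_errors filter.
 *
 * Assumed option 'example_rest_api_mode' holds one of:
 *   'enabled'    - default WordPress behaviour, everyone may call the API
 *   'non_admins' - only administrators may call the API
 *   'logged_out' - any logged-in user may call the API
 */

/**
 * Decide whether the current requester may use the REST API for a given
 * mode. Kept as a separate function so the rule can be tested on its own.
 */
function example_rest_api_allowed( $mode ) {
	switch ( $mode ) {
		case 'non_admins':
			// Administrators hold manage_options; editors and authors do not.
			return current_user_can( 'manage_options' );
		case 'logged_out':
			return is_user_logged_in();
		default:
			// 'enabled' or an unrecognised value: leave the API open.
			return true;
	}
}

add_filter( 'rest_authentication_errors', function ( $result ) {
	// Another callback has already produced a WP_Error (or an explicit
	// "authenticated" true); do not override its decision.
	if ( ! empty( $result ) ) {
		return $result;
	}

	$mode = get_option( 'example_rest_api_mode', 'non_admins' );

	if ( example_rest_api_allowed( $mode ) ) {
		// null lets core continue with its normal cookie/nonce checks.
		return $result;
	}

	// Same code and message as the JSON shown above. 401 matches that
	// output; rest_authorization_required_code() would instead return 403
	// for a logged-in user who is simply not an administrator.
	return new WP_Error(
		'rest_authentication_error',
		__( 'Sorry, you do not have permission to make REST API requests.' ),
		array( 'status' => 401 )
	);
} );
```

Two points worth knowing about this approach. First, because the filter runs for every REST request, the 'non_admins' mode also rejects the block editor's save requests from editors and authors, which is exactly the "Updating failed." symptom mentioned above. Second, the callback runs at the default priority (10), ahead of core's own rest_cookie_check_errors callback at priority 100, so allowed requests still go through the normal cookie and nonce verification afterwards.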

You can also remove the REST API links from your WordPress site's front-end code. Check out our article on how to remove WordPress REST API links. Keep in mind that this setting only covers the REST API itself; it is still worth checking whether other parts of your site, such as author archive URLs, reveal the same user slugs.