As of WordPress 4.7, the highly anticipated REST API is now part of core. With it comes the ability to freely access website data in the form of JSON responses.
The core endpoints expose data such as posts, comments and users. Very importantly (and rather disturbingly), most of that data can be accessed without any authentication: simply request a URL with the proper query arguments and you get a JSON object full of data. For some data, like published posts, this may or may not be a big deal.
For any website that has any reason to maintain a level of protection for its users, the default REST API is cause for concern because it makes public some of the data of your users. While this data may not be the most sensitive, we feel that no user data should be made available by default.
There are a lot of websites out there that do not need the REST API and would prefer to disable it. However, there is no built-in option to do that.
Below is a simple code snippet that effectively disables the WordPress REST API by returning an instance of WP_Error during the REST authentication check, so every request is refused before any endpoint runs. Place it in a custom plugin and activate the plugin like normal.
<?php
/*
 * Disable the WP REST API
 */
add_filter( 'rest_authentication_errors', 'ultimatewoo_disable_rest_api' );
function ultimatewoo_disable_rest_api( $access ) {
    // Returning a WP_Error from this filter short-circuits the request.
    // rest_authorization_required_code() gives 401 for anonymous requests and 403 for logged-in users.
    return new WP_Error( 'rest_disabled', __( 'The REST API on this site has been disabled.' ), array( 'status' => rest_authorization_required_code() ) );
}
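The snippet above refuses every request, including those from logged-in users. A finer-grained variant, added here as an example rather than the post's own code, uses the same rest_authentication_errors filter but keeps access for authenticated users and for an allow-list of route namespaces (the namespace list and the function names are assumptions for illustration); this is also the shape a site would want if it needs WooCommerce's own authenticated API to keep working.

```php
<?php
/*
 * Plugin Name: Restrict WP REST API (example)
 * Description: Added example, not part of the original post. Builds on the
 * rest_authentication_errors filter: anonymous requests are refused unless
 * they target an allow-listed namespace; logged-in users keep full access.
 */

// Namespaces that stay reachable without login. Assumed list; adjust per site.
function example_rest_public_namespaces() {
    return array( 'oembed/1.0' );
}

// Priority 99 so that errors raised by other authentication plugins win.
add_filter( 'rest_authentication_errors', 'example_restrict_rest_api', 99 );
function example_restrict_rest_api( $result ) {
    // Another filter already decided (WP_Error or explicit true): respect it.
    if ( null !== $result ) {
        return $result;
    }

    // Cookie+nonce or other authenticated requests are left untouched, so the
    // block editor and any key-based client that sets the current user still work.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Route requested by the client, as core reads it in rest_api_loaded().
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' )
        : '';

    foreach ( example_rest_public_namespaces() as $namespace ) {
        if ( $route === $namespace || 0 === strpos( $route, $namespace . '/' ) ) {
            return $result; // allow-listed namespace, let the request through
        }
    }

    // Everything else: refuse before the endpoint callback runs (401 for anonymous).
    return new WP_Error(
        'rest_disabled',
        __( 'The REST API on this site requires authentication.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
```

Verify the result by requesting /wp-json/wp/v2/users while logged out (expect a 401 JSON error) and then the same URL while logged in as an administrator (expect the user list).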
“Place it in a custom plugin and activate the plugin like normal.”
Could it go in a custom functions file?
Sure!
Thanks man, I wasn’t aware of the rest_authentication_errors filter, much easier and better method than what I was doing 😉
Terrific! Glad to hear it helped.
Thank you, I pasted it in my child theme's functions.php file and it worked perfectly.
Do you know if this will affect woocommerce if you turn off the REST API? This morning, found some evidence that somebody used the woocommerce REST API to create some fake orders. Highly disturbing…
The WooCommerce REST API can be enabled or disabled from the WooCommerce settings. It is also based on authentication, so the only way orders could be created like that is if someone had valid API keys. This link contains documentation related to the WooCommerce REST API.
https://docs.woocommerce.com/document/woocommerce-rest-api/