WordPress: Disable REST API – Restrict Access

According to the official WordPress recommendations, you should not disable the WordPress REST API entirely, because this breaks parts of the WordPress admin.

For example, the WordPress Block Editor talks to the REST API for everything it does; if the API is disabled, you can no longer publish or update posts.

However, you can use a filter to require that every API consumer be authenticated, which effectively removes anonymous (external) access while leaving the API available to logged-in users and the editor. This addresses the usual concern with the public API, such as anonymous listing of user accounts through /wp-json/wp/v2/users, which attackers use to collect login names for password-guessing attacks.

Restrict Access to WordPress REST API

To disable the WordPress REST API for anonymous users, you can require authentication for all REST API requests by hooking the rest_authentication_errors filter in a child theme’s functions.php file and returning an error whenever is_user_logged_in() is false.

To edit this file, you can log in to your WordPress “Dashboard”, hover over “Appearance” in the left sidebar and click “Theme Editor”.

Then, on the right, under “Theme Files”, select “Theme Functions (functions.php)”.

This opens the functions.php code editor. Note that many hardened installations disable this editor with the DISALLOW_FILE_EDIT constant, and that a PHP syntax error saved through it takes the whole site down with no way to fix it from the dashboard, so keep a backup of the file and prefer the file-based route below where you can.

Alternatively, you can access the functions.php file over SFTP/FTP or SSH at this path, relative to the WordPress installation directory:

/wp-content/themes/<child_theme>/functions.php

To restrict access to the WordPress REST API, copy/paste the code below into your WordPress child theme’s functions.php file, after the opening <?php tag that the file already has (do not add a second <?php tag, and do not add a closing ?> tag at the end of the file, as trailing output after it causes “headers already sent” errors):

    add_filter( 'rest_authentication_errors', function( $result ) {
        // If a previous authentication check was applied (true, or a
        // WP_Error), pass that result along without modification.
        if ( true === $result || is_wp_error( $result ) ) {
            return $result;
        }

        // No authentication has been performed yet.
        // Return a 401 error if the user is not logged in.
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_not_logged_in',
                __( 'You are not currently logged in.' ),
                array( 'status' => 401 )
            );
        }

        // Our custom authentication check has no effect on
        // logged-in requests; the endpoint's own permission
        // callback still decides what the user may do.
        return $result;
    } );

Keep in mind what this does and does not restrict: any logged-in account, including a Subscriber, and any client that authenticates with an Application Password can still reach every endpoint, subject to each endpoint’s own capability checks. Only unauthenticated requests are refused. Front-end features that call the REST API on behalf of anonymous visitors (some contact-form and search plugins, headless front ends, oEmbed discovery) will stop working, so test the public site after saving.
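Blocking the whole API is often too coarse: a public site may need anonymous read access to posts or pages while still refusing everything else, above all the users endpoint. The following is an added example, not code from the original page or from WordPress itself, that generalises the snippet above into a route allow-list. It uses the rest_pre_dispatch filter instead of rest_authentication_errors, because at dispatch time WordPress has already resolved the route and the effective HTTP method (including the _method query parameter and X-HTTP-Method-Override header it honours) and has already applied its own cookie/nonce check, so is_user_logged_in() means what WordPress itself means by it. The route patterns and the example_ function names are assumptions for illustration; adjust the list to what your front end actually needs. Install it instead of, not in addition to, the snippet above, since the earlier filter would reject anonymous requests before this one runs.

```php
<?php
/**
 * Added example (not part of the original page): allow anonymous, read-only
 * access to an allow-list of REST routes and require a logged-in user for
 * everything else. Goes in a child theme's functions.php or a must-use plugin.
 */

/**
 * Route patterns anonymous visitors may read. Regular expressions without
 * delimiters, matched against the route path such as "/wp/v2/posts/12".
 * This list is an assumption for the example; tailor it to your site.
 */
function example_rest_anonymous_allowlist() {
    return array(
        '^/wp/v2/posts(/\d+)?$',   // post listing and single posts
        '^/wp/v2/pages(/\d+)?$',   // page listing and single pages
        '^/wp/v2/media(/\d+)?$',   // attachment metadata used by the theme
        '^/oembed/1\.0/embed$',    // lets other sites embed your posts
    );
}

/**
 * Decide whether an anonymous request for $route with HTTP $method may pass.
 * Kept free of WordPress calls so the policy can be tested in isolation.
 */
function example_rest_anonymous_allowed( $route, $method ) {
    // Normalise to a leading slash and no trailing slash.
    $route = '/' . trim( (string) $route, '/' );

    // Anonymous traffic is read-only; any write needs a logged-in user.
    if ( ! in_array( strtoupper( (string) $method ), array( 'GET', 'HEAD' ), true ) ) {
        return false;
    }

    // User data is never exposed to anonymous callers, whatever the list says.
    if ( preg_match( '#^/wp/v2/users#', $route ) ) {
        return false;
    }

    foreach ( example_rest_anonymous_allowlist() as $pattern ) {
        if ( preg_match( '#' . $pattern . '#', $route ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already produced a response; leave it alone.
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Logged-in users keep full access; each endpoint's own permission
    // callback still enforces capabilities.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // get_route() is the resolved route; get_method() already reflects any
    // _method / X-HTTP-Method-Override override WordPress applied.
    if ( example_rest_anonymous_allowed( $request->get_route(), $request->get_method() ) ) {
        return $result;
    }

    // Same error shape as the page's snippet, so clients see a 401 JSON body.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You are not currently logged in.' ),
        array( 'status' => 401 )
    );
}, 10, 3 );
```

With this in place an anonymous GET to /wp-json/wp/v2/posts is served, an anonymous GET to /wp-json/wp/v2/users or to /wp-json/ itself returns the rest_not_logged_in error, and an anonymous POST to any route is refused before the endpoint is reached. Because the users check runs before the allow-list, even a loose pattern such as ^/wp/v2/ would not reopen user enumeration. The rule function takes only the route and method, so it can be exercised with plain PHP in a test without a running WordPress.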

After saving this code to the functions.php file, the anonymous users should see the following error if they try to consume the REST API of your WordPress website:

{
   "code":"rest_not_logged_in",
   "message":"You are not currently logged in.",
   "data":{"status":401}
}

To check this yourself, open the following URL in an incognito/private window of your web browser: https://<your-website>/wp-json/. From the command line, curl -i https://<your-website>/wp-json/ should return an HTTP 401 status together with the JSON body above. Then log in to the dashboard and confirm that the Block Editor can still save and publish a post, which proves that authenticated (nonce-carrying) requests are unaffected.
