WordPress comes pre-packaged with a robust REST API that’s great for certain use cases, but it also poses some security risks and concerns. If you’re not actively using the REST API, it may be best to disable it. There is a plugin that will do this for you called Disable REST API, but it’s very bloated.

If all you want to do is disable the built-in WordPress REST API and all associated requests located under /wp-json, you can do this with the following function:

/**
 * Disable JSON API
 * We don't need it, so let's remove it.
 */
function kl_kill_wp_json_api() {
    // Escape the requested path before inspecting it.
    $request_uri = esc_attr( $_SERVER['REQUEST_URI'] );

    // Stop any request whose path begins with /wp-json.
    if ( substr( $request_uri, 0, 8 ) === '/wp-json' ) {
        wp_die( 'The WP REST API is not available on this site.' );
    }
}
add_action( 'init', 'kl_kill_wp_json_api', 99 );
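
The prefix check above only matches requests whose path starts with /wp-json; WordPress also routes REST requests through the rest_route query parameter, and a site installed in a subdirectory has a different path prefix. As an added example (not the author's code), the same block can be enforced inside the REST server with the rest_authentication_errors filter; the function name, the error code and the exception for logged-in editors are assumptions.

```php
<?php
/**
 * Added example: refuse REST requests from inside the REST server itself,
 * so /wp-json/..., ?rest_route=/... and subdirectory installs are all covered.
 *
 * kl_block_rest_api() and the 'rest_disabled' error code are hypothetical names.
 */
function kl_block_rest_api( $result ) {
    // Keep an error that an earlier authentication callback already returned.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Assumption: logged-in editors still need the API, because the block
    // editor in wp-admin talks to it. Remove this branch to block everyone.
    if ( is_user_logged_in() && current_user_can( 'edit_posts' ) ) {
        return $result;
    }

    // Everyone else gets a REST-formatted error (401 or 403) instead of data.
    return new WP_Error(
        'rest_disabled',
        'The WP REST API is not available on this site.',
        array( 'status' => rest_authorization_required_code() )
    );
}
// Priority 200 runs after core's cookie nonce check (priority 100), so
// is_user_logged_in() reflects a request that passed that check.
add_filter( 'rest_authentication_errors', 'kl_block_rest_api', 200 );
```

After adding it, requesting both /wp-json/wp/v2/users and /?rest_route=/wp/v2/users while logged out should return the JSON error rather than a user list.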

Installing a plugin for anything and everything can quickly lead to a slow, difficult-to-maintain WordPress website. Whenever possible, I highly recommend using minimal, simple approaches inside of a single functionality plugin.

About the Author

Kevin Leary is a freelance developer in Boston, MA with a strong portfolio of work, and over 13 years of experience as a programming consultant and digital strategy provider.