Quickly Disable the WordPress  API

Simple, effective way to disable the WordPress REST API if you're not using it.

WordPress comes pre-packaged with a robust REST API that’s great for certain use cases, but it also poses some security risks and concerns. If I’m you’re not using the REST API actively, it may be best to disable it. There is a plugin that will do this for you called Disable REST API, but it’s very bloated.

If all you want to do is disable the build-in WordPress REST API and all associated requests located under /wp-json, you can do this with the following function:

/**
 * Disable JSON API
 *
 * We don't need it, so let's remove it.
 */
function kl_kill_wp_json_api() {
    $request_uri = esc_attr( $_SERVER['REQUEST_URI'] );

    if ( substr( $request_uri, 0, 8 ) === '/wp-json' )
        wp_die( 'The WP REST API is not available on this site.' );
}
add_action( 'init', 'kl_kill_wp_json_api', 99 );

Installing a plugin for anything and everything can quickly lead to a slow, difficult to maintain WordPress website. Whenever possible I highly recommend using minimal, simple approaches inside of a single functionality plugin.

Meet the Author

Kevin Leary, WordPress Consultant

I'm a freelance web developer and WordPress consultant in Boston, MA with 17 years of experience building websites and applications. View a portfolio of my work or request an estimate for your next project.