Disable the use of the REST API on your website to site users. Now with User Role support!
The most comprehensive plugin for controlling access to the WordPress REST API!
Works as a “set it and forget it” install. Just upload and activate, and the entire REST API will be inaccessible to your general site visitors.
But if you do need to grant access to some endpoints, you can do that too. Go to the Settings page and you can quickly whitelist individual endpoints (or entire branches of endpoints) in the REST API.
You can even do this on a per-user-role basis, so your unauthenticated users have one set of rules while WooCommerce customers have another while Subscribers and Editors and Admins all have their own. NOTE: Out of the box, all defined user roles will still be granted full access to the REST API until you choose to manage those settings.
For most versions of WordPress, this plugin will return an authentication error if a user is not allowed to access an endpoint. For legacy support, WordPress 4.4, 4.5, and 4.6 use the provided rest_enabled filter to disable the entire REST API.
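To show what the two mechanisms named above look like, here is an added example written for this page; it is not the plugin's own code. The rest_enabled and rest_jsonp_enabled filters (WordPress 4.4 to 4.6), the rest_authentication_errors filter and rest_authorization_required_code() (WordPress 4.7 and later) are WordPress core APIs; the error code string and message text are placeholders chosen for the example.

```php
<?php
/**
 * Plugin Name: REST API lockdown (example)
 * Description: Illustrates the legacy and the current way of blocking
 *              anonymous REST API access. Example code only.
 */

// WordPress 4.4 - 4.6: the rest_enabled filter switches the whole API off
// (the response is the JSON shown in the first screenshot). Disabling JSONP
// as well closes the same door for cross-origin <script> loads.
add_filter( 'rest_enabled', '__return_false' );
add_filter( 'rest_jsonp_enabled', '__return_false' );

// WordPress 4.7+: rest_enabled is deprecated and no longer blocks requests.
// The supported approach is to return a WP_Error from the
// rest_authentication_errors filter, which the API turns into a 401 for
// anonymous callers (403 for an authenticated user without permission).
add_filter( 'rest_authentication_errors', function ( $result ) {
    // A non-null $result means another authentication handler already
    // succeeded (true) or failed (WP_Error); never override that decision.
    if ( null !== $result ) {
        return $result;
    }

    // No cookie or application-password session: refuse the request.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_cannot_access',                         // placeholder code
            'Only authenticated users can access the REST API.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    // Logged-in user: leave the decision to the normal permission callbacks.
    return $result;
} );
```

The null check is the detail that matters in practice: rest_authentication_errors runs for every REST request, and returning an error unconditionally would also mask a genuine cookie-nonce failure that WordPress had already recorded. Verify the result the way the plugin's FAQ describes, by requesting /wp-json/ from a browser session that is not logged in and confirming that the error JSON comes back with a 401 status.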
Installation:
1. Upload the disable-json-api directory to the /wp-content/plugins/ directory via FTP, or upload the disable-json-api_v#.#.zip file to the ‘Plugins->Add New’ page in your WordPress admin area.

Screenshots:
1. The JSON returned by a website with the API disabled via filters (WP versions 4.4, 4.5, 4.6)
2. The JSON returned by a website with the API disabled via authentication methods (WP versions 4.7+)
3. The Settings page lets you selectively whitelist endpoints registered with the REST API, on a per-user-role basis.
While logged into WordPress as any user, the REST API will function as intended. Because of this, you must use a new browser – or Chrome’s incognito mode – to test your website with a clean session. Go to yourdomain.com/wp-json/ (or yourdomain.com/?rest_route=/ if you have pretty permalinks disabled) while NOT LOGGED IN to test the results. If the plugin is active, you will see an authentication error returned: “DRA: Only authenticated users can access the REST API.”
This plugin is ONLY meant to disable endpoints accessible via the core REST API that is part of WordPress itself. If a plugin or theme has implemented its own REST API (not to be confused with registering its own endpoints within the WordPress API), this plugin will have no effect.
Changelog:
- Added dra_error_message filter so devs can customize the access error message
- Added load_plugin_textdomain() for i18n
- Added dra_allow_rest_api filter to the is_logged_in() check, so developers can get more granular with permissions
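As an added example, and not code shipped with the plugin, here is a small mu-plugin that uses the two developer filters listed in the changelog. It assumes dra_error_message receives the current message string as its first argument and that dra_allow_rest_api receives the boolean result of the plugin's logged-in check, as the changelog entries describe; the edit_posts policy is an illustrative choice, not something the plugin prescribes.

```php
<?php
/**
 * Plugin Name: DRA granular access (example)
 * Description: Uses the dra_error_message and dra_allow_rest_api filters
 *              exposed by Disable REST API. Place in wp-content/mu-plugins/.
 */

// Replace the default access error text. Assumption: the filter passes the
// current message as $message and uses whatever string is returned.
add_filter( 'dra_error_message', function ( $message ) {
    return 'REST API access is restricted on this site.';
} );

// Tighten the access decision. Assumption: $allow holds the result of the
// plugin's is_user_logged_in() check; returning false makes the plugin deny
// the request with the error message above, returning true lets the plugin
// proceed as it normally would for an allowed user.
add_filter( 'dra_allow_rest_api', function ( $allow ) {
    // Keep every denial the plugin already issues (anonymous visitors).
    if ( ! $allow ) {
        return false;
    }

    // Illustrative policy: a logged-in account that cannot edit posts
    // (for example a plain Subscriber) gets the same answer as an anonymous
    // visitor, so a low-privilege registration alone does not open the API.
    return current_user_can( 'edit_posts' );
} );
```

Register the callbacks from a must-use plugin or the active theme's functions.php; either runs early enough, because the plugin only applies the filter when a REST request is authenticated. After deploying, repeat the plugin's own test from a logged-out session and also from a Subscriber session, and expect the customized message in both cases.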