Knowledge Base

How to Disable WP JSON API in WordPress?

Updated on: March 29, 2020

How to Disable WP JSON API in WordPress?

WordPress version 4.4 and onwards include REST API infrastructure in the core.

What does this mean for your website’s security? How to disable WP API JSON in WordPress? Read on to find out.

What is the REST API?

REST is short for Representational State Transfer. It is a standard client-server protocol that makes your website available as a web service. This means, that other applications or websites can retrieve information available on your website without a browser to access the website.

To retrieve information from a target website you just need to send a specific HTTP GET request. This request is understood by REST and executed.

The REST architecture uses multiple formats such as plain text, HTML, JSON, XML, YAML, etc to deliver requested data.

Let’s discuss the security risk and how you can disable WP API JSON.

Security Risks Posed by WP API JSON

1. Website User Data Disclosure

See the picture below.

On sending an HTTP GET request, we get the list of all the users on the website. Notice that the REST renders the ID number, name, URL, description, link, slug, avatar_urls, meta, and more.

The name says, “Example” because we modified the information just to give you an example. As you can see, an enabled REST API gives away all user information except maybe the password and username. This could lead to a serious privacy breach issue if exploited.

2. Web Content Subjected to Scraping/Plagiarism

REST API can get you a list of all the posts saved on a website. You just have to pass a calculated request. See the following example.

From posts, pages, categories, tags, comments to taxonomies, media, users, settings, and more; REST could make everything available to anyone.

The information retrieved is already publicly available but the REST API parses it in such a way that it is easy for other automated forms to read it.

How to Disable WP API JSON?

Before you disable WP API JSON, make sure none of your plugins are using REST API.

Disable WP API with WP Hardening Plugin

With Astra’s free WP Hardening Plugin you can disable WP REST API with a single click. This is how:

  1. Install WP Hardening Plugin and activate it.
  2. Go to the ‘Security Fixers‘ tab.
  3. Toggle the key next to ‘Disable WP API JSON
  4. That’s all, you are done 🙂

Yes, disabling WP JSON is that easy with this plugin. You can also secure 12 other areas of your WordPress website with just a click. This plugin is a time-efficient tool and is perfect for people from a non-tech background.

Disable WP API Manually

This method is suggested for an only experienced coder who understands the implications of the changes and will be able to reverse the changes if required.

Add this code to your theme’s functions.php file or in a site-specific plugin:

add_filter('json_enabled', '__return_false');
add_filter('json_jsonp_enabled', '__return_false');

Note: This works only on WordPress versions less than 4.7.

Have any questions to ask? Comment below and we promise to reply 🙂

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
2 years ago

Hey Aakanchha,

Thanks for the info! What if we didn’t want to disable the API categorically, but get the info on lockdown in a way that’s still useful to us but not available to unauthorized connections?

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany