WordPress version 4.4 and onwards include REST API infrastructure in the core.
What does this mean for your website’s security? How to disable WP API JSON in WordPress? Read on to find out.
What is the REST API?
REST is short for Representational State Transfer. It is a standard client-server protocol that makes your website available as a web service. This means, that other applications or websites can retrieve information available on your website without a browser to access the website.
To retrieve information from a target website you just need to send a specific HTTP GET request. This request is understood by REST and executed.
The REST architecture uses multiple formats such as plain text, HTML, JSON, XML, YAML, etc to deliver requested data.
Let’s discuss the security risk and how you can disable WP API JSON.
Security Risks Posed by WP API JSON
1. Website User Data Disclosure
See the picture below.
On sending an HTTP GET request wptesting.com/wp-json/wp/v2/users, we get the list of all the users on the website. Notice that the REST renders the ID number, name, URL, description, link, slug, avatar_urls, meta, and more.
The name says, “Example” because we modified the information just to give you an example. As you can see, an enabled REST API gives away all user information except maybe the password and username. This could lead to a serious privacy breach issue if exploited.
2. Web Content Subjected to Scraping/Plagiarism
REST API can get you a list of all the posts saved on a website. You just have to pass a calculated request. See the following example.
From posts, pages, categories, tags, comments to taxonomies, media, users, settings, and more; REST could make everything available to anyone.
The information retrieved is already publicly available but the REST API parses it in such a way that it is easy for other automated forms to read it.
How to Disable WP API JSON?
Before you disable WP API JSON, make sure none of your plugins are using REST API.
Disable WP API with WP Hardening Plugin
With Astra’s free WP Hardening Plugin you can disable WP REST API with a single click. This is how:
- Install WP Hardening Plugin and activate it.
- Go to the ‘Security Fixers‘ tab.
- Toggle the key next to ‘Disable WP API JSON‘
- That’s all, you are done 🙂
Yes, disabling WP JSON is that easy with this plugin. You can also secure 12 other areas of your WordPress website with just a click. This plugin is a time-efficient tool and is perfect for people from a non-tech background.
Disable WP API Manually
This method is suggested for an only experienced coder who understands the implications of the changes and will be able to reverse the changes if required.
Add this code to your theme’s functions.php file or in a site-specific plugin:
add_filter('json_enabled', '__return_false');
add_filter('json_jsonp_enabled', '__return_false');
Note: This works only on WordPress versions less than 4.7.
Have any questions to ask? Comment below and we promise to reply 🙂
Aakanchha Keshri
Hey Aakanchha,
Thanks for the info! What if we didn’t want to disable the API categorically, but get the info on lockdown in a way that’s still useful to us but not available to unauthorized connections?