Disable WordPress REST API


Since version 4.4 WordPress has a REST API.

That means the content of the wordpress page can be accessed directly. This feature is usefull if you need the content of your database in third party applications.

I advice everybody who is not actively using the wordpress REST API (or planning on using it) to disable it. It’s one securityrisk less to worry about.


add_filter('json_enabled', '__return_false'); 
add_filter('json_jsonp_enabled', '__return_false');

Just add these two lines of code to your functions.php and the API is disabled. If you are unsure on how to edit the functions.php or don’t feel comofortible editing your theme you can install this plugin to do the same: https://wordpress.org/plugins/disable-json-api/

What can be done with the wordpress REST API?

As long as everything is correctly programmed the API should not pose a security risk. But better be safe than sorry.

One thing the REST API could be used for, is to post comments to your blog.

By appending these get-Parameters to a URL, you would post a comment to a wordpress blog post.

/wp-json/wp/v2/comments?author=Author%20Slug&[email protected]&author_name=Author%20Name&content=Write%20A%20Comment&post=Id%20of%20Post

By disabling the API you might reduce Spam.


Please enter your comment!
Please enter your name here