Disable REST API
Full REST API control. Per-role. Zero frontend footprint.
Block, restrict, or whitelist WordPress REST API endpoints per user role. Auto-discovers endpoints, smart defaults for CF7 and WooCommerce, import/export settings. Zero frontend footprint.

Features
What Disable REST API Does
Built for performance, designed for simplicity.
Overview
Why Disable REST API?
By default, WordPress exposes a REST API to the public that can reveal usernames, post data, and site structure to anyone. MaxtDesign Disable REST API gives you complete control over who can access the API and which endpoints are available.
The plugin uses the rest_authentication_errors filter — the correct, modern WordPress approach — to intercept REST API requests early in the lifecycle, before any endpoint logic executes. Blocked requests have virtually zero performance impact. It auto-discovers all registered REST API endpoints and presents them in a collapsible namespace tree with per-namespace and per-route checkboxes.
Smart defaults detect Contact Form 7 and WooCommerce on activation and automatically whitelist their required endpoints. Per-role controls let you restrict specific user roles (subscriber, contributor, author) while keeping full access for administrators. Each restricted role gets its own endpoint whitelist.
Zero frontend footprint means no CSS, no JavaScript, and no HTTP requests are added to your public-facing pages. Admin assets load only on the plugin's own settings page. A single autoloaded database option means no extra queries. Settings can be exported as JSON and imported on other sites.
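As an added illustration of the rest_authentication_errors pattern described above (example code, not the plugin's own), the must-use plugin below applies a default-deny policy for logged-out callers and lets through only a constructed allow-list of route prefixes; it also treats the root index (/wp-json/) as an ordinary route rather than special-casing it, which is the fail-open case the changelog's critical fix describes. The filter name and WP_Error shape are WordPress core; the allow-list contents, function names, error code and text domain are assumptions.

```php
<?php
/**
 * Added example, not the plugin's own code: a minimal must-use plugin that
 * applies the rest_authentication_errors pattern with a default-deny policy.
 * The allow-list, function names, error code and text domain are assumptions.
 */

// Constructed allow-list: route prefixes (no leading slash) that
// unauthenticated callers may still reach.
const EXAMPLE_REST_PUBLIC_PREFIXES = [
    'contact-form-7/v1/',
];

/**
 * Current REST route relative to the API prefix, e.g. "wp/v2/users".
 * Core stores it in the rest_route query var; for the root index
 * (/wp-json/) the value is "/", which becomes "" after trimming.
 */
function example_rest_current_route(): string {
    $raw = $GLOBALS['wp']->query_vars['rest_route'] ?? '';
    return ltrim( (string) $raw, '/' );
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier filter already produced a decision; keep it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // Logged-in users keep full access in this example. Return $result
    // (null) rather than true when allowing, because true would
    // short-circuit core's own cookie/nonce check that runs later.
    if ( is_user_logged_in() ) {
        return $result;
    }
    $route = example_rest_current_route();
    // Default deny: only an explicit prefix match lets the request through.
    // An empty route (the root index) matches nothing, so it is blocked
    // instead of falling open on an unexpected lookup result.
    foreach ( EXAMPLE_REST_PUBLIC_PREFIXES as $prefix ) {
        if ( $route !== '' && str_starts_with( $route, $prefix ) ) {
            return $result;
        }
    }
    return new WP_Error(
        'example_rest_disabled',
        __( 'REST API access is restricted on this site.', 'example-rest' ),
        [ 'status' => 401 ]
    );
} );
```

Drop the file into wp-content/mu-plugins/ to test it; a logged-out request to /wp-json/ or /wp-json/wp/v2/users should then return the 401 JSON error while the whitelisted namespace still responds.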
Requirements
- WordPress 6.4 or higher
- PHP 8.2 or higher
FAQ
Frequently Asked Questions
Can't find what you're looking for? Check the documentation or open an issue on GitHub.
Changelog
What's New
- CRITICAL FIX: the REST API root index (/wp-json/) is now blocked when "Disable REST API for unauthenticated users" is on. Previously, the controller's route-lookup returned an empty string for the root index and the code took an early fail-open branch — meaning the most-scraped discovery URL was always exposed even when the plugin was active. Logged-out visitors and unauthenticated scrapers now hit the configured error response on /wp-json/ like any other endpoint
- WordPress 7.0 "Armstrong" compatibility confirmed
- Hardening: import-settings now validates uploads with is_uploaded_file() and reads the temp file directly instead of mis-sanitising the server-generated path
- Hardening: activation hook defensively loads wp-admin/includes/plugin.php before calling is_plugin_active() so WP-CLI and multisite bulk-activate paths can't fatal
- Fix: the "this plugin requires REST API access" compatibility notice no longer fires for plugins whose namespaces aren't actually registered on the site (e.g. WooCommerce installed but Store API blocks not loaded)
- Initial release
- Global REST API toggle for unauthenticated users
- Auto-discovery of all registered REST API endpoints
- Endpoint whitelisting with collapsible namespace tree
- Per-role REST API access controls with individual whitelists
- Smart defaults for Contact Form 7 and WooCommerce
- Custom error message configuration
- Settings import/export as JSON
- Reset to defaults with confirmation
- Clean uninstall with multisite support
Documentation & Support
Step-by-step guides, configuration help, and issue tracking on GitHub.
Open Source on GitHub
View the source, report bugs, or contribute. This plugin is free and open source under the GPL.
Need Something Custom?
We build custom WordPress plugins tailored to your exact requirements.