
Disable REST API

Full REST API control. Per-role. Zero frontend footprint.

Block, restrict, or whitelist WordPress REST API endpoints per user role. Auto-discovers endpoints, smart defaults for CF7 and WooCommerce, import/export settings. Zero frontend footprint.

10+ installs
WP 6.4+
PHP 8.2+
Open Source

Features

What Disable REST API Does

Built for performance, designed for simplicity.

  • One-click disable — block all REST API access for unauthenticated users
  • Endpoint whitelist — auto-discovers all registered REST API endpoints
  • Collapsible namespace tree with Select All / Deselect All per namespace
  • Per-role access control — restrict specific roles with individual whitelists
  • Smart defaults — auto-detects CF7 and WooCommerce and whitelists their endpoints
  • Custom error message for blocked requests (configurable)
  • Zero frontend footprint — no CSS, JS, or HTTP requests on public pages
  • Admin assets load only on the plugin settings page
  • Single autoloaded database option — no extra queries on any request
  • Import/Export settings as JSON for multi-site deployment
  • Reset to defaults with confirmation dialog
  • Clean uninstall — removes all data including multisite cleanup
  • Uses rest_authentication_errors filter — blocked requests exit before endpoint logic
  • Translation-ready with .pot file included

Overview

Why Disable REST API?

By default, WordPress exposes a REST API to the public that can reveal usernames, post data, and site structure to anyone. MaxtDesign Disable REST API gives you complete control over who can access the API and which endpoints are available.

The plugin uses the rest_authentication_errors filter — the correct, modern WordPress approach — to intercept REST API requests early in the lifecycle, before any endpoint logic executes. Blocked requests have virtually zero performance impact. It auto-discovers all registered REST API endpoints and presents them in a collapsible namespace tree with per-namespace and per-route checkboxes.

Smart defaults detect Contact Form 7 and WooCommerce on activation and automatically whitelist their required endpoints. Per-role controls let you restrict specific user roles (subscriber, contributor, author) while keeping full access for administrators. Each restricted role gets its own endpoint whitelist.
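
The filter-based gate and per-role whitelists described above can be sketched as follows. This is an added example, not the plugin's own code: the `mdx_*` names, the sample allowlists, and the rule for users holding several roles are assumptions made for illustration.

```php
<?php
/**
 * Added example, not the plugin's code: allowlist-based REST gate on the
 * rest_authentication_errors filter. All mdx_* / MDX_* names and the sample
 * allowlists are hypothetical values constructed for illustration.
 */

// Constructed sample policy: route prefixes each audience may still reach.
const MDX_GUEST_ALLOW = array( '/contact-form-7/v1' );                       // unauthenticated visitors
const MDX_ROLE_ALLOW  = array( 'subscriber' => array( '/wp/v2/users/me' ) ); // restricted roles

/** True when $route equals an allowed prefix or sits below it on a "/" boundary.
 *  The comparison is exact-case, so a differently cased route is denied (fails closed). */
function mdx_route_allowed( string $route, array $prefixes ): bool {
	foreach ( $prefixes as $prefix ) {
		if ( $route === $prefix || str_starts_with( $route, $prefix . '/' ) ) {
			return true;
		}
	}
	return false;
}

add_filter( 'rest_authentication_errors', function ( $result ) {
	// Respect a decision already made by another authentication handler.
	if ( true === $result || is_wp_error( $result ) ) {
		return $result;
	}
	// Core keeps the requested route in this query var while serving REST requests.
	$route = '/' . trim( (string) ( $GLOBALS['wp']->query_vars['rest_route'] ?? '' ), '/' );

	if ( ! is_user_logged_in() ) {
		return mdx_route_allowed( $route, MDX_GUEST_ALLOW )
			? $result
			: new WP_Error( 'rest_disabled', 'REST API access is restricted.', array( 'status' => 401 ) );
	}
	// Assumption of this example: a user is restricted only when every role they
	// hold is listed; the request passes if any of those roles allowlists the route.
	$roles      = (array) wp_get_current_user()->roles;
	$restricted = array_intersect( $roles, array_keys( MDX_ROLE_ALLOW ) );
	if ( $roles && count( $restricted ) === count( $roles ) ) {
		foreach ( $restricted as $role ) {
			if ( mdx_route_allowed( $route, MDX_ROLE_ALLOW[ $role ] ) ) {
				return $result;
			}
		}
		return new WP_Error( 'rest_forbidden', 'REST API access is restricted.', array( 'status' => 403 ) );
	}
	return $result; // administrators and other unlisted roles keep full access
} );
```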

Zero frontend footprint means no CSS, no JavaScript, and no HTTP requests are added to your public-facing pages. Admin assets load only on the plugin's own settings page. A single autoloaded database option means no extra queries. Settings can be exported as JSON and imported on other sites.

Requirements

  • WordPress 6.4 or higher
  • PHP 8.2 or higher

FAQ

Common Questions

Can't find what you're looking for? Check the documentation or ask on the support forum.

Changelog

What's New

v1.0.0 2025-04-10
  • Initial release
  • Global REST API toggle for unauthenticated users
  • Auto-discovery of all registered REST API endpoints
  • Endpoint whitelisting with collapsible namespace tree
  • Per-role REST API access controls with individual whitelists
  • Smart defaults for Contact Form 7 and WooCommerce
  • Custom error message configuration
  • Settings import/export as JSON
  • Reset to defaults with confirmation
  • Clean uninstall with multisite support

Documentation & Support

Step-by-step guides, configuration help, and community support through WordPress.org.

Open Source on GitHub

View the source, report bugs, or contribute. This plugin is free and open source under the GPL.
