How To Disable the WordPress REST API

Written by Cory Miller on December 9, 2016

Last Updated on December 22, 2016

UPDATE: We’ve shared new information about the REST API and iThemes Security here.

***

The WordPress REST API is a feature rolled out in WordPress 4.4 and greatly expanded in WordPress 4.7. This latest update to WordPress introduces two primary concerns for iThemes Security users, so we’ve added a way to disable the WordPress REST API using the iThemes Security plugin.

  • First, authenticating through the REST API can bypass authentication improvements such as two-factor authentication and reCAPTCHA.
  • Second, it provides access to some data without requiring any authentication.

Of these two concerns, the first is by far the more important. New features that protect against these concerns while still allowing the REST API to function as designed are in active development. The plan is to release these updated features by Thursday, December 15th.

A temporary solution to these concerns was released in iThemes Security 5.9.0 and iThemes Security Pro 3.3.0. The temporary solution is a feature to disable the WordPress REST API.

This is not an ideal solution, as it will disable embedding of posts as well as the Quick Edit and Quick Draft features; however, it is meant as a temporary stop-gap while we finish a more robust set of features for iThemes Security.

If you have questions, you can always hit the iThemes Help Desk.

How to Disable the WordPress REST API

You can easily disable the WordPress REST API using the iThemes Security plugin in just a few clicks.

1. Download and install the iThemes Security plugin. You can grab the free version of iThemes Security here. Make sure you’re running iThemes Security 5.9+ or iThemes Security Pro 3.3+.
2. From the WordPress dashboard, visit the iThemes Security Settings page.
3. Scroll to the WordPress Tweaks section. Click “Configure Settings.”

(Screenshot: the WordPress Tweaks section of the iThemes Security settings)

4. In WordPress Tweaks, scroll to the REST API section. Here you’ll find the option to Disable REST API in the drop-down menu.

(Screenshot: the REST API drop-down in WordPress Tweaks)

The following settings control how the REST API feature operates. Here’s a brief explanation of the REST API settings available:

Disable REST API – The REST API is disabled on the site. This is the recommended setting for now as it ensures that the REST API cannot bypass any authentication improvements.

Require Admin Privileges – The REST API can only be used by logged in users with admin-level privileges. This allows privileged users to test and develop with the REST API without allowing anonymous access to the data.

Enable REST API – The REST API is fully enabled and will function as normal. Use this setting only if the site makes use of the REST API.

5. Click the “Save Settings” button.

Success! Now you’ve disabled the REST API on your WordPress site.
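To make the three settings concrete, here is an added example (not iThemes Security’s own code) of how the same three modes can be enforced in a must-use plugin using WordPress’s `rest_authentication_errors` filter; the constant name `EXAMPLE_REST_API_MODE` and the function names are assumptions for this example.

```php
<?php
/**
 * Plugin Name: REST API Access Mode (added example, not iThemes Security's code)
 *
 * Drop into wp-content/mu-plugins/. Implements the three REST API settings the
 * post describes on top of WordPress's rest_authentication_errors filter.
 * EXAMPLE_REST_API_MODE is an assumed constant: 'disable', 'require_admin' or 'enable'.
 */

if ( ! defined( 'EXAMPLE_REST_API_MODE' ) ) {
	define( 'EXAMPLE_REST_API_MODE', 'disable' );
}

/**
 * Gate every REST request according to the configured mode.
 *
 * Hooked at priority 101, i.e. after core's rest_cookie_check_errors (100), so a
 * request that carries a login cookie but no valid nonce has already been demoted
 * to anonymous before we ask who the current user is.
 *
 * @param WP_Error|null|true $result Result from earlier authentication callbacks.
 * @return WP_Error|null|true
 */
function example_rest_api_mode_gate( $result ) {
	// Keep any error raised earlier (e.g. an invalid cookie nonce).
	if ( is_wp_error( $result ) ) {
		return $result;
	}

	switch ( EXAMPLE_REST_API_MODE ) {
		case 'disable':
			// Refuse all REST requests. As the post notes, this also breaks
			// admin features built on the API (Quick Draft, embedding of posts).
			return new WP_Error( 'rest_disabled', 'The REST API is disabled on this site.', array( 'status' => 403 ) );

		case 'require_admin':
			// 401 tells a client that credentials are needed; 403 that they are insufficient.
			if ( ! is_user_logged_in() ) {
				return new WP_Error( 'rest_not_logged_in', 'Login required.', array( 'status' => 401 ) );
			}
			if ( ! current_user_can( 'manage_options' ) ) {
				return new WP_Error( 'rest_forbidden', 'Admin privileges required.', array( 'status' => 403 ) );
			}
			return $result;

		default: // 'enable': leave core behaviour untouched.
			return $result;
	}
}
add_filter( 'rest_authentication_errors', 'example_rest_api_mode_gate', 101 );
```

The `require_admin` branch still lets an administrator’s cookie session (with a valid nonce) through, which is exactly the bypass of two-factor and reCAPTCHA that the post is worried about; it only removes anonymous access.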

Disabling XML-RPC

The iThemes Security plugin also provides a way to disable XML-RPC and activate XML-RPC Brute Force Protection. WordPress’ XML-RPC feature allows external services to access and modify content on the site. Common examples of services that use XML-RPC are the Jetpack plugin, the WordPress mobile app, and pingbacks.

If your WordPress site does not use a service that requires XML-RPC, select the “Disable XML-RPC” setting, as disabling XML-RPC prevents attackers from using the feature to attack the site. You’ll find this feature located right above the Disable REST API feature in the WordPress Tweaks section of the iThemes Security plugin.
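As an added illustration (again not iThemes Security’s code), this must-use plugin shows the pieces a “Disable XML-RPC” setting has to cover using WordPress’s own filters; the function names are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example, not iThemes Security's code)
 *
 * Drop into wp-content/mu-plugins/. Shows the three pieces a "Disable XML-RPC"
 * setting has to cover; the xmlrpc_enabled filter alone is not enough.
 */

// 1. Turn off the authenticated methods (wp.*, blogger.*, metaWeblog.*, ...).
//    Every login through xmlrpc.php then fails, which is what blocks
//    credential guessing against the endpoint. Pingback methods need no
//    login, so this filter does not affect them.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Unregister the anonymous methods as well. system.multicall batches many
//    calls into one HTTP request, so it is removed too; otherwise per-request
//    rate limits undercount what the endpoint is actually doing.
function example_remove_anonymous_xmlrpc_methods( $methods ) {
	unset(
		$methods['pingback.ping'],
		$methods['pingback.extensions.getPingbacks'],
		$methods['system.multicall']
	);
	return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_anonymous_xmlrpc_methods' );

// 3. Stop advertising xmlrpc.php in the X-Pingback response header that
//    WordPress adds to single posts with pings open.
function example_remove_x_pingback_header( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
}
add_filter( 'wp_headers', 'example_remove_x_pingback_header' );
```

After activating it, a POST of an XML-RPC login to `/xmlrpc.php` should return the “XML-RPC services are disabled on this site” fault, and a `pingback.ping` call should report the method as not found.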

Secure Your WordPress Site with iThemes Security Now

Using a WordPress security plugin such as iThemes Security Pro is a great way to add an extra layer of protection to your WordPress site. Get WordPress two-factor authentication, WordPress malware scan and more with iThemes Security Pro.

Get iThemes Security Pro

Cory Miller

Founder of iThemes.com

Comments

  1. Alain Schlesser says:
    December 9, 2016 at 10:23 am

    Hey Cory,

    I generally agree that you should disable anything you don’t need on a server.

    In this case, however, you need to be aware that one of the consumers of the WP REST API is the site’s admin backend. Some components already use the WP REST API as of 4.7 (Quick Draft, Press This), and more will follow. That’s the reason why the switch to easily disable the API has been removed: https://core.trac.wordpress.org/ticket/38446

    So, although there are still options to make the WP REST API unusable for external requests, disabling it entirely is not amongst them, as it will just break site functionality (more and more with each coming update).

    Cheers,
    Alain

    • Chris Jean says:
      December 12, 2016 at 2:04 pm

      Hi Alain. I’m the main dev behind iThemes Security. I went through and updated the post to better reflect the current situation. This feature is a temporary solution that prevents side-stepping important authentication improvements, giving us enough time to create a better solution.

      I have three primary goals with the features I’m working on right now:

      • Ensure that the REST API cannot be used as a method of side-stepping security choices made by users.
      • Give the user control over how the REST API functions on their site.
      • Give the user knowledge on how the REST API is being used on their site.
  2. Edwin Cromley says:
    December 9, 2016 at 6:13 pm

    Hello iThemes team,

    It is great to see that you hold your users’ security as a top priority. I think this article is important and informative. However, I do have a suggestion on what should be the recommended option for your customers. Instead of “Disable REST API” being the recommended option, I would encourage you to change the recommended option to “Require Admin Privileges”, with some sort of brute force protection in place.

    More and more features of WordPress will be using the WP REST API, and simply disabling it will leave a lot of iThemes customers out on the improvements made to their WordPress site. The WP REST API enables more seamless user experiences that I believe iThemes customers will want to partake in. It is not only plugins that will use the API but WordPress core is slated to rely on it more heavily.

    I think it is important to offer the option to completely disable the REST API, but it should come with a warning of the consequences, not a recommendation for users, as it could potentially break certain functionality of their site.

    The API was designed with security as a major priority and by default it only exposes information that is already publicly available through a WordPress site.

    iThemes does great work, and I look forward to seeing how iThemes handles security regarding the new WP REST API.

    • Chris Jean says:
      December 12, 2016 at 2:17 pm

      Hi Edwin. Much of my reply above to Alain applies here as well.

      I strongly considered making the Require Admin Privileges setting the recommended setting; however, that would still open up those accounts to having two-factor, reCAPTCHA, and other authentication protections bypassed. So, I decided that the disable setting was the only one I could recommend using for now.
