The WordPress REST API is a feature rolled out in WordPress 4.4 and greatly expanded in WordPress 4.7. This latest update to WordPress introduces two primary concerns for iThemes Security users, so we’ve added a way to disable the WordPress REST API using the iThemes Security plugin.
- First, the REST API authentication can bypass authentication improvements such as two-factor authentication and reCAPTCHA.
- Second, it provides access to some data without requiring any authentication.
Of these two concerns, the first is by far the most important. New features to protect against these concerns while still allowing the REST API to function as designed are in active development. The plan is to release these updated features by Thursday, December 15th.
A temporary solution to these concerns was released in iThemes Security 5.9.0 and iThemes Security 3.3.0. The temporary solution is a feature to disable the WordPress REST API.
This is not an ideal solution as this will disable embedding of posts and quick editing and Quick Draft features; however, this is meant as a temporary stop-gap while we finish up a more robust set of features for iThemes Security.
If you have questions, you can always hit the iThemes Help Desk.
How to Disable the WordPress REST API
You can easily disable the WordPress REST API using the iThemes Security plugin in just a few clicks.
- 1. Download and install the iThemes Security plugin. You can grab the free version of iThemes Security here. Make sure you’re running iThemes Security 5.9 or iThemes Security Pro 3.3+.
- 2. From the WordPress dashboard, visit the iThemes Security Settings page.
- 3. Scroll to the WordPress Tweaks section. Click “Configure Settings.”
- 4. In WordPress Tweaks, scroll to the REST API section. Here you’ll find the option to Disable REST API in the drop-down menu.
The follow settings control how the REST API feature operates. Here’s a brief explanation of the REST API Settings available:
Disable REST API – The REST API is disabled on the site. This is the recommended setting for now as it ensures that the REST API cannot bypass any authentication improvements.
Require Admin Privileges – The REST API can only be used by logged in users with admin-level privileges. This allows privileged users to test and develop with the REST API without allowing anonymous access to the data.
Enable REST API – The REST API is fully enabled and will function as normal. Use this setting only if the site makes use of the REST API.
- 5. Click the “Save Settings” button.
Success! Now you’ve disabled the REST API on your WordPress site.
The iThemes Security plugin also provides a way to disable XML-RPC and activate XML-RPC Brute Force Protection. WordPress’ XML-RPC feature allows external services to access and modify content on the site. (Common example of services that make use of XML-RPC are the Jetpack plugin, the WordPress mobile app, and pingbacks.)
If your WordPress site does not use a service that requires XML-RPC, select the “Disable XML-RPC” setting as disabling XML-RPC prevents attackers from using the feature to attack the site. You’ll find this feature located right about the Disable REST API feature in the WordPress Tweaks section of the iThemes Security plugin.
Secure Your WordPress Site with iThemes Security Now
Using a WordPress security plugin such as iThemes Security Pro is a great way to add an extra layer of protection to your WordPress site. Get WordPress two-factor authentication, WordPress malware scan and more with iThemes Security Pro.