NameHero Blog
Web Hosting Tips & Resources From NameHero
Disable JSON REST Entirely on WordPress!

Bhagwad Park

Published on: April 19, 2021

Categories: Website Security

It’s been a cat-and-mouse game for me over the past few months, dealing with the REST API requests made to my WordPress site. The overwhelming majority of these requests are not benign. They’re hackers scanning for weaknesses. I’d written an article earlier on how I disabled JSON username enumeration through the REST API. But I continued to get other requests that bypassed my cache and hit the origin server for no good reason. After several attempts to filter out only the legitimate requests, I finally gave up and disabled the REST API entirely.

If it’s safe for your website to do this, I suggest you follow in my footsteps. Here’s what the REST API is, and what you need to keep in mind before removing it.

REST Allows Structured Access to Your Site

The purpose of the REST API is to let third parties get information about your site without needing to visit any pages. So for example, if you want a list of authors on the site, you can just craft a JSON request that looks like this:

https://[yoursite]/wp-json/wp/v2/users/

Voila! Now anyone can see all the users on your site. The WordPress team has publicly made it clear that this is not a security risk. Those of us who maintain our own websites, on the other hand, know better. We know that it’s best to withhold as much information as possible from outsiders to make it harder to hack. It’s the same reason one of the first things you do on a new VPS server is change the SSH port from its default of 22. The idea is to make life harder for hackers, and not give them any free wins.

REST allows you to do a lot more than just list the authors. You can get a list of categories, the entire taxonomy of the site, and a lot more.

It’s so comprehensive, in fact, that it’s futile to go about blocking it piecemeal. It’s easier to just dump the whole thing.

The Consequences of Disabling REST

You should keep in mind, however, that there could be some consequences to disabling the REST API. For me, the biggest one that comes to mind is that the Gutenberg editor needs REST to function properly. I’m not sure why, but it does.

So as a compromise, whenever I’m working on a new or existing post, I briefly allow the REST API through my firewall by disabling the blocking rule, and then re-enable the rule when I’m done!

Another issue you’ll have is that the Jetpack plugin won’t work properly. It needs the API to communicate with WordPress. Personally, this doesn’t affect me because I stopped using Jetpack a while back and found other alternatives.

Also, the WordPress tool that checks site health will complain that REST isn’t enabled. I just ignore it.

Blocking REST via the Firewall

I use the Cloudflare firewall to just block all URLs that contain:

/wp-json

And while working on a post, I just temporarily disable this firewall rule. It’s a system that works great for me!

Disabling REST via WordPress Isn’t Enough

You can also use the "rest_endpoints" filter to remove the APIs from WordPress. However, it’s still not an ideal solution, because these requests pass straight through your cache and hit the origin server, which still has to do work to generate a response. What you want is for these requests to be shut down immediately so that your main server doesn’t get burdened. And that’s why I recommend blocking it with a firewall. There’s no need to even disable it in the background!
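For completeness, here is what the WordPress-side approach looks like as a must-use plugin. This is an added example, not the author’s or NameHero’s code, and it goes a little beyond the post: it strips every route from anonymous requests via the rest_endpoints filter mentioned above, but leaves the API intact for logged-in users so the Gutenberg editor keeps working without toggling anything, and it provides an optional (hypothetical, empty by default) allowlist of route prefixes the public may still reach. As the post says, the origin still does the work of loading WordPress for each of these requests, so this complements a firewall rule rather than replacing it.

```php
<?php
/**
 * Plugin Name: Restrict REST API to logged-in users (added example)
 * Description: Drop this file into wp-content/mu-plugins/ so it loads on
 *              every request without activation. Not NameHero's code.
 */

// Hypothetical allowlist of route prefixes anonymous clients may still use.
// Left empty on purpose; add entries such as '/contact-form-7/' only if a
// plugin on your site genuinely needs public REST access.
const NH_PUBLIC_ROUTE_PREFIXES = [];

/**
 * Return true if $route (e.g. '/wp/v2/users') starts with an allowed prefix.
 */
function nh_rest_is_public_route( string $route ): bool {
    foreach ( NH_PUBLIC_ROUTE_PREFIXES as $prefix ) {
        if ( strncmp( $route, $prefix, strlen( $prefix ) ) === 0 ) {
            return true;
        }
    }
    return false;
}

/**
 * rest_endpoints runs when WP_REST_Server builds its route table, after the
 * current user has been determined, so is_user_logged_in() is reliable here.
 * Removing a route makes WordPress answer the request with a 404 JSON error.
 */
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    // Authenticated users (the block editor, Site Health, a connected
    // Jetpack acting with a valid token) keep the full API.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Anonymous request: drop everything except the allowlisted prefixes.
    // The '/wp/v2/users' route the post demonstrates disappears here too.
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( ! nh_rest_is_public_route( $route ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

After installing it, an anonymous `curl https://[yoursite]/wp-json/wp/v2/users/` returns a JSON 404 instead of the user list, while the editor in wp-admin (which sends its session cookie and nonce) continues to save posts normally.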

Hopefully, over time, the WordPress team will realize that the REST API just isn’t worth the additional hassle.

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
