This plugin does one thing: disables the WP REST API for visitors who are not logged into WordPress. No configuration required.

This plugin works with only 22 short lines of code (less than 2KB). So it is super lightweight, fast, and effective.


  • Disable REST/JSON for visitors (not logged in)
  • Disables REST header in HTTP response for all users
  • Disables REST links in HTML head for all users
  • 100% plug-and-play, set-it-and-forget solution

The fast, simple way to prevent abuse of your site’s REST/JSON API

How does it work? That depends on which version of WordPress you are using..

WordPress v4.7 and beyond

For WordPress 4.7 and better, this plugin completely disables the WP REST API unless the user is logged into WordPress.

  • For logged-in users, WP REST API works normally
  • For logged-out users, WP REST API is disabled

What happens if logged-out visitor makes a JSON/REST request? They will get only a simple message:

„rest_login_required: REST API restricted to authenticated users.“

This message may customized via the filter hook, disable_wp_rest_api_error. Check out this post for an example of how to do it.

Ältere Versionen von WordPress

For WordPress versions less than 4.7, this plugin simply disables all REST API functionality for all users.

More information available below in the FAQs section.


Dieses Plugin sammelt und speichert keine Benutzerdaten. Es setzt keine Cookies und es verbindet sich zu keinen Drittanbietern. Daher beeinträchtigt dieses Plugin die Privatsphäre des Benutzers in keiner Weise. Wenn überhaupt, dann verbessert es die Privatsphäre des Benutzers, da es potenziell sensible Informationen vor der Anzeige/Aufruf durch die RESP API schützt.

Disable WP REST API is developed and maintained by Jeff Starr, 15-year WordPress developer and book author.

Support development of this plugin

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

And/or purchase one of my premium WordPress plugins:

Links, tweets and likes also appreciated. Thank you! 🙂


How to Install

  1. Upload the plugin to your blog and activate
  2. Done! No further configuration is required.

Weitere Infos über die Installation von WP-Plugins (engl.)


To test that the plugin is working, log out of WordPress and then request https://example.com/wp-json/ in a browser. See FAQs for more infos.

Gefällt dir das Plugin?

If you like Disable WP REST API, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!


What is the default access-denied message?

When the user is logged in to WordPress, the normal REST API data will be displayed. When the user is not logged in, this is the default message:

{"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}

Why would anyone want to disable the REST API?

Technically this plugin only disables REST API for visitors who are not logged into WordPress. With that in mind, here are some good reasons why someone would want to disable REST API for non-logged users:

  • The REST API may not be needed for non-logged users
  • Disabling the REST API conserves server resources
  • Disabling the REST API minimizes potential attack vectors
  • Disabling the REST API prevents content scraping and plagiarism

I’m sure there are other valid reasons, but you get the idea 🙂

There already is another „Disable REST“ plugin?

Yep, actually there are two other „Disable REST“ plugins:

The first of those plugins is awesome and provides a LOT more features and functionality than is required to simply disable REST. And the second plugin was shut down due to lack of use. I wrote my disable-REST plugin because I wanted something super lightweight, fast, and effective. If you are looking for more options and features, then check out the first of those two listed alternatives.

How do I test that REST is disabled?

Testing is easy:

  1. Von WordPress abmelden
  2. Using a browser, request https://example.com/wp-json/

If you see the following message, REST is disabled:

„rest_login_required: REST API restricted to authenticated users.“

Then if you log back in and make a new request for https://example.com/wp-json/, you will see that REST is working normally.

Does it disable REST functionality added by other plugins?

Yes, if the REST endpoints are registered with the WP REST API.

Funktioniert es mit dem Gutenberg/Block Editor?

Yes. It works the same regardless of which editor (Classic or Block) you are using.

Wie kannst du die Fehlermeldung anpassen?

By default the plugin displays a message for unauthenticated users: „REST API restricted to authenticated users.“ To customize that message to whatever you want, add the following code via functions.php or simple custom plugin:

function disable_wp_rest_api_error_custom($message) {

    return 'Customize your message here.'; // change this to whatever you want

add_filter('disable_wp_rest_api_error', 'disable_wp_rest_api_error_custom');

Wie wird der Zugriff für Contact Form 7 zugelassen?

As explained in this thread, the plugin Contact Form 7 requires REST API access in order for the contact form to work. To allow for this, follow this guide.

Hast du Fragen?

Sende Fragen und Feedback über mein Kontaktformular


29. März 2023
In generel a Good security concept . But at the other end many plugin developer use the Rest API Could be done much easier with a 5 3 line htaccess rule to block only ^.*wp-json/wp/v2/(users But anyway a good solution if you have a simpel installation.
28. Juli 2022 1 Antwort
while the plugin si deadsimple and very low resource impact, keep in mind that there are plugins that need the rest to work with no auth (ex. contact form 7).
Alle 33 Rezensionen lesen

Mitwirkende & Entwickler

„Disable WP REST API“ ist Open-Source-Software. Folgende Menschen haben an diesem Plugin mitgewirkt:


„Disable WP REST API“ wurde in 3 Sprachen übersetzt. Danke an die Übersetzerinnen und Übersetzer für ihre Mitwirkung.

Übersetze „Disable WP REST API“ in deine Sprache.

Interessiert an der Entwicklung?

Durchstöbere den Code, sieh dir das SVN Repository an oder abonniere das Entwicklungsprotokoll per RSS.


If you like Disable WP REST API, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!


  • Tests on WordPress 6.4


  • Tests on WordPress 6.3


  • Fixes incorrect variable name
  • Tests on WordPress 6.2


  • Adds functionality to whitelist $_SERVER vars
  • Adds functionality to allow for array of vars
  • Updates default translation template
  • Tests on WordPress 6.1 + 6.2 (beta)
  • Tests on PHP 8.1 and 8.2


  • Improves plugin documentation
  • Tests on WordPress 6.1


  • Tests on WordPress 6.0


  • Improves documentation
  • Updates some links to external resources
  • Changes minimum required WP version to 4.6
  • Tests on WordPress 5.9


  • Tests on WordPress 5.8


  • Adds support for CF7 (Thanks to @darko-a7) (more info)
  • Adds filter hook disable_wp_rest_api_post_var
  • Tests on PHP 7.4 and 8.0
  • Tests on WordPress 5.7


  • Tests on PHP 7.4 and 8.0
  • Tests on WordPress 5.6


  • Refines readme/documentation
  • Tests on WordPress 5.5


  • Tests on WordPress 5.4


  • Tests on WordPress 5.3


  • Updates some links to https
  • Tests on WordPress 5.3 (alpha)



  • Tests on WordPress 5.1 and 5.2 (alpha)


  • Tests on WordPress 5.1


  • Adds homepage link to Plugins screen
  • Updates default translation template
  • Tests on WordPress 5.0


  • Updates GDPR blurb and donate link
  • Adds „rate plugin“ link to Plugins screen
  • Adds icons for the WordPress Plugin Directory
  • Generates default translation template
  • Further tests on WP versions 4.9 and 5.0 (alpha)


  • Erste Veröffentlichung