Herr Bischoff


How to Disable WordPress wp-json REST API

While securing a site for a consulting client, I found several methods suggested to turn this off, none of which worked reliably by itself. The JSON API allows interesting use cases but also introduces an easy way to enumerate users.

First and foremost, since we’re talking about WordPress, of course a plugin is recommended. In this case: Disable REST API. It was last updated two years ago and comes with a rather prominent warning:

This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

It may still work, but it’s pointless to introduce more points of failure through an unsupported piece of software.

Second, there are filter statements that can be added to the functions.php file of the site:

// Filters for WP-API version 1.x (the pre-core plugin; they have no effect on the core REST API)
add_filter('json_enabled', '__return_false');
add_filter('json_jsonp_enabled', '__return_false');

// Filters for WP-API version 2.x (in core since WordPress 4.4; rest_enabled was deprecated in 4.7,
// after which the API can no longer be switched off through this filter)
add_filter('rest_enabled', '__return_false');
add_filter('rest_jsonp_enabled', '__return_false');

Those, however, had either no effect or resulted in an HTTP 500 error.

Therefore, the only reliable method of blocking access is configuring the web server to disallow this particular route. Thankfully, Nginx was used, so it was rather straightforward:

location ~ ^/wp-json {
    return 403;
}
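The location above only covers the pretty-permalink entry point; WordPress also serves the same API through the rest_route query argument (/?rest_route=/...), and a blanket 403 breaks the block editor on WordPress 5.0+, which talks to the API from the browser. The following is an added example, not from the original post, that refuses anonymous requests on both entry points while letting requests that carry a WordPress login cookie through; it assumes a standard WordPress server block that already has a PHP location and routes unmatched requests to index.php.

```nginx
# Added example (not from the original post). Refuses the REST API on both of its
# entry points for requests without a WordPress login cookie. Assumes a standard
# WordPress server block with a PHP-FPM location and try_files fallback to index.php.

# http {} context: 1 when the request carries a WordPress login cookie
# (cookie name is wordpress_logged_in_<hash>). Cookie presence is not
# authentication; WordPress still validates it. This only keeps anonymous
# traffic away from the API while the editor keeps working for logged-in users.
map $http_cookie $wp_login_cookie {
    default                   0;
    "~*wordpress_logged_in_"  1;
}

# Query-string entry point: /?rest_route=/wp/v2/... is honoured regardless of
# permalink settings. Flag it when no login cookie is present.
# $arg_rest_route is Nginx's built-in variable for the rest_route query argument.
map "$wp_login_cookie:$arg_rest_route" $wp_rest_anon_query {
    default  0;
    "~^0:.+" 1;
}

server {
    # ... listen, server_name, root, index and the existing locations ...

    # Pretty-permalink entry point: /wp-json and everything below it.
    # (/|$) keeps unrelated paths that merely start with "wp-json" unaffected.
    location ~ ^/wp-json(/|$) {
        if ($wp_login_cookie = 0) {
            return 403;
        }
        # Logged-in request: hand it to WordPress as usual.
        try_files $uri $uri/ /index.php?$args;
    }

    # Query-string entry point, evaluated for every request.
    if ($wp_rest_anon_query) {
        return 403;
    }
}
```

Verify after reloading: an anonymous request to /wp-json/wp/v2/users and to /?rest_route=/wp/v2/users should both receive 403, while the block editor still loads for a logged-in user.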

While we’re at it, do yourself a favor and disable author archives as well (if you’re not using them) by adding this short statement to your functions.php. Author archives are another user enumeration attack vector.

// Serve a 404 for author archive requests instead of the archive page.
function _disable_author_archives() {
    if (is_author()) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
    } else {
        // Keep canonical redirects for every other request type.
        redirect_canonical();
    }
}
// Detach core's canonical redirect (it would otherwise redirect ?author=N requests to the
// author's archive URL, which exposes the user slug) and run it from the function above instead.
remove_filter('template_redirect', 'redirect_canonical');
add_action('template_redirect', '_disable_author_archives');

Well, that’s WordPress for you.