This plugin does one thing: disables the WP REST API for visitors who are not logged into WordPress. No configuration required.

This plugin works with only 22 short lines of code (less than 2KB). So it is super lightweight, fast, and effective.


  • Disable REST/JSON for visitors (not logged in)
  • Disables REST header in HTTP response for all users
  • Disables REST links in HTML head for all users
  • 100% plug-and-play, set-it-and-forget solution

The fast, simple way to prevent abuse of your site’s REST/JSON API

How does it work? That depends on which version of WordPress you are using..

WordPress v4.7 en hoger

For WordPress 4.7 and better, this plugin completely disables the WP REST API unless the user is logged into WordPress.

  • For logged-in users, WP REST API works normally
  • For logged-out users, WP REST API is disabled

What happens if logged-out visitor makes a JSON/REST request? They will get only a simple message:

“rest_login_required: REST API restricted to authenticated users.”

Dit bericht kan worden aangepast via de z.g. filter hook, disable_wp_rest_api_error. Bekijk dit bericht voor een voorbeeld van hoe men dit moet doen.

Oudere versies van WordPress

For WordPress versions less than 4.7, this plugin simply disables all REST API functionality for all users.

Meer informatie beschikbaar hieronder in de FAQ’s sectie.


This plugin does not collect or store any user data. It does not set any cookies, and it does not connect to any third-party locations. Thus, this plugin does not affect user privacy in any way. If anything it improves user privacy, as it protects potentially sensitive information from being displayed/accessed via REST API.


Hoe te installeren

  1. Upload de plugin naar je blog en activeer dan
  2. Klaar! Geen verdere configuratie is vereist.

Meer informatie over het installeren van WP plugins


To test that the plugin is working, log out of WordPress and then request https://example.com/wp-json/ in a browser. See FAQs for more infos.

Like the plugin?

If you like Disable WP REST API, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!


Waarom zou iemand de REST API willen uitschakelen ?

Technically this plugin only disables REST API for visitors who are not logged into WordPress. With that in mind, here are some good reasons why someone would want to disable REST API for non-logged users:

  • De REST API is mogelijk niet nodig voor niet-ingelogde gebruikers
  • Disabling the REST API conserves server resources
  • Door de REST API uit te schakelen, worden mogelijke aanvalsvectoren tot een minimum beperkt
  • Disabling the REST API prevents content scraping and plagiarism

I’m sure there are other valid reasons, but you get the idea 🙂

There already is another “Disable REST” plugin?

Yep, actually there are two other “Disable REST” plugins:

The first of those plugins is awesome and provides a LOT more features and functionality than is required to simply disable REST. And the second plugin was shut down due to lack of use. I wrote my disable-REST plugin because I wanted something super lightweight, fast, and effective. If you are looking for more options and features, then check out the first of those two listed alternatives.

Hoe test ik of REST is uitgeschakeld ?

Testen is eenvoudig:

  1. Uitloggen bij WordPress
  2. Gebruik een browser om https://example.com/wp-json/ aan te vragen

If you see the following message, REST is disabled:

“rest_login_required: REST API restricted to authenticated users.”

Then if you log back in and make a new request for https://example.com/wp-json/, you will see that REST is working normally.

Does it disable REST functionality added by other plugins?

Ja, als de REST-eindpunten zijn geregistreerd met de WP REST API.

Werkt dit met Gutenberg/blok-editor?

Ja. Het werkt hetzelfde, ongeacht welke editor (klassiek of blok) je gebruikt.

Hoe het foutbericht aan te passen?

Standaard geeft de plugin een bericht weer voor niet geverifieerde gebruikers: “REST API beperkt tot geverifieerde gebruikers.”.
Om dat bericht aan te passen aan wat je maar wil, voegt je de volgende code toe via functions.php of een eenvoudige plugin:

function disable_wp_rest_api_error_custom($message) {

    return 'Customize your message here.'; // change this to whatever you want

add_filter('disable_wp_rest_api_error', 'disable_wp_rest_api_error_custom');

Hoe toegang te verlenen tot Contact Form 7 ?

As explained in this thread, the plugin Contact Form 7 requires REST API access in order for the contact form to work. To allow for this, you can install our free plugin to allow REST access for CF7. Learn more and download at Perishable Press. When used together with the Disable REST API plugin, the CF7 addon will enable sending emails to work again.

Heb je een vraag?

Stuur vragen of andere feedback via mijn contactformulier


4 september 2021
Just install and activate, this plugin will do the rest for you.
9 juli 2021
Blocking potential entry points and attack vectors is key to maintaining a healthy website. This small but efficient tool does what it says without fuss or impacting your sites' functions. Nothing to lose by installing it and a potential attack point blocked 🙂
25 mei 2021
I'm not using the rest API, neither do those nasty crackers out there.
22 mei 2021
I just recently learnt about REST API in WP. I already used "My Private Site"-Plugin which restricts access to content to logged in users. But this works only for the web frontend. Via default enabled REST API still everyone is capable to read all posts! This I unfortunately did not know until I heard about in a tech podcast. What I also like about this plugin at least in the current version it does not simply turn off REST API it just restricts access to logged in Users. So, if your logged in (e.g., via application password) you can still access the API. This is excellent! I just wished "My Private Site"-Plugin would also have thought about WP's REST API. Everyone using this plugin in my opinion will also be interested in not still granting access to content for everyone via REST.
9 februari 2021
Read about it in CT! Magazine. Makes a difference and I thank you for that.
Lees alle 23 beoordelingen

Bijdragers & ontwikkelaars

“Disable WP REST API” is open source software. De volgende personen hebben bijgedragen aan deze plugin.


Vertaal “Disable WP REST API” naar jouw taal.

Interesse in ontwikkeling?

Bekijk de code, haal de SVN repository op, of abonneer je op het ontwikkellog via RSS.


If you like Disable WP REST API, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!


  • Tests on WordPress 5.8


  • Adds support for CF7 (Thanks to @darko-a7) (more info)
  • Adds filter hook disable_wp_rest_api_post_var
  • Tests on PHP 7.4 and 8.0
  • Tests on WordPress 5.7


  • Tests on PHP 7.4 and 8.0
  • Tests on WordPress 5.6


  • Refines readme/documentation
  • Tests on WordPress 5.5


  • Tests on WordPress 5.4


  • Tests on WordPress 5.3


  • Updates some links to https
  • Tests on WordPress 5.3 (alpha)



  • Tests on WordPress 5.1 and 5.2 (alpha)


  • Tests on WordPress 5.1


  • Adds homepage link to Plugins screen
  • Updates default translation template
  • Tests on WordPress 5.0


  • Gebruikt GDPR blurb en donatie link
  • Voegt “waardeer plugin” link toe aan het plugins scherm
  • Adds icons for the WordPress Plugin Directory
  • Generates default translation template
  • Further tests on WP versions 4.9 and 5.0 (alpha)


  • Initiële versie