WordPress includes a REST API that allows applications to interact with your site using JSON data. By default, many REST API endpoints are publicly accessible, including those that expose user information. On ruachost.com, you can restrict access to these endpoints for better security.

Why Disable REST API Endpoints?

  • Prevents unauthorized access to sensitive data (e.g., user lists).

  • Reduces exposure to automated attacks.

  • Helps harden WordPress security without breaking admin functionality.

Steps to Disable REST API for Non‑Authenticated Users

  1. Log in to WordPress as the administrator.

  2. In the dashboard, go to Appearance → Theme Editor.

  3. From the right‑hand column, select functions.php.

  4. Scroll to the bottom of the file and add the following code:

    // WordPress runs this filter before serving every REST request.
    add_filter( 'rest_authentication_errors', function( $result ) {
        // Another authentication method already succeeded (true) or failed (WP_Error): keep its result.
        if ( true === $result || is_wp_error( $result ) ) {
            return $result;
        }
        // No authenticated user: reject the request with HTTP 401.
        if ( ! is_user_logged_in() ) {
            return new WP_Error( 'rest_not_logged_in', __( 'You are not currently logged in.' ), array( 'status' => 401 ) );
        }
        // Logged-in user: let the request continue.
        return $result;
    });

  5. Click Update File to save changes.

✅ Now, only logged‑in users can access REST API endpoints. Non‑authenticated users receive an HTTP 401 response with the message:

You are not currently logged in.

Important Notes

  • Do not disable the REST API completely, as it is required for WordPress admin functionality.

  • Always back up your site before editing theme files.

  • Use a child theme to preserve changes during updates.

  • Test thoroughly to ensure plugins or themes that rely on the REST API continue to work.
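If a plugin or theme breaks because it calls the REST API for visitors who are not logged in, a narrower variant of the snippet from step 4 can keep a short list of public routes reachable while still blocking everything else (including the user list). The code below is an added example, not part of the original article or of WordPress itself; the route prefixes in its allowlist are assumed placeholders that you must replace with the routes your own plugins need. It hooks `rest_pre_dispatch` instead of `rest_authentication_errors` because that filter runs after the requested route is resolved, so the route can be inspected.

```php
// Added example: paste at the bottom of functions.php, as in step 4 (no opening <?php tag needed).
// Blocks anonymous REST requests except for an allowlist of public route prefixes.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already produced a response or error: keep it.
    if ( null !== $result ) {
        return $result;
    }

    // Logged-in users (cookie or application-password authentication) are unaffected.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Route prefixes that remain public for anonymous visitors.
    // ASSUMED placeholders: replace with the routes your plugins actually use.
    $public_prefixes = array(
        '/contact-form-7/v1/', // assumed example: a front-end form plugin
        '/oembed/1.0/embed',   // core oEmbed discovery used when posts are embedded
    );

    $route = $request->get_route(); // e.g. "/wp/v2/users"
    foreach ( $public_prefixes as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result; // allowed through for anonymous visitors
        }
    }

    // Everything else, including /wp/v2/users, requires a logged-in user.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You are not currently logged in.' ),
        array( 'status' => 401 )
    );
}, 10, 3 );
```

After saving, verify both directions while logged out: a request to /wp-json/wp/v2/users should return 401 with the message above, and a request to one of the allowlisted routes should still succeed. Keep the allowlist as short as possible; every prefix you add is reachable by anyone.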
