Skip to content

Securing your WordPress site involves controlling access to essential functionalities. In this guide, we’ll explain how to disable the WP REST API for unauthorized users without relying on plugins. By implementing this approach, you can bolster your website’s security while maintaining optimal performance.

Understanding the Need to Disable WP REST API

The WordPress REST API offers developers a versatile tool for data interaction. However, maintaining security requires regulating API access. In this guide, we’ll walk you through the steps to restrict the WP REST API access for unauthorized users.

Disabling WP REST API for Unauthorized Users: Step-by-Step

Step 1: Apply the Filter

Disabling the WP REST API is achievable by utilizing the rest_authentication_errors filter. By integrating the following code snippet into your theme’s functions.php file, you can gain control over your site’s REST API access:

add_filter( 'rest_authentication_errors', function( $result ) {
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;

    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            esc_html__( 'You are not currently logged in.' ),
            array( 'status' => 401 )

    return $result;

Step 2: Verify and Test

After applying the code, rigorously test your website. Ensure that unauthorized users are met with a 401 Unauthorized status, demonstrating that access to WP REST API is restricted.

Benefits of Disabling WP REST API for Unauthorized Users

  • Enhanced Security: By regulating access, you safeguard your site from potential vulnerabilities and protect sensitive data from unauthorized exposure.
  • Preserving Confidentiality: Limiting API access guarantees that private data remains inaccessible to unauthorized entities, maintaining the confidentiality of your website’s information.


Securing your WordPress site extends beyond traditional measures. By following this guide to disable the WP REST API for unauthorized users, you actively contribute to your website’s safety. The outlined steps empower you to control access to critical functionalities, ensuring a secure online environment for both you and your visitors.

For more comprehensive insights into controlling the WordPress REST API, consult the official WordPress documentation: Can I Disable the REST API?.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.