
Secure the WordPress REST API (Without Breaking It)

The WordPress REST API is a powerful feature that enables developers to interact with a site’s data programmatically. While useful for headless setups, custom apps, and AJAX calls, it can also expose sensitive information if left unsecured.

By default, the REST API answers unauthenticated requests on many endpoints. The users endpoint, for example, lists every account that has authored a published post, including each account's ID and slug, and the posts and taxonomy endpoints return all published content in bulk.

In this post, we’ll walk through several safe ways to secure your REST API without disrupting core functionality or plugin features that depend on it.

Why Secure the REST API?

Some REST API endpoints expose data that attackers use for enumeration and reconnaissance. For example:

  • /wp-json/wp/v2/users – lists every account that has authored a published post, with its ID and slug; the slug is the user_nicename, which WordPress derives from the login name by default
  • /wp-json/wp/v2/posts – returns every published post with full content and the author's numeric ID, and adding ?_embed attaches the author's name and slug to each post; drafts and private posts are not returned to anonymous requests, but the listing makes bulk scraping trivial

Locking these down makes username harvesting for brute-force and phishing attacks harder and limits content scraping. It is one layer, not a complete fix: the theme still prints author names, and the classic /?author=1 request redirects to an author archive URL containing the same slug unless you block that separately.

Option 1: Restrict Access to Authenticated Users

You can allow only logged-in users to access the REST API by adding the following code to your theme's functions.php or, better, to a custom or must-use plugin so it survives a theme switch. The early return keeps any error or authentication result that another callback has already set, as the WordPress REST API handbook example for this filter does:

add_filter('rest_authentication_errors', function($result) {
    // Another callback already authenticated the request or returned an error: leave it alone.
    if (!empty($result)) {
        return $result;
    }
    if (!is_user_logged_in()) {
        return new WP_Error('rest_forbidden', 'You must be logged in to access the REST API.', array('status' => 401));
    }
    return $result;
});

Note: This blocks every unauthenticated REST request, including front-end AJAX calls, contact-form plugins, oEmbed discovery and any other integration that relies on public endpoints, so test those features afterwards. Requests authenticated with an Application Password count as logged in and keep working. The filter runs before the request is routed, so it cannot make exceptions for individual routes; for that, use the per-endpoint approach in the next option.
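A middle ground between this option and the next, as an added example that is not part of the original post: a route allow-list built on the rest_pre_dispatch filter, which runs after routing so the route name is available, and denies anonymous access to everything not on the list. The route prefixes marked as public are assumptions for illustration; replace them with the routes your own front end actually calls.

```php
<?php
/**
 * Added example: allow anonymous requests only to an allow-list of REST routes
 * and require a logged-in user for everything else. Drop it into a must-use
 * plugin (wp-content/mu-plugins/) so it does not depend on the active theme.
 *
 * rest_pre_dispatch runs after routing, so $request->get_route() is known here;
 * rest_authentication_errors runs before routing and cannot tell routes apart.
 */
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    // Respect a result or error already produced by another filter.
    if (!empty($result)) {
        return $result;
    }
    // Logged-in users (cookie + nonce, or an Application Password) are unaffected,
    // so the block editor and authenticated integrations keep working.
    if (is_user_logged_in()) {
        return $result;
    }

    // Route prefixes that anonymous visitors may still call.
    // ASSUMED for illustration: replace with the routes your own front end uses
    // (watch the browser's network tab for calls to /wp-json/ while logged out).
    $public_prefixes = array(
        '/oembed/1.0/embed',    // lets other sites embed your posts
        '/wp/v2/posts',         // a theme that loads posts via JavaScript
        '/contact-form-7/v1/',  // a front-end form plugin namespace
    );

    $route = $request->get_route();
    foreach ($public_prefixes as $prefix) {
        if (strncmp($route, $prefix, strlen($prefix)) === 0) {
            return $result;
        }
    }

    // Everything else, including /wp/v2/users and /wp/v2/users/<id>, is denied.
    return new WP_Error(
        'rest_login_required',
        'You must be logged in to access this endpoint.',
        array('status' => 401)
    );
}, 10, 3);
```

Two behaviours to be aware of: a logged-in browser that opens a /wp-json/ URL directly is treated as anonymous, because no nonce accompanies the request, which is normal REST behaviour and not a bug in the filter; and because /wp/v2/posts is on the list, a request with ?_embed still triggers an internal lookup of /wp/v2/users/<id>, which the same filter denies, so the embedded author entry becomes an error object rather than the profile.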

Option 2: Restrict Specific Endpoints Only

If you want to restrict only certain endpoints (like users), remove their routes from the route table, but only for anonymous requests: the block editor's author selector and other admin screens query /wp/v2/users on behalf of logged-in users. Remove the single-user route as well, or /wp/v2/users/1, /wp/v2/users/2 and so on still allow enumeration by ID:

add_filter('rest_endpoints', function($endpoints) {
    // Keep the routes for logged-in users: the block editor's author selector queries /wp/v2/users.
    if (is_user_logged_in()) {
        return $endpoints;
    }
    // Remove the single-user route too, or /wp/v2/users/1, /2, ... still allows enumeration by ID.
    unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});

This method removes the /users routes for anonymous visitors while keeping the rest of the API intact; requests to them get a rest_no_route 404. Post responses still carry the author's numeric ID, but a ?_embed lookup of that ID now fails instead of returning the profile, so the login slug is no longer reachable through the API.

Option 3: Block REST API for Specific Roles

You can also limit access by role. current_user_can() expects a capability name, and the WordPress documentation warns that passing a role name is only partially supported, so check the user's role list instead. For example, to block REST API access for subscribers:

add_filter('rest_authentication_errors', function($result) {
    if (!empty($result)) {
        return $result;
    }
    // current_user_can() expects a capability, not a role name; check the role list directly.
    if (is_user_logged_in() && in_array('subscriber', wp_get_current_user()->roles, true)) {
        return new WP_Error('rest_forbidden', 'Subscribers cannot access the REST API.', array('status' => 403));
    }
    return $result;
});

This only affects authenticated requests: anonymous visitors are untouched, so on its own it does nothing against enumeration, and it is mainly useful on membership sites where subscribers should not query the API at all. Since subscribers cannot edit posts, blocking them does not affect the block editor.

Option 4: Hide REST API User Data from Public

Instead of disabling the endpoint entirely, you can strip fields from the users response. The email address is only included in the edit context, so it is never part of a public response; the fields that leak login names are slug (the user_nicename) and link (the author archive URL, which contains that slug). The rest_prepare_user filter also runs for the author data attached by ?_embed, so both paths are covered:

add_filter('rest_prepare_user', function($response, $user, $request) {
    // 'email' is only included in the 'edit' context, so it is never public anyway.
    // The fields that leak login names are 'slug' (user_nicename) and 'link' (the author archive URL).
    if (!current_user_can('list_users')) {
        $data = $response->get_data();
        unset($data['slug'], $data['link']);
        $response->set_data($data);
    }
    return $response;
}, 10, 3);

Option 5: Use a Security Plugin

Plugins like Wordfence, iThemes Security (now Solid Security), or Disable REST API give you toggles to limit access without writing code. These tools offer granular control over what's accessible and to whom. Whichever you choose, verify the result with the checks below, since a rule written only against the /wp-json/ path does not cover the ?rest_route= form of the same request.

Testing Your API Security

To test your changes, request these URLs while logged out (a private window, or curl, so no login cookie is sent):

  • https://yoursite.com/wp-json/ – lists the registered routes; if you removed the users routes they should no longer appear here
  • https://yoursite.com/wp-json/wp/v2/users – the user listing
  • https://yoursite.com/wp-json/wp/v2/users/1 – a single user by ID, which a block on the collection route alone leaves exposed
  • https://yoursite.com/?rest_route=/wp/v2/users – the same endpoint without pretty permalinks; the PHP filters above cover it, a web-server rule on /wp-json/ does not
  • https://yoursite.com/wp-json/wp/v2/posts?_embed&per_page=1 – check whether the author's name and slug come back embedded with the post

Use tools like Postman or your browser's network inspector to monitor responses and verify that access is restricted as expected. Then repeat the checks while logged in (or with an Application Password) and open the block editor to confirm that the author selector, your contact forms and any other features that call the API still work.

Final Thoughts

While the REST API is essential for many modern WordPress features, securing it is equally important. Whether you hide sensitive data, block specific endpoints, or restrict access based on roles – the goal is to reduce exposure without breaking functionality.

Need more help securing your site? Check out our full guide on WordPress security hardening tips.


Savvy WordPress Development