On This Page
For WordPress Users Who Aren’t Developers
If you aren’t a developer but you manage your own WordPress installation, this article is meant for you.
The WordPress developer community is buzzing about WP API, also known as JSON REST API. And, because developers are the ones who use and will use WP API, most discussions are rather technical. Even definitions meant for non-developers tend to be rather technical and can even seem circular. Many developers even have difficulty understanding what this is all about.
If the first paragraph of the API entry on Wikipedia is your kind of language, you probably don’t need this article:
In computer programming, an application programming interface (API) is a set of subroutine definitions, protocols, and tools for building application software. A good API makes it easier to develop a computer program by providing all the building blocks, which are then put together by the programmer. An API may be for a web-based system, operating system, database system, computer hardware, or software library. An API specification can take many forms, but often includes specifications for routines, data structures, object classes, variables, or remote calls. POSIX, Microsoft Windows API, the C++ Standard Template Library, and Java APIs are examples of different forms of APIs. Documentation for the API is usually provided to facilitate usage. The status of APIs in intellectual property law is controversial.
But if tech speak isn’t your forte, my (over)simplification might be useful to you.
Why Disable the WP API?
With WP API, some logins can bypass login security improvements such as two-factor authentication and reCAPTCHA. This could be a serious issue. The WP API also provides access to some data without requiring any authentication at all. The WP API has been around for a long time. But not until now was it exposed to the Internet as part of the core functionality of WordPress.
Your WordPress Installation is probably not (yet) using the WP API. (But if your site is exchanging data with another source other than RSS, be sure to speak with your developer before disabling the WP API.) Now that the WP API is part of WordPress core, it is the future of WordPress, but it’s not the present of WordPress. Turning off WP API could enhance your website’s security until you need it for a theme, a plugin, or other functionality. A good general security rule of thumb in computing is not to leave anything open that isn’t being used.
First, Some Definitions
What’s An API?
API stands for “Application Programming Interface”. A program’s API makes some of what it does available to other programs. Programmers connect their software to someone else’s software using APIs.
There’s a clever description of API on Yahoo Answers:
As a baseball analogy, an API is the rule book. If you did not know anything about the inner workings of baseball, you would get a copy of the rule book. This book would show you what each player’s (the functions or classes) responsibilities are, how the players are supposed to interact with each other (the signals or methods), and what the players need to play the game such as baseballs, gloves, and bats (the variables and inputs). Once you know the rules (the API), you should be able to go out and build your own baseball team (program) or at least be able to play on another baseball team (a library).
Examples of APIs that you’ve likely seen in action:
- An app on your smartphone using Google Maps to display the location of something;
- A mobile app that lets you post on Facebook, Twitter, Instagram, etc;
- A service or game that allows you to login using Facebook or Twitter.
What’s a REST API?
REST stands for “REpresentational State Transfer”. A REST API is designed to move more data between applications or websites using less bandwidth. Because of this, REST API is perfect for high volume web services like Google Apps, Facebook, Twitter, and… WordPress.
CRUD stands for “Create, Read, Update, and Delete”. Out of the box, the WP API can CRUD posts, pages, custom post types, custom page types, media, comments, taxonomies, and users. These can be extended in many ways.
What Is The WordPress JSON REST API?
Ok, now maybe at least the name will make sense to you.
The WordPress JSON Rest API (WP API) is essentially a data interchange tool. In other words, it allows developers to read WordPress content from other applications and websites. It also allows other applications and websites to write to WordPress.
How to Disable the WP API
Now that you have a better idea about what the WP API is, you might want to disable it. The free version of iThemes Security Plugin makes it easy. The free plugin also has other security features that could be useful to you. It helps to lock down your WordPress installation by plugging common security holes, protecting against automated attacks, and strengthening user credentials. The Pro version has many enhanced features. The iThemes security plugin is active on more than 800,000 WordPress installations. In case you’re wondering, I have no relationship iThemes.
Here are the steps:
- Install the iThemes Security Plugin. I like to use the built-in WordPress Add Plugin page as below, but you can also download it from the iThemes Security Plugin WordPress.org page.
- Activate the plugin.
- In the left sidebar of the WP Dashboard, click the newly added “Security” entry and select “Settings”.
- Scroll down to the “WordPress Tweaks” section.
- Scroll down the alphabetical list to “Rest API”, open the drop down menu, and select “Disable REST API (recommended)”. Requiring Admin Privileges will disable anonymous access to data but allow someone with administrative access to use the REST API.
- Be sure to save your settings!
You have now disabled the WP API.