The WordPress REST API provides a powerful and straightforward way to interact with your site’s data through a set of HTTP endpoints. It allows you to access and manipulate various types of content, including users, posts, taxonomies, and more, all in a simple JSON format. Whether you need to retrieve information or update existing data, you can do so effortlessly by sending HTTP requests.
The REST API is highly versatile and can be utilized across a wide range of platforms. It is not limited to just web applications; you can also use it in mobile apps, desktop applications, and any other devices that have internet access. This flexibility enables seamless integration and interaction with your site from virtually anywhere, making it an essential tool for modern web development and application integration.
Clean the REST API Response
When you access the base route of your site’s REST API (e.g., /wp-json/ or ?rest_route=/), the service by default returns a comprehensive list of all available namespaces and routes. This output reveals which themes and plugins are installed on your site (each one registers its own namespace), exposing details that could be leveraged for malicious purposes.
Enabling this option will clean the REST API response by limiting the information disclosed. This enhances your site’s security by preventing the exposure of internal data and configurations that could be exploited. For improved protection and to safeguard against potential vulnerabilities, it is highly recommended to select “Yes” for this option. This ensures that unnecessary details are not made publicly available, reducing the risk of information leaks.
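The following is an added example, not the plugin’s own code, of what "cleaning" the index means in terms of core WordPress hooks: the rest_index filter reshapes the root response of /wp-json/, and the rest_namespace_index filter does the same for a namespace root such as /wp-json/wp/v2. The list of fields kept is an assumption; the field names themselves are the ones core puts in the index.

```php
<?php
/**
 * Added example (not the plugin's own code): strip the namespace and route
 * listing from the REST API index so the root response no longer advertises
 * which plugins and themes register endpoints.
 *
 * Save as wp-content/mu-plugins/clean-rest-index.php so it loads early.
 */

add_filter( 'rest_index', function ( WP_REST_Response $response ) {
    $data = $response->get_data();

    // 'namespaces' and 'routes' enumerate every plugin and theme endpoint;
    // 'authentication' lists the auth handlers in use. Keep only a short,
    // non-identifying description of the site (assumed allowlist).
    $keep = array( 'name', 'description', 'url', 'home' );
    $response->set_data( array_intersect_key( $data, array_flip( $keep ) ) );

    return $response;
} );

// A namespace root (e.g. /wp-json/wp/v2) lists that namespace's routes too,
// so trim it the same way.
add_filter( 'rest_namespace_index', function ( WP_REST_Response $response ) {
    $data = $response->get_data();
    unset( $data['routes'] );
    $response->set_data( $data );

    return $response;
} );
```

The endpoints themselves keep working; only the directory of them is hidden. A quick check after enabling is to fetch /wp-json/ with curl and confirm that the JSON no longer contains a "namespaces" or "routes" key.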
New JSON Path
This option allows you to customize the slug used in the JSON API endpoint of your site. You can specify any alphanumeric characters for this field to create a unique path for accessing the API. For example, if the default slug wp-json is in use and you choose custom-api as the new slug, the updated URL for your JSON API would be:
http://your-domain-name/custom-api/
Changing the JSON path can help enhance security by obscuring the default endpoint and reducing the likelihood of targeted attacks. Additionally, it allows you to better integrate the API with your site’s structure or branding. Ensure the new path is easy to remember and relevant to your API’s purpose for effective use and management.
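As an added example (not the plugin’s own code), this is the core mechanism behind a custom JSON path: the rest_url_prefix filter replaces wp-json, and because the prefix is baked into the stored rewrite rules they have to be regenerated once. The slug custom-api and the option name used as a one-off flag are assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code): serve the REST API from
 * /custom-api/ instead of /wp-json/.
 *
 * Save as wp-content/mu-plugins/rest-prefix.php. The filter must be in place
 * before 'init', which is when core registers the REST rewrite rules.
 */

define( 'CUSTOM_REST_PREFIX', 'custom-api' ); // assumed slug, alphanumeric only

add_filter( 'rest_url_prefix', function ( $prefix ) {
    return CUSTOM_REST_PREFIX;
} );

// Core adds its REST rewrite rules on 'init' at priority 10 using the
// filtered prefix. Flushing on every request is expensive, so do it once
// and remember that it was done in an option (assumed option name).
add_action( 'init', function () {
    if ( get_option( 'custom_rest_prefix_flushed' ) !== CUSTOM_REST_PREFIX ) {
        flush_rewrite_rules( false );
        update_option( 'custom_rest_prefix_flushed', CUSTOM_REST_PREFIX );
    }
}, 20 );
```

After the flush, rest_url() and the discovery link tag and Link header pick up the new prefix automatically, and the old /wp-json/ path stops matching a rewrite rule. The query-string form ?rest_route=/ does not go through the prefix at all, so it keeps working unless it is blocked separately, which is why the path change is a complement to the blocking options rather than a replacement for them.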
Block Default /wp-json
This option allows you to control access to the default JSON REST API endpoint (/wp-json) on your site. You can choose to block the API service for specific user types or entirely, depending on your needs:
- Non Logged-in: Select this option to block access to the JSON REST API for all users who are not logged in. This restricts unauthenticated users from interacting with the API, while still allowing access for logged-in users. This setting is often recommended if you need to limit exposure of the API to non-authenticated visitors but still want to permit functionality for authenticated users, such as those using plugins or the WordPress Gutenberg editor.
- All: Choose this option if you want to block access to the JSON REST API for everyone, including logged-in users. This will completely disable the API service, which might be necessary for certain security requirements or specific plugin functionalities that require the API to be turned off.
Blocking the API can be useful for enhancing security, reducing unnecessary exposure, or complying with specific plugin requirements. If you need to restrict access while keeping the API functional for authorized users, the “Non Logged-in” option is generally the most appropriate choice.
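An added example, not the plugin’s own code, of how the "Non Logged-in" behaviour is implemented with a core hook: the rest_authentication_errors filter runs for every REST request, and returning a WP_Error from it turns the request into an error response before any route handler runs. The error code and message are assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code): refuse REST API requests from
 * visitors who are not logged in, while leaving the API available to
 * authenticated users (block editor, admin screens, plugins using
 * cookie + nonce authentication).
 *
 * Save as wp-content/mu-plugins/rest-require-login.php.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // true or a WP_Error means another authentication handler has already
    // decided the outcome; do not override it.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    if ( ! is_user_logged_in() ) {
        // Returned as a JSON error body with HTTP status 401.
        return new WP_Error(
            'rest_not_logged_in',           // assumed error code
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }

    // null means "no opinion": let the request continue as normal.
    return $result;
} );
```

Both /wp-json/... and ?rest_route=... pass through this filter, so the gate does not depend on the URL form. Note that it runs at the default priority, ahead of core’s own cookie handling: a valid login cookie is enough to pass the gate, and a request that then carries no REST nonce is treated by core as anonymous for the rest of its processing. Authenticated integrations (application passwords, the block editor with its nonce) are unaffected; an anonymous curl request to /wp-json/wp/v2/users should now receive a 401 with code rest_not_logged_in.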
Disable JSON REST V1 service
Selecting this option will disable version 1 of the JSON REST API service on your site. The REST API provides a structured way to interact with your site’s data via HTTP requests, and version 1 (v1) represents an earlier iteration of this API.
Disabling JSON REST V1 is typically done for the following reasons:
- Security: Older versions of the API might have vulnerabilities or deprecated features that could be exploited. By disabling v1, you reduce the risk of potential security issues associated with outdated endpoints.
- Performance: Reducing the number of active API versions can streamline server performance and minimize the resources used for handling outdated requests.
- Compatibility: If your site or its plugins are designed to use newer API versions (such as v2 or v3), disabling older versions can prevent conflicts and ensure smoother operation.
Be aware that disabling JSON REST V1 may impact certain functionalities if any of your site’s themes or plugins rely on this older API version. Ensure that all components of your site are compatible with the newer API versions before making this change.
Disable JSON REST V2 service
This option allows you to completely disable the JSON REST API Version 2 service on your site. The REST API V2 provides a standardized way for applications to interact with WordPress, offering endpoints for accessing and manipulating site data such as posts, pages, users, and custom content.
By selecting this option, you will turn off all functionality provided by REST API V2. This means that any external applications, plugins, or integrations relying on this API version will no longer be able to retrieve or submit data through these endpoints. This can enhance security by eliminating potential vectors for attack or data exposure, particularly if you do not utilize API-based integrations.
Disabling the REST API may be necessary for specific use cases, such as when working with sensitive information or in highly controlled environments. However, be aware that this action could impact the functionality of third-party plugins or services that depend on the API for interaction with your WordPress site. If you require the API but want to limit access, consider using more granular control options or the ability to restrict access based on user roles or authentication status instead.
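As an added example (not the plugin’s own code) of the "complete shutdown" this option describes, the rest_endpoints filter can unregister every route in the core wp/v2 namespace, so those endpoints answer with a 404 "no route" error while other namespaces are untouched. The namespace prefix checked is the real core one; the file name is an assumption.

```php
<?php
/**
 * Added example (not the plugin's own code): remove all routes of the core
 * REST API v2 namespace (wp/v2). Requests to /wp-json/wp/v2/... then get
 * the standard rest_no_route 404 response.
 *
 * Save as wp-content/mu-plugins/disable-rest-v2.php. Expect the block editor
 * and any plugin that talks to wp/v2 to stop working, as the text above warns.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Route keys look like '/wp/v2', '/wp/v2/posts', '/wp/v2/posts/(?P<id>[\d]+)'.
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2' ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
} );
```

Because the filter only removes routes, the wp/v2 namespace name itself can still appear in the root index; pair this with the index cleaning option if that listing matters to you. To verify, request /wp-json/wp/v2/posts and confirm the JSON error code is rest_no_route.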
Disable Output of the REST API Link Tag in Page Header
By default, WordPress includes a link tag for the REST API in the HTML <head> section of your site’s pages. This tag provides a reference to the REST API endpoint, which can be useful for various plugins and integrations that rely on the API.
Selecting this option will prevent the REST API link tag from being added to the page header. This can be beneficial for security reasons, as it reduces the exposure of your API endpoint to potential attackers or unauthorized users. Additionally, it can help declutter the HTML source of your pages, which might be advantageous for performance or privacy concerns.
Keep in mind that removing this link may affect certain functionalities, such as plugins or scripts that rely on detecting or interacting with the REST API directly through this link. If you use tools or integrations that depend on the REST API being referenced in the page header, you may need to ensure that they have alternative means of accessing the API or consider the implications before making this change.
Disable JSON REST WP RSD Endpoint from XML-RPC Responses
The RSD (Really Simple Discovery) endpoint is part of the XML-RPC protocol used by WordPress to provide metadata about the site’s available APIs. By default, this endpoint is included in XML-RPC responses to inform external applications about the available REST API endpoints and other service details.
Selecting this option will disable the inclusion of the JSON REST WP RSD endpoint from XML-RPC responses. This action prevents the REST API endpoint information from being exposed through XML-RPC, thereby enhancing security by minimizing the potential for revealing sensitive API details to external applications or potential attackers.
Disabling this endpoint is particularly useful if you want to obscure the REST API details and reduce potential attack vectors. However, note that some external applications or services that rely on XML-RPC and require REST API information might be impacted by this change. Ensure that any integrations or services relying on XML-RPC functionality are tested to confirm they are not adversely affected by this adjustment.
Disable Sending a Link Header for the REST API
This option allows you to disable the inclusion of the Link header in REST API responses. The Link header provides information about related resources, such as pagination links or other relevant endpoints, and is included in the HTTP response headers by default.
By selecting this option, you will prevent WordPress from sending the Link header in REST API responses during the template_redirect phase. This can be beneficial for improving security and privacy by limiting the information available about the REST API endpoints and their relationships. It also helps reduce the amount of metadata exposed to potential attackers or unauthorized users.
Disabling the Link header may also reduce the risk of automated attacks that exploit knowledge of your API’s structure or pagination to gather data. However, be aware that some applications or services that rely on the Link header for efficient data retrieval or navigation might be affected. It is advisable to consider the impact on any integrations or functionalities that might depend on this header before making this change.