Have you restricted access to your WordPress REST API?

If you are unsure what the WordPress REST API is, or you know you aren’t going to be using it, then you should consider limiting access to it.

Put simply, the REST API is a set of HTTP endpoints (under /wp-json/ on most sites) that other applications and services can use to read data from your WordPress website. By default it publicly exposes posts, pages, comments, and the users who have published content. Note that the users listing includes each author's slug, which by default is derived from their login name, so it gives anyone guessing passwords a ready-made list of accounts to try. Some information, such as draft posts and user email addresses, is only returned to authenticated users. The full list of endpoints is in the REST API section of the WordPress developer docs.

This is not a problem in itself: almost everything the anonymous endpoints return is already visible on the public site. It becomes one if you keep sensitive data in posts or pages, authenticate to the API with Basic Authentication, or serve the site without TLS (SSL). Basic Authentication sends your username and password with every request, so without TLS they cross the network in clear text. If any of these apply to you, restrict access and fix the underlying practice.

To limit access, use a plugin such as Disable REST API or Disable WP REST API. Both reject REST requests from anyone who is not logged in, so only authenticated users and applications can use the API.

Disable REST API can additionally limit which endpoints authenticated users may call, so you could, for example, allow only the posts, categories, and tags endpoints.
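As an added example (not code from the original post, and not the code of the plugins it mentions), here is the same two-step restriction, deny anonymous requests and then allow a read-only account only a few routes, done with WordPress core hooks in a must-use plugin. It assumes, which the article does not state, that external clients authenticate with an application password or a logged-in session cookie, and that read-only clients use an account without the edit_posts capability; the file name and function name are my own.

```php
<?php
/**
 * Plugin Name: Restrict REST API (added example)
 *
 * Added example for this article, not code from the original post or from the
 * Disable REST API plugins. Save it as wp-content/mu-plugins/restrict-rest-api.php
 * so it loads on every request. Assumptions that are not from the article:
 * external clients log in with an application password or session cookie, and
 * read-only clients use an account that lacks the edit_posts capability.
 */

// 1. Refuse REST requests from visitors who are not logged in.
//    Priority 101 runs after core's application-password check (priority 90)
//    and cookie/nonce check (priority 100), so a session cookie sent without a
//    valid REST nonce has already been downgraded to an anonymous user here.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( null !== $result ) {
        return $result; // core already accepted (true) or rejected (WP_Error) this request
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 for anonymous requests
        );
    }
    return null; // logged in: let the normal per-endpoint permission checks decide
}, 101 );

// 2. Logged-in users who cannot edit posts (for example a subscriber-level API
//    account) see only the posts, categories and tags routes. Authors, editors
//    and administrators keep everything, because the block editor depends on
//    many other routes (users/me, settings, types, ...).
function restrict_rest_api_allowed_routes( $endpoints ) {
    if ( current_user_can( 'edit_posts' ) ) {
        return $endpoints;
    }

    $allowed_prefixes = array( '/wp/v2/posts', '/wp/v2/categories', '/wp/v2/tags' );

    foreach ( array_keys( $endpoints ) as $route ) {
        if ( '/' === $route || '/wp/v2' === $route ) {
            continue; // namespace index routes: harmless, and some clients fetch them first
        }
        $keep = false;
        foreach ( $allowed_prefixes as $prefix ) {
            // exact route ("/wp/v2/posts") or one of its sub-routes ("/wp/v2/posts/(?P<id>[\d]+)")
            if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
                $keep = true;
                break;
            }
        }
        if ( ! $keep ) {
            unset( $endpoints[ $route ] ); // a removed route answers 404 with code rest_no_route
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'restrict_rest_api_allowed_routes' );
```

To check it, run `curl -i https://example.com/wp-json/wp/v2/users` from outside the site: you should get HTTP 401 with the code rest_not_logged_in instead of the author list. With a subscriber-level application password, `/wp/v2/posts` should still return 200 while `/wp/v2/pages` returns 404 with rest_no_route. Before deploying, remember that anything relying on anonymous REST access, such as oEmbed previews of your posts on other sites or contact-form plugins that submit through the API, will stop working and needs either an exception in step 1 or a different approach.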

Additionally…

If you are using Basic Authentication without TLS (SSL), two-factor authentication, or other additional protection, I strongly suggest you change this now. Your website is only as secure as you allow it to be. I wrote a short post about two-factor authentication and another about using passphrases.

Many hosting companies now offer free TLS certificates through services like Let’s Encrypt, so talk to your hosting provider and see what options are available. It’s important to keep your website and its data as secure as you can.
