Turn Off REST API
Turn Off REST API is a lightweight WordPress security plugin that disables the WordPress REST API for visitors who are not logged in. Anonymous requests to your /wp-json endpoints receive an authentication error instead of your site data, while logged-in users, your theme, and your plugins keep working normally.
By default WordPress exposes a large amount of information through the REST API, including your list of user accounts and usernames, published content, and details about your site. For most sites that open, unauthenticated access is unnecessary and only widens the attack surface for user enumeration and content scraping. Turn Off REST API closes the WordPress REST API to the public in one click, then gives you a clear settings screen to reopen only the specific REST API routes you actually need.
Why turn off the WordPress REST API?
- Stop anonymous user enumeration through /wp-json/wp/v2/users.
- Reduce your attack surface against REST API based exploits and bots.
- Keep your content and site data from being scraped through the public API.
- Stay in control with a per-route allow list instead of an all-or-nothing switch.
What it does
- Returns an authentication error for unauthenticated REST API requests.
- Optionally removes the REST API discovery links and headers from your page source.
- Lets you build an allow list of routes that should stay public (for example a contact form or a specific integration).
- Adds a Site Health check so the restriction is clearly explained and never mistaken for a fault.
- Keeps the admin area, the block editor, and logged-in functionality fully working.
Built for control, not breakage
Some security plugins disable the REST API completely and break the block editor or third-party integrations in the process. Turn Off REST API only blocks unauthenticated access, and the per-route allow list means you can whitelist exactly the endpoints a service needs without opening the whole API back up.
Developer friendly
The access decision runs through the tora_grant_rest_api filter, so developers can extend or override the logic for custom roles, application passwords, or trusted requests.
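The behaviour described under "What it does" (authentication error for anonymous requests, a per-route allow list, removal of discovery links) can be sketched with WordPress core hooks alone. This is an added example, not the plugin's own code, and it does not use the tora_grant_rest_api filter, whose signature this page does not document. The example_ function names, the /example-forms/v1/submit route and the rest_login_required error code are assumptions made up for the illustration.

```php
<?php
// Added illustration, not the plugin's code; WordPress core hooks only.

// Hypothetical allow list (constructed value): routes that stay public.
function example_public_rest_routes() {
    return array( '/example-forms/v1/submit' );
}

// True when $route is an allow-listed route or a sub-path of one.
// Matching on a segment boundary keeps "/x/v1/submit-admin" from passing as "/x/v1/submit".
function example_route_is_public( $route ) {
    $route = '/' . trim( (string) $route, '/' );
    foreach ( example_public_rest_routes() as $allowed ) {
        $allowed = '/' . trim( $allowed, '/' );
        if ( $route === $allowed || 0 === strpos( $route, $allowed . '/' ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a decision an earlier authentication handler already made.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    // Logged-in users (admin area, block editor) pass through unchanged.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Route of the current REST request, as parsed by WordPress.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    if ( example_route_is_public( $route ) ) {
        return $result;
    }
    // Everything else, including /wp/v2/users, gets an authentication error.
    return new WP_Error(
        'rest_login_required',
        'REST API access is restricted to authenticated users.',
        array( 'status' => rest_authorization_required_code() )
    );
} );

// Remove the REST API discovery link tag, Link header and RSD entry.
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
```

An anonymous request to /wp-json/wp/v2/users then returns HTTP 401 with the error above, while the allow-listed route still answers without credentials.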